FreeMilk

A group of hackers is using a sophisticated technique of hijacking ongoing email conversations to insert malicious documents that appear to be coming from a legitimate source and infect other targets participating in the same conversational thread.

This type of attack relies on hackers compromising one of the two or more persons involved in an email exchange.

The attackers silently take over the initial victim's email account, study in-progress conversations, and send a new message in an ongoing thread, carrying boobytrapped documents.

This tactic, albeit not new, was spotted in the wild earlier this year, in May.

Hacker group believed to be operating out of North Korea

These highly sophisticated spear-phishing attacks were detected by US security firm Palo Alto Networks, and have targeted a bank based in the Middle East, trademark and intellectual property service companies based in Europe, an international sporting organization, and even lone individuals with indirect ties to a country in North East Asia.

"The conversations were in a combination of English and the targets' native languages," Palo Alto's Christopher Budd told Bleeping Computer via email, highlighting the group's sophistication and ability to intertwine itself even in non-English discussions.

This particular campaign — nicknamed FreeMilk by Palo Alto — appears to be carried out by a group that has been active in the past.

While Palo Alto has not named names, previous reports indicate that the hackers might be operating out of North Korea, or have selected targets that are of consistent interest for North Korean authorities.

North Korean hackers have historically targeted companies for both espionage and financial gain. Based on the targeting of this recent campaign, it is hard to grasp the group's exact motives, but they appear to be both.

In the past, the same group behind the FreeMilk attacks has also targeted North Korean defectors hiding in the UK, and South Korean companies, on different occasions.

Novel phishing technique delivered PoohMilk, Freenki malware

For this most recent campaign, the group hijacked conversations by deploying a malicious Word document in ongoing conversation threads.

The document exploited the CVE-2017-0199 vulnerability to download and run a first-stage malware known as PoohMilk, a basic tool with two tasks: gaining boot persistence via a registry key and downloading a second-stage malware strain named Freenki.

Attackers also used Freenki for two tasks: performing basic reconnaissance to identify hosts with valuable information, and downloading a third-stage payload.
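
A mail-triage heuristic for the delivery method described above, added here as an example and not taken from the article or from Palo Alto's report: because the hijacked reply is sent from the real, compromised account, the check looks at the thread rather than the sender, and flags any reply that adds a Word document to a conversation that began without one. The extension and MIME lists, the function names, and the sample mailbox are all assumptions constructed for this example.

```python
from email import message_from_string, policy
from email.message import EmailMessage

WORD_EXTS = (".doc", ".docx", ".docm", ".rtf")           # assumed extension list
WORD_TYPES = ("application/msword", "application/rtf")   # assumed MIME types

def word_attachments(msg):
    """Return the filenames of Word-type attachments in a parsed message."""
    return [p.get_filename() or "" for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(WORD_EXTS)
            or p.get_content_type() in WORD_TYPES]

def flag_thread_injections(raw_messages):
    """Flag replies that add a Word document to a thread that began without one.
    Takes RFC 5322 strings in arrival order; returns (message_id, sender, files)."""
    root_of = {}         # Message-ID -> Message-ID of the thread's first message
    doc_threads = set()  # threads whose first message already carried a document
    flagged = []
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        mid = str(msg["Message-ID"] or "").strip()
        refs = f'{msg["References"] or ""} {msg["In-Reply-To"] or ""}'.split()
        parents = [r for r in refs if r in root_of]
        root = root_of[parents[0]] if parents else mid
        root_of[mid] = root
        docs = word_attachments(msg)
        if docs and not parents:
            doc_threads.add(root)      # documents were part of this thread from the start
        elif docs and root not in doc_threads:
            flagged.append((mid, str(msg["From"]), docs))
    return flagged

def sample(mid, sender, parent=None, attach=None):
    """Build one constructed message; every name and address here is made up."""
    m = EmailMessage()
    m["Message-ID"], m["From"], m["Subject"] = mid, sender, "Re: Q3 figures"
    if parent:
        m["In-Reply-To"] = m["References"] = parent
    m.set_content("constructed body")
    if attach:
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename=attach)
    return m.as_string()

THREAD = [  # constructed mailbox, arrival order; a3 is the injected reply
    sample("<a1@corp.example>", "alice@corp.example"),
    sample("<a2@partner.example>", "bob@partner.example", "<a1@corp.example>"),
    sample("<a3@corp.example>", "alice@corp.example", "<a2@partner.example>", "figures.doc"),
]
```

A hit is a reason to send the attachment for detonation and to confirm with the sender out of band, not proof of compromise; legitimate replies will also match.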

Questions about links to previous campaign

In a technical report detailing the modus operandi and features of these two malware strains, Palo Alto says it was not able to obtain this third-stage payload, but it did notice an overlap of the malware's command-and-control infrastructure with past operations.

However, the company also notes that the C&C infrastructure was hosted on compromised domains and there were several months between the incidents, meaning different groups might have used the same server.

Palo Alto echoes the caution on cyber-espionage attribution put forward this week by Kaspersky researchers, who revealed at a security conference that APT groups often hack each other to steal tools or frame attacks.