FreeMilk: A Highly Targeted Spear Phishing Campaign
In May 2017, Palo Alto Networks Unit 42 identified a limited spear phishing campaign targeting various individuals across the world. The threat actor leveraged the CVE-2017-0199 Microsoft Word Office/WordPad Remote Code Execution Vulnerability with carefully crafted decoy content customized for each target recipient. Our research showed that the spear phishing emails came from multiple compromised email accounts tied to a legitimate domain in North East Asia. We believe that the threat actor hijacked an existing, legitimate in-progress conversation and posed as the legitimate senders to send malicious spear phishing emails to the recipients as shown below in Figure 1.
Figure 1 Conversation Hijacking to Deliver Malware
Upon successful exploitation, the malicious document delivered two malware payloads: PoohMilk and Freenki.
The targeted victims in this campaign we identified include:
- a bank based in the Middle East
- trademark and intellectual property service companies based in Europe
- an international sporting organisation
- individuals with indirect ties to …
IoC