In-progress email threads were hacked to spearphish private companies, report says

The ongoing campaign has several eyebrow-raising but ultimately inconclusive links to previous attacks that could be the work of North Korean hackers, according to Palo Alto Networks.
(Getty Images)

A newly identified spearphishing campaign targeting banks, companies and individuals across Eurasia wielded particularly effective tactics and malware, according to new research published by the cybersecurity firm Palo Alto Networks.

The ongoing campaign has several eyebrow-raising but ultimately inconclusive links to previous attacks that could be the work of North Korean hackers, the researchers say.

Attackers in a campaign dubbed “FreeMilk” compromised email accounts tied to a legitimate domain and then hijacked already ongoing conversations in order to send spearphishing messages to targets, the researchers say. The targeted victims include a Middle Eastern bank, European trademark and intellectual property service companies and specific but unidentified individuals connected to a country in “North East Asia.” Palo Alto Networks declined to share more information.

Hijacking ongoing conversations makes identifying spearphishing more difficult. People are trained to look out for unfamiliar email addresses and unsolicited emails as red alarms for phishing but just another reply in an already existent message thread can quietly blend in and lure a victim into the trap of clicking a malicious link.


The campaign, first identified in May 2017, weaponizes a Microsoft Word remote code execution vulnerability which allows the attackers to take complete control of a victim’s machine.

“The threat actor tried to stay under the radar by making malware that only executes when a proper argument is given, hijacked an existing email conversation and carefully crafted each decoy document based on the hijacked conversation to make it look more legitimate,” researchers wrote.

Researchers say the same unidentified attacker is linked to previous campaigns against “dissidents.”

There are several links between FreeMilk and previous hacking campaigns. The same loader is used in another remote administration tool that’s seen limited action in targeted attacks including multiple campaigns against South Korean businesses and attacks against North Korean defectors located within the United Kingdom.

The obvious guess for attribution here is North Korea, a country that has for years been ramping up cyber activity, because of the targets. However, the evidence is not definitive, the researchers take care to warn.


“We were not able to identify the second stage malware delivered via Freenki downloader during the campaign,” Palo Alto Network’s researchers wrote. “We did notice some C2 infrastructure overlap with other cases previously mentioned by TALOS and a private researcher. However, we are not conclusive about these connections as the C2 domains were compromised websites and there were several months between the incidents.”

Latest Podcasts