The year 2017 witnessed some of the most deadly cyber attacks in the recent history and it looks like it's going to get much worse as a new destructive malware dubbed as 'FreeMilk' is on the prowl.
Globally acclaimed internet security watchdog, Palo Alto Networks Unit 42 has uncovered a sneaky FreeMilk malware that can infiltrate the computers with malicious codes and retrieve sensitive information without ever getting noticed by the system administrator.
How FreeMilk malware affects victim computer?
FreeMilk is a spear phishing category malware which is capable of high-jacking email conversation and mimic a known email sender to the victim.
It is believed that hackers individually target victims and monitor the conversation between the former and a sender who constantly exchanges messages.
After a thorough research, cybercriminals prepare a well-disguised mail which happens to have the same name to pose as a legitimate sender and the unsuspecting naive users open the email compromising their system.
Once the FreeMilk malware is inside the computer, it downloads two malicious packages -- PoohMilk and Freenki from hackers-controlled servers with legitimate domain names.
Also read: Yahoo 2013 Hacking: Over 3 billion user accounts compromised
The PoohMilk has two roles, one is to run the Freenki code, and once that is done, it then searches through the computer to find "wsatra.tmp" in the user's temp folder. "If found, it reads its contents hoping to identify a path which is then searched in order to identify any file with an LNK extension, the same path is then searched for files with a ZIP extension. The exact reason why it looks for *.lnk files is unclear. However, if it finds a *.zip file, it extracts its contents and copies the data to a file under the user's temp folder," Palo Alto Networks Unit 42 said in the report.
What's more shocking is that PoohMilk always tries to install more malicious payloads in order to lower the chances of getting exposed.
And the second package Freenki will try to collect host's computer sensitive information including MAC address, username, computer name, processes running on the computer and also capture screenshots of the infected system and send all the information to a command server for the hackers to store and use in future attacks or ask for ransom in exchange for stolen data.
Furthermore, if required, Freenki acts as second-stage downloader to further retrieve more information. So far, researchers haven't been able to identify any payloads dropped by Freenki in the infected system, but it will be known soon.
[Note: Media Access Control address (MAC address) of a computer is a unique identifier assigned to network interfaces for communications at the data link layer of a network segment]
FreeMilk is not actually a new malware, hackers once used Microsoft Word CVE-2017-0199 vulnerability to attack select individuals earlier in the year and it was eventually fixed by April 2017.
So far, FreeMilk is said to have affected a bank in the Middle East, a trading and intellectual property service company in Europe, a big international sports gear company and several individuals with ties to select countries in North East Asia.
Here's how to protect your PCs from ransomware and malware:
- Always keep your PCs updated with the latest firmware; most software companies including Microsoft and Apple usually send software updates weekly or monthly and make sure to update them immediately.
- Make sure to use premium anti-virus software which also provides malware protection and Internet security
- Never open email sent from unknown senders
- Disable ActiveX content in Microsoft Office applications such as Word, Excel, etc.
- Disable Remote Desktop Connections, employ least-privileged accounts. Limit users who can log in using Remote Desktop, set an account lockout policy. Ensure proper RDP logging and configurations
- Never install plugins (for browsers) and application software on the PCs from un-familiar publishers
- System administrators in corporate companies should establish a Sender Policy Framework (SPF) for their domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
Additional security measures that may be considered by system administrators at corporate firms:
- Use RDP Gateways for better management
- Change the listening port for Remote Desktop
- Tunnel Remote Desktop connections through IPSec or SSH
- Two-factor authentication may also be considered for highly critical systems
