First detected in May 2017, FreeMilk is considered a particularly dangerous cyber threat because, once activated, it uses your computer to continue downloading sophisticated malware.
The complicated series of events leading up to the malware strike begins with the attacker observing an email exchange. It’s unclear precisely how the attackers achieve this, but they likely gain access to one party’s email via the usual methods:
- Social engineering
- Phished email
- Trojan, etc.
Hackers then use a spear phishing attack to hit the actual target – the other party in the conversation. When the time is right, they insert an email into the thread. The victim can’t tell that the email is actually coming from a third party, and the correspondence contains harmful files that install malicious code and collect information unnoticed.
PoohMilk and Freenki are the two payloads – the parts that execute the malicious activity – that the cyber criminals install on the victim’s system. The payloads draw data from the host and function as a second-stage downloader that pulls further malware onto the system.
What to do if you face a FreeMilk cyber attack
Computers that are not running the latest antivirus software or security patches are at risk from FreeMilk; it takes advantage of CVE-2017-0199, a vulnerability in Windows that was patched in April 2017. FreeMilk is presently not a highly targeted attack, so the number of victims is likely very low. Currently, India is the most vulnerable because of the high volume of Windows systems running there that are not updated. The techniques, however, can be leveraged by other criminals looking for a new trick.
To avoid a FreeMilk data compromise:
- Use the most up-to-date operating system and antivirus
- Enable automatic updates and stick to the download schedule
- Apply a firewall to block dangerous attacks on your network
- Never click download links on suspicious emails
- Install the latest patches
- Don’t use outdated devices and/or operating systems
- Provide employees with awareness training on phishing and malware
Bad Rabbit uses drive-by attacks to drop malware on unsuspecting victims
When a target visits a legitimate but compromised website, the hacker’s malware dropper secretly installs malicious programs on the victim’s computer. In the case of Bad Rabbit, the malware is disguised as an Adobe Flash Installer. Since Adobe distributes a high volume of Flash updates, there is a higher likelihood that the victim will click the file.
The user needs to manually launch the ‘install_flash_player.exe’ file, which means the target has to click the link for the malware dropper to work. Once launched, the dropper will try to gain the elevated administrative privileges it needs by using a standard User Account Control (UAC) prompt. If the dropper gains access, a file named ‘infpub.dat’ will launch.
Once triggered, the malware locks the machine and generates a ransom note and payment page – victims have 40 hours to make a payment to the tune of 0.05 bitcoins (about $280).
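As an added example (not from the original article or from any vendor tool), the dropper chain described above can be correlated in endpoint telemetry: a process named install_flash_player.exe that is granted UAC elevation and then writes infpub.dat. The event format, host names and process ids below are constructed for illustration.

```python
"""Correlate constructed endpoint events for the Bad Rabbit dropper chain."""

# Constructed sample telemetry (not real logs): ws01 shows the full chain,
# ws02 shows an installer whose elevation request was denied.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws01", "type": "process_create", "pid": 410,
     "image": r"C:\Users\alice\Downloads\install_flash_player.exe"},
    {"ts": 101, "host": "ws01", "type": "uac_elevation", "pid": 410, "result": "granted"},
    {"ts": 103, "host": "ws01", "type": "file_create", "pid": 410,
     "path": r"C:\Windows\infpub.dat"},
    {"ts": 200, "host": "ws02", "type": "process_create", "pid": 512,
     "image": r"C:\Users\bob\Downloads\install_flash_player.exe"},
    {"ts": 201, "host": "ws02", "type": "uac_elevation", "pid": 512, "result": "denied"},
]

DROPPER_NAME = "install_flash_player.exe"   # name the dropper is disguised as
DROPPED_NAME = "infpub.dat"                 # file launched after elevation


def basename(path):
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_bad_rabbit_chain(events, window=60):
    """Return one alert per (host, pid) where a process named like the Flash
    installer was granted UAC elevation and then wrote infpub.dat within
    `window` seconds of starting. A denied elevation never alerts, matching
    the chain described in the article."""
    tracked = {}   # (host, pid) -> state of a suspicious installer process
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["pid"])
        if ev["type"] == "process_create" and basename(ev["image"]) == DROPPER_NAME:
            tracked[key] = {"start": ev["ts"], "elevated": False, "image": ev["image"]}
        elif ev["type"] == "uac_elevation" and key in tracked:
            tracked[key]["elevated"] = ev.get("result") == "granted"
        elif ev["type"] == "file_create" and key in tracked:
            proc = tracked[key]
            if (basename(ev["path"]) == DROPPED_NAME and proc["elevated"]
                    and ev["ts"] - proc["start"] <= window):
                alerts.append({"host": ev["host"], "pid": ev["pid"],
                               "image": proc["image"], "dropped": ev["path"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bad_rabbit_chain(SAMPLE_EVENTS):
        print("Bad Rabbit dropper chain:", alert)
```

A real deployment would feed the same logic from process-creation, elevation and file-write events of the endpoint sensor in use; the correlation key and time window are the parts worth tuning.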
The majority of threats from this ransomware family have occurred in Russia and Ukraine. Turkey and Germany have suffered fewer attacks. Malwarebytes, a company that develops anti-malware solutions, identified a number of similarities between the Bad Rabbit strain and NotPetya. However, Bad Rabbit may not be as advanced as this year’s other ransomware: it does not exploit the EternalBlue Windows vulnerability, for which Microsoft has issued patches.