FinalDraft malware uses Outlook as a C2 server to avoid detection

March 12, 2025

FinalDraft, a newly discovered malware strain, has allegedly used Outlook email drafts as a command-and-control server in its attacks against a South American ministry.

Researchers who uncovered the campaign explained that it uses a complete toolset with a proprietary malware loader called PathLoader, the FinalDraft backdoor, and several post-exploitation utilities.

The operation abuses Outlook for covert communications, letting the attackers carry out data exfiltration, proxying, process injection, and lateral movement while leaving as few traces as possible.

The FinalDraft malware campaign begins with the execution of PathLoader on a targeted device.

The FinalDraft malware operation starts with the threat actor infecting a targeted machine with PathLoader. This payload is a small executable that runs shellcode, which includes malware fetched from attacker-controlled infrastructure.

PathLoader also hinders static analysis of the operation through API hashing and string encryption. The operators then deploy the primary malware, FinalDraft, for data exfiltration and process injection.

After loading the configuration and creating a session ID, the malware communicates with Microsoft Graph API by sending and receiving commands via Outlook email drafts.

FinalDraft then obtains an OAuth token from Microsoft using a refresh token embedded in its configuration and saves the token in the Windows Registry for later use. Because it works through Outlook drafts rather than sent emails, its traffic blends in with regular Microsoft 365 activity and avoids detection.

The attacker's commands are hidden in drafts tagged r_, and the responses are written back as new drafts tagged p_. Once a command has been executed, the command draft is deleted, which makes forensic analysis harder.
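As an added example (not code from the report or the researchers), a small detection heuristic over constructed mailbox-activity events, built on the draft behaviour described above: short-lived drafts whose subjects carry the r_ or p_ tag and that are deleted without ever being sent. The event fields, action names and sample values are assumptions for illustration, not a real Microsoft 365 audit schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of mailbox-activity events (assumed schema, not a real
# Microsoft 365 audit log): (timestamp, mailbox, action, draft subject).
SAMPLE_EVENTS = [
    ("2025-03-10T09:00:00", "user1@example.org", "DraftCreated", "r_3f2a"),
    ("2025-03-10T09:00:05", "user1@example.org", "DraftCreated", "p_3f2a"),
    ("2025-03-10T09:00:07", "user1@example.org", "DraftDeleted", "r_3f2a"),
    ("2025-03-10T09:00:09", "user1@example.org", "DraftDeleted", "p_3f2a"),
    ("2025-03-10T10:00:00", "user2@example.org", "DraftCreated", "Quarterly report"),
    ("2025-03-10T10:05:00", "user2@example.org", "MessageSent", "Quarterly report"),
    ("2025-03-10T11:00:00", "user1@example.org", "DraftCreated", "r_9b1c"),
    ("2025-03-10T11:00:03", "user1@example.org", "DraftDeleted", "r_9b1c"),
]

# Draft tags reported for FinalDraft: r_ for commands, p_ for responses.
C2_PREFIXES = ("r_", "p_")


def parse(ts):
    return datetime.fromisoformat(ts)


def find_draft_c2_candidates(events, max_lifetime=timedelta(minutes=5), min_hits=2):
    """Return {mailbox: [subjects]} for mailboxes in which drafts tagged r_/p_
    were created and deleted within max_lifetime without ever being sent.
    A mailbox is reported only once it reaches min_hits such drafts."""
    created = {}              # (mailbox, subject) -> creation time
    sent = set()              # drafts that were actually sent (benign)
    hits = defaultdict(list)
    for ts, mailbox, action, subject in sorted(events):
        key = (mailbox, subject)
        if action == "DraftCreated" and subject.startswith(C2_PREFIXES):
            created[key] = parse(ts)
        elif action == "MessageSent":
            sent.add(key)
        elif action == "DraftDeleted" and key in created and key not in sent:
            # Command drafts are deleted shortly after execution; a draft that
            # lived only seconds and never left the mailbox is the signal.
            if parse(ts) - created.pop(key) <= max_lifetime:
                hits[mailbox].append(subject)
    return {mailbox: subjects for mailbox, subjects in hits.items()
            if len(subjects) >= min_hits}


if __name__ == "__main__":
    for mailbox, subjects in find_draft_c2_candidates(SAMPLE_EVENTS).items():
        print(f"{mailbox}: {len(subjects)} short-lived tagged drafts {subjects}")
```

Pair this with the token behaviour noted above: a Graph API session that is authenticated with a refresh token but only ever touches drafts, never the sent-items folder, is a stronger indicator than the subject tag alone.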

Furthermore, researchers discovered a Linux version of FinalDraft that still supports Outlook via REST API and Graph API, as well as HTTP/HTTPS, reverse UDP and ICMP, bind/reverse TCP, and DNS-based C2 exchange.

The researchers describe the campaign, tracked as REF7707, in a separate report that details several OpSec errors which contrast with the sophistication of the intrusion set deployed and ultimately led to the attackers' discovery.

REF7707 is a cyber-espionage campaign targeting a South American foreign ministry, but analysis of the infrastructure uncovered links to victims in Southeast Asia, implying a more extensive operation.
