A novel malware named FinalDraft has been identified leveraging Outlook email drafts for command-and-control (C2) communications. This sophisticated attack has targeted a government ministry in a South American nation, as discovered by Elastic Security Labs.
Malware Attack Overview
The attack employs a comprehensive toolkit, including a custom malware loader called PathLoader, the FinalDraft backdoor, and various post-exploitation utilities. By abusing Outlook, the attackers achieve covert communication that supports data exfiltration, proxying, process injection, and lateral movement with minimal detection.
Attack Chain Details
The intrusion begins with PathLoader compromising the target system. This small executable retrieves shellcode, including the FinalDraft backdoor, from the attacker's infrastructure and executes it. PathLoader uses API hashing and string encryption to evade static analysis.
- Data Exfiltration: FinalDraft is designed to extract files, credentials, and system information.
- Process Injection: It runs payloads within legitimate processes, such as mspaint.exe.
- Pass-the-Hash Attacks: It steals authentication credentials for lateral movement.
- Network Proxying: Creates covert network tunnels.
- File Operations: Capable of copying, deleting, or overwriting files.
- PowerShell Execution: Executes commands without launching powershell.exe.
FinalDraft communicates via the Microsoft Graph API, using Outlook email drafts to send and receive commands. This method avoids detection by blending into normal Microsoft 365 traffic. Commands are hidden in drafts marked r_, and responses are stored in new drafts marked p_. Once a command has been executed, the associated drafts are deleted, complicating forensic analysis.
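To make the draft-based channel concrete from a defender's point of view, the following added example (not part of the original article and not Elastic's code) applies a simple heuristic to mailbox audit records: it flags drafts whose subject starts with r_ or p_ that were created and then deleted without ever being sent, within a short window. The pipe-delimited log format, the mailbox names and the client strings are constructed assumptions, not a real Exchange or Graph schema.

```python
"""
Heuristic detection of Outlook-draft C2 activity in mailbox audit records.
Added illustration only; the record layout below is a constructed
simplification, not Microsoft's audit schema or Elastic's detection logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp|mailbox|operation|folder|subject|client
SAMPLE_LOG = """\
2025-02-10T09:00:01Z|minister@example.gov|Create|Drafts|r_4f2a|GraphClient/1.0
2025-02-10T09:00:04Z|minister@example.gov|Create|Drafts|p_4f2a|GraphClient/1.0
2025-02-10T09:00:09Z|minister@example.gov|HardDelete|Drafts|r_4f2a|GraphClient/1.0
2025-02-10T09:00:10Z|minister@example.gov|HardDelete|Drafts|p_4f2a|GraphClient/1.0
2025-02-10T09:15:00Z|analyst@example.gov|Create|Drafts|Budget notes|Outlook/16.0
2025-02-10T09:40:00Z|analyst@example.gov|Send|Drafts|Budget notes|Outlook/16.0
2025-02-10T10:02:00Z|analyst@example.gov|Create|Drafts|r_temp|Outlook/16.0
2025-02-10T10:03:00Z|analyst@example.gov|Send|Drafts|r_temp|Outlook/16.0
"""

# Subject prefixes reported for FinalDraft request (r_) and response (p_) drafts.
C2_PREFIXES = ("r_", "p_")
DELETE_OPS = ("HardDelete", "SoftDelete")


def parse_events(text):
    """Parse the constructed pipe-delimited audit lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mailbox, op, folder, subject, client = line.split("|", 5)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "mailbox": mailbox, "op": op, "folder": folder,
            "subject": subject, "client": client,
        })
    return events


def find_draft_c2_candidates(events, window=timedelta(minutes=30)):
    """Return drafts that carry a C2-style subject prefix, were created and
    deleted without ever being sent, and lived no longer than `window`."""
    lifecycles = defaultdict(list)  # (mailbox, subject) -> events in time order
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["folder"] == "Drafts":
            lifecycles[(ev["mailbox"], ev["subject"])].append(ev)

    findings = []
    for (mailbox, subject), evs in lifecycles.items():
        ops = [e["op"] for e in evs]
        # A draft that was actually sent is ordinary user behaviour.
        if "Create" not in ops or "Send" in ops or not any(o in DELETE_OPS for o in ops):
            continue
        created = next(e["ts"] for e in evs if e["op"] == "Create")
        deleted = next(e["ts"] for e in evs if e["op"] in DELETE_OPS)
        lifetime = deleted - created
        if subject.startswith(C2_PREFIXES) and lifetime <= window:
            findings.append({
                "mailbox": mailbox,
                "subject": subject,
                "lifetime_seconds": int(lifetime.total_seconds()),
                "client": evs[0]["client"],
            })
    return findings


def summarize_by_mailbox(findings):
    """Count suspicious draft pairs per mailbox for triage."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["mailbox"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_draft_c2_candidates(parse_events(SAMPLE_LOG))
    for h in hits:
        print(f"{h['mailbox']}: draft '{h['subject']}' lived {h['lifetime_seconds']}s "
              f"via {h['client']} and was never sent")
    print(summarize_by_mailbox(hits))
```

The heuristic deliberately ignores drafts that were eventually sent, so the analyst's own r_temp draft is not flagged; in practice the subject-prefix check is the weakest part and would be complemented by looking at which client application touched the Drafts folder and at the create/delete rate per mailbox.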
Cross-Platform Capabilities
Elastic Security Labs also identified a Linux variant of FinalDraft. This version also supports Outlook-based C2 through the REST and Graph APIs, alongside HTTP/HTTPS, reverse UDP and ICMP, bind/reverse TCP, and DNS-based C2 channels.
Campaign Insights
The attack, named REF7707, is a cyber-espionage campaign targeting a South American foreign ministry. However, infrastructure analysis revealed links to victims in Southeast Asia, indicating a broader operation. The investigation also uncovered another malware loader, GuidLoader, capable of decrypting and executing payloads in memory.
Further analysis showed repeated targeting of high-value institutions through compromised endpoints in telecommunications and internet infrastructure providers in Southeast Asia. Additionally, a Southeast Asian university’s public-facing storage system was used to host malware payloads, suggesting prior compromise or a supply chain foothold.