- Security researchers spot new piece of malware called FinalDraft
- It gets commands from a drafted email
- It can exfiltrate data, run PowerShell, and more
Cybersecurity researchers from Elastic Security Labs have discovered a new piece of malware which abuses draft email messages in Outlook for data exfiltration, PowerShell execution, and more.
The malware is part of a wider toolkit used in a campaign called REF7707 targeting government organizations in South America, and Southeast Asia.
As per the researchers, the toolkit comprises a couple of tools: a loader called PathLoader, the malware called FinalDraft, and multiple post-exploitation utilities.
Speeding up
The attack starts with the victim somehow being exposed to the loader. While the researchers don’t detail how that happens, it’s safe to assume the usual channels: phishing, social engineering, fake cracks to commercial software, and similar.
The loader installs FinalDraft, which establishes a communications channel through Microsoft Graph API. It does so by using Outlook email drafts. It proceeds to receive an OAuth token from Microsoft, using a refresh token embedded in its configuration. It stores it in the Windows Registry, allowing cybercriminals persistent access to the compromised endpoint.
The malware allows the attackers to perform a whole swathe of commands, including exfiltrating sensitive data, creating covert network tunnels, tampering with local files, executing PowerShell, and more. After performing these commands, the malware deletes them, making analysis even harder.
The researchers found the malware on a computer belonging to a foreign ministry in South America. However, after analyzing its infrastructure, Elastic has seen links to victims in Southeast Asia, as well. The campaign targets both Windows and LInux devices.
The attack was not linked to any known threat actors, so we don’t know if this was a state-sponsored play or not. However, given that the goal seems to be espionage, it’s safe to assume nation-state attacks. In-depth analysis, including detection mechanisms, mitigations, and YARA rules, can be found on this link.