New Malware Threats Target Microsoft Outlook for Account Hijacking


Cybersecurity researchers from Elastic Security Labs have uncovered a new type of malware known as FinalDraft, which utilizes draft emails in Outlook for nefarious activities such as data exfiltration and executing PowerShell commands. This new strain of malware is part of a broader toolkit that targets government entities across South America and Southeast Asia, identified under the campaign name REF7707.

Malware Functionality

FinalDraft operates by creating a secure communication channel through the Microsoft Graph API. It employs the following techniques:

  • Data Exfiltration: This malware is capable of stealing sensitive information from infected devices.
  • PowerShell Execution: Attackers can run PowerShell scripts remotely, allowing for extensive control over the victim’s system.
  • Network Tunneling: It can establish covert network tunnels, aiding in unauthorized communications and data transfers.
  • File Manipulation: FinalDraft can tamper with local files, enabling further exploitation of the victim’s system.
  • Self-Destruction: Post-operation, the malware deletes its commands to complicate forensic analysis.

Attack Vectors

The deployment of FinalDraft is likely initiated through various common attack vectors, although specific methods remain undisclosed. Some probable means include:

  • Phishing: Victims may be tricked into clicking malicious links or downloading infected attachments.
  • Social Engineering: Deceptive tactics may be used to persuade individuals or organizations to grant access without realizing it.
  • Malicious Software: The malware could be bundled with cracked versions of legitimate software, leading to infiltration.

Upon execution, the loader known as PathLoader installs FinalDraft, which then communicates through the Microsoft Graph API, using Outlook email drafts as its channel. The malware obtains an OAuth token from Microsoft and stores it in the Windows Registry, ensuring persistent access for the cybercriminals.

Targeted Victims

Researchers identified FinalDraft on a compromised system within a foreign ministry in South America. Further exploration revealed connections to additional victims situated in Southeast Asia. Targeted entities encompass:

  • Government Organizations: Specifically aimed at institutions that might hold critical data.
  • Windows and Linux Devices: The malware targets both operating systems, broadening its potential impact.
  • Espionage Targets: The operation appears to prioritize surveillance and intelligence gathering.

Operational Security and Detection

The origins of FinalDraft remain unclear, as it has not been linked to any known threat actors. Nonetheless, its capabilities and targeting strongly suggest the modus operandi of state-sponsored hacking. To effectively counter this threat, cybersecurity professionals recommend:

  • In-depth Analysis: Organizations should routinely analyze their cybersecurity architecture for weaknesses.
  • Detection Mechanisms: Implementing advanced detection capabilities can help in identifying anomalous behavior associated with FinalDraft.
  • Mitigation Strategies: Robust security protocols, including training employees on phishing awareness, are crucial.
  • YARA Rules: The development and integration of YARA rules can aid in detecting the presence of FinalDraft on networks.
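The draft-mailbox channel described under Malware Functionality has a behavioural signature a defender can hunt for without any sample-specific indicator: a single mailbox client that keeps creating and deleting items in the Drafts folder in quick succession and never sends anything, which is exactly the dead-drop pattern an attacker needs when commands and results are exchanged as drafts and then cleaned up. The script below is an added example, not code from Elastic Security Labs or from the article, and it does not reproduce any FinalDraft indicator. The JSON-per-line audit format, the field names (ts, user, op, folder, client), the known-client prefixes and the thresholds are all assumptions chosen for illustration; a real deployment would map them onto the mailbox audit or Graph activity feed actually available.

```python
"""
Heuristic hunt for draft-folder "dead drop" traffic: many Create/Delete
operations on Drafts from one (mailbox, client) pair inside a short window,
with zero Send operations. Log schema and thresholds are ASSUMED for this
example; they are not a real Microsoft or Elastic schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit feed (not real telemetry). Field names are assumed.
SAMPLE_LOG = """
{"ts": "2025-02-14T08:00:00Z", "user": "carol@example.test", "op": "Create", "folder": "Drafts", "client": "Outlook/16.0"}
{"ts": "2025-02-14T08:30:00Z", "user": "carol@example.test", "op": "Delete", "folder": "Drafts", "client": "Outlook/16.0"}
{"ts": "2025-02-14T09:00:00Z", "user": "alice@example.test", "op": "Create", "folder": "Drafts", "client": "Outlook/16.0"}
{"ts": "2025-02-14T09:00:30Z", "user": "alice@example.test", "op": "Send",   "folder": "Drafts", "client": "Outlook/16.0"}
{"ts": "2025-02-14T09:00:00Z", "user": "carol@example.test", "op": "Create", "folder": "Drafts", "client": "Outlook/16.0"}
{"ts": "2025-02-14T09:05:00Z", "user": "alice@example.test", "op": "Create", "folder": "Drafts", "client": "Outlook/16.0"}
{"ts": "2025-02-14T09:05:40Z", "user": "alice@example.test", "op": "Send",   "folder": "Drafts", "client": "Outlook/16.0"}
{"ts": "2025-02-14T09:10:00Z", "user": "bob@example.test",   "op": "Create", "folder": "Drafts", "client": "python-requests/2.31"}
{"ts": "2025-02-14T09:10:05Z", "user": "bob@example.test",   "op": "Update", "folder": "Drafts", "client": "python-requests/2.31"}
{"ts": "2025-02-14T09:10:20Z", "user": "bob@example.test",   "op": "Delete", "folder": "Drafts", "client": "python-requests/2.31"}
{"ts": "2025-02-14T09:11:00Z", "user": "bob@example.test",   "op": "Create", "folder": "Drafts", "client": "python-requests/2.31"}
{"ts": "2025-02-14T09:11:20Z", "user": "bob@example.test",   "op": "Delete", "folder": "Drafts", "client": "python-requests/2.31"}
{"ts": "2025-02-14T09:12:00Z", "user": "bob@example.test",   "op": "Create", "folder": "Drafts", "client": "python-requests/2.31"}
{"ts": "2025-02-14T09:12:15Z", "user": "bob@example.test",   "op": "Delete", "folder": "Drafts", "client": "python-requests/2.31"}
{"ts": "2025-02-14T09:30:00Z", "user": "carol@example.test", "op": "Delete", "folder": "Drafts", "client": "Outlook/16.0"}
{"ts": "2025-02-14T10:00:00Z", "user": "carol@example.test", "op": "Create", "folder": "Drafts", "client": "Outlook/16.0"}
{"ts": "2025-02-14T10:30:00Z", "user": "carol@example.test", "op": "Delete", "folder": "Drafts", "client": "Outlook/16.0"}
"""

# Assumed allowlist of user-agent prefixes for ordinary mail clients.
KNOWN_MAIL_CLIENTS = ("Outlook/", "MacOutlook/", "Microsoft Office/")
WINDOW = timedelta(minutes=10)   # how close together the churn must be
MIN_CREATES = 3                  # drafts created inside the window
MIN_DELETES = 3                  # drafts deleted inside the window


def parse_events(text):
    """Parse JSON-per-line records, convert timestamps, return them sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_draft_dead_drops(events, window=WINDOW,
                            min_creates=MIN_CREATES, min_deletes=MIN_DELETES):
    """Return one alert per (user, client) whose Drafts activity looks like a dead drop.

    A sliding window over each pair's Drafts operations is flagged when it holds
    at least min_creates Create and min_deletes Delete operations and no Send.
    Sending is what a human's draft eventually leads to; a C2 channel never sends.
    """
    by_key = defaultdict(list)
    for e in events:
        if e.get("folder") == "Drafts":
            by_key[(e["user"], e["client"])].append(e)

    alerts = []
    for (user, client), evs in by_key.items():
        counts = defaultdict(int)
        start = 0
        for end, e in enumerate(evs):
            counts[e["op"]] += 1
            # Drop events that fell out of the window behind us.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                counts[evs[start]["op"]] -= 1
                start += 1
            if (counts["Create"] >= min_creates and counts["Delete"] >= min_deletes
                    and counts["Send"] == 0):
                alerts.append({
                    "user": user,
                    "client": client,
                    "creates": counts["Create"],
                    "deletes": counts["Delete"],
                    "window_end": evs[end]["ts"].isoformat(),
                    # A non-mail-client user agent strengthens the finding
                    # but is not required: a UA string can be spoofed.
                    "unknown_client": not client.startswith(KNOWN_MAIL_CLIENTS),
                })
                break  # one alert per pair is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_draft_dead_drops(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed feed only the python-requests client acting on bob's mailbox is flagged: alice creates drafts and sends them, and carol's create/delete housekeeping is spread over hours, so it never accumulates enough churn inside the ten-minute window. The user-agent check is kept as a secondary signal rather than a gate, since the page notes the malware authenticates with a legitimate OAuth token and a client string is trivially set by whoever holds that token; the create-and-delete-without-send rhythm is the harder thing for a draft-based channel to hide.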

Further information, including detection strategies and additional insights into the functioning of FinalDraft, is available in the analysis reports published by Elastic Security Labs.
