FinalDraft Malware Exploits Outlook Drafts – Here’s A Quick Look at What You Need to Know
A new and sophisticated malware named FinalDraft has emerged, abusing Outlook email drafts as a covert command-and-control (C2) channel. The backdoor targets both Windows and Linux systems. Because its traffic goes to Microsoft 365 endpoints that most organizations already allow, FinalDraft blends into normal cloud activity and can operate without raising suspicion.
How FinalDraft Operates
The attack starts with the threat actor compromising the target's system and deploying a custom loader named PathLoader. This lightweight executable downloads encrypted shellcode from a remote server and executes it in memory. PathLoader uses API hashing and string encryption to hinder static analysis.

Once PathLoader runs the shellcode, it loads the FinalDraft backdoor, which focuses on data exfiltration and process injection. FinalDraft talks to its operators through the Microsoft Graph API, using Outlook email drafts to receive commands and return results. Because the drafts are never sent, no message leaves the mailbox and the exchange looks like ordinary Microsoft 365 activity rather than a connection to attacker infrastructure.
Methods of Stealthy Communication
FinalDraft obtains an OAuth access token from Microsoft using a refresh token embedded in its configuration, and caches the token in the Windows Registry for reuse. Commands from the attacker are placed in drafts whose subject begins with r_, and responses are written to new drafts prefixed with p_. Once a command has been executed, its draft is deleted, which hampers forensic analysis and makes detection less likely.
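The draft pattern described above (prefixed subjects, short-lived drafts deleted once consumed, created through an API client rather than a mail client) is something a defender can hunt for in mailbox audit data. The script below is an added example and is not code from Elastic Security Labs or from the malware. Its input records are constructed and deliberately simplified: the fields, the `Create`/`Delete` operation names, the `GraphClient/1.0` client string and the subject IDs are all made up for illustration and do not follow a real Microsoft audit schema; map them to your own log source before using the logic.

```python
"""Hunt for draft-based C2 activity of the kind attributed to FinalDraft.

Added example, not the malware's or the researchers' code. Records are
constructed and simplified (not a real Microsoft audit schema).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records: (timestamp, user, operation, folder, subject, client).
# alice shows the suspicious pattern; bob is a benign user with an "r_" subject.
SAMPLE_EVENTS = [
    ("2025-02-10T08:00:01Z", "alice@example.org", "Create", "Drafts", "Re: budget", "Outlook"),
    ("2025-02-10T08:01:10Z", "alice@example.org", "Create", "Drafts", "r_7f3a1c", "GraphClient/1.0"),
    ("2025-02-10T08:01:12Z", "alice@example.org", "Create", "Drafts", "p_7f3a1c", "GraphClient/1.0"),
    ("2025-02-10T08:01:14Z", "alice@example.org", "Delete", "Drafts", "r_7f3a1c", "GraphClient/1.0"),
    ("2025-02-10T08:06:00Z", "alice@example.org", "Create", "Drafts", "r_9b22ee", "GraphClient/1.0"),
    ("2025-02-10T08:06:05Z", "alice@example.org", "Delete", "Drafts", "r_9b22ee", "GraphClient/1.0"),
    ("2025-02-10T08:06:06Z", "alice@example.org", "Create", "Drafts", "p_9b22ee", "GraphClient/1.0"),
    ("2025-02-10T09:30:00Z", "bob@example.org", "Create", "Drafts", "r_test draft", "Outlook"),
    ("2025-02-10T12:00:00Z", "bob@example.org", "Delete", "Drafts", "r_test draft", "Outlook"),
]

C2_PREFIXES = ("r_", "p_")          # request / response prefixes reported for FinalDraft
SHORT_LIFETIME = timedelta(minutes=2)  # a command draft consumed and deleted this fast is odd
MIN_HITS = 2                           # require more than one prefixed draft per mailbox


def parse_ts(value):
    """Parse the constructed ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_draft_c2(events, prefixes=C2_PREFIXES, max_lifetime=SHORT_LIFETIME, min_hits=MIN_HITS):
    """Return {user: stats} for mailboxes showing the prefixed, short-lived draft pattern."""
    drafts = defaultdict(dict)   # user -> subject -> {"created": dt, "deleted": dt}
    clients = defaultdict(set)   # user -> client strings seen on the prefixed drafts

    for ts, user, op, folder, subject, client in events:
        if folder != "Drafts" or not subject.startswith(prefixes):
            continue
        entry = drafts[user].setdefault(subject, {"created": None, "deleted": None})
        when = parse_ts(ts)
        if op == "Create":
            entry["created"] = when
        elif op == "Delete":
            entry["deleted"] = when
        clients[user].add(client)

    findings = {}
    for user, subjects in drafts.items():
        short_lived = sum(
            1 for e in subjects.values()
            if e["created"] and e["deleted"] and e["deleted"] - e["created"] <= max_lifetime
        )
        # Flag only when several prefixed drafts exist AND at least one was
        # deleted quickly; a single "r_" subject from a real user is not enough.
        if len(subjects) >= min_hits and short_lived >= 1:
            findings[user] = {
                "prefixed_drafts": len(subjects),
                "short_lived_deletes": short_lived,
                "clients": sorted(clients[user]),
            }
    return findings


if __name__ == "__main__":
    for user, stats in find_draft_c2(SAMPLE_EVENTS).items():
        print(f"{user}: {stats}")
```

Tune the thresholds to your environment: the subject prefixes are the weakest signal (they are trivially changed by the attacker), while the combination of API-client access to the Drafts folder and drafts deleted seconds after creation is the behaviour that survives renaming.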
Features and Capabilities
FinalDraft supports a total of 37 commands, including:
- Data exfiltration
- Process injection
- File manipulation
- Network proxy functionality
It can harvest system information, start and stop connections to the C2 server, exfiltrate data, list drives and files, create directories, delete, move and copy files, download and upload files, list running processes, and create or terminate processes.
The malware can also act as a proxy: UDP and TCP listeners and a named pipe client relay data through the C2 channel. It overwrites files with zeros before deleting them to prevent recovery. Additionally, FinalDraft can load extra modules to gather networking information, execute PowerShell commands, and start new processes under stolen NTLM hashes using a custom Pass-the-Hash (PTH) toolkit.
Broader Implications
Elastic Security Labs discovered this malware in attacks against a South American foreign ministry. The researchers also found links to compromises in Southeast Asia, suggesting a broader operation. The campaign, dubbed REF7707, highlights the advanced intrusion set used by the attackers, despite some operational security mistakes that led to their exposure.
Conclusion
The FinalDraft malware represents a significant threat because of its stealthy communication channel and extensive capabilities. Beyond general endpoint controls, organizations should monitor Microsoft 365 and Graph API activity for anomalous draft usage, and be prepared to revoke refresh tokens that may have been stolen, since a token embedded in the malware's configuration is all it needs to reach the mailbox.