By Nermeen Nabil Khear 
- Security researchers spot new piece of malware called FinalDraft
- It gets commands from a drafted email
- It can exfiltrate data, run PowerShell, and more
Cybersecurity researchers from Elastic Security Labs have discovered a new piece of malware which abuses draft email messages in Outlook for data exfiltration, PowerShell execution, and more.
The malware is part of a wider toolkit used in a campaign called REF7707 targeting government organizations in South America, and Southeast Asia.
As per the researchers, the toolkit comprises a couple of tools: a loader called PathLoader, the malware called FinalDraft, and multiple post-exploitation utilities.
Speeding up
The attack starts with the victim somehow being exposed to the loader. While the researchers don’t detail how that happens, it’s safe to assume the usual channels: phishing, social engineering, fake cracks to commercial software, and similar.
The loader installs FinalDraft, which establishes a communications channel through Microsoft Graph API. It does so by using Outlook email drafts. It proceeds to receive an OAuth token from Microsoft, using a refresh token embedded in its configuration. It stores it in the Windows Registry, allowing cybercriminals persistent access to the compromised endpoint.
The malware allows the attackers to perform a whole swathe of commands, including exfiltrating sensitive data, creating covert network tunnels, tampering with local files, executing PowerShell, and more. After performing these commands, the malware deletes them, making analysis even harder.
The researchers found the malware on a computer belonging to a foreign ministry in South America. However, after analyzing its infrastructure, Elastic has seen links to victims in Southeast Asia, as well. The campaign targets both Windows and LInux devices.
The attack was not linked to any known threat actors, so we don’t know if this was a state-sponsored play or not. However, given that the goal seems to be espionage, it’s safe to assume nation-state attacks. In-depth analysis, including detection mechanisms, mitigations, and YARA rules, can be found on this link.
You might also like
- Dangerous Microsoft Outlook flaw could let hackers send out malware via email
- We’ve rounded up the best password managers
- Take a look at our guide to the best authenticator app
This articles is written by : Nermeen Nabil Khear Abdelmalak
All rights reserved to : USAGOLDMIES . www.usagoldmines.com
You can Enjoy surfing our website categories and read more content in many fields you may like .
Why USAGoldMines ?
USAGoldMines is a comprehensive website offering the latest in financial, crypto, and technical news. With specialized sections for each category, it provides readers with up-to-date market insights, investment trends, and technological advancements, making it a valuable resource for investors and enthusiasts in the fast-paced financial world.