
A sophisticated malware campaign targeting a South American ministry has been uncovered by Elastic Security Labs. The attack uses a new malware called FinalDraft, which relies on Microsoft Outlook email drafts, rather than sent mail, for command-and-control communications.
Key Components and Functionality:
– PathLoader: A custom malware loader with anti-analysis features
– FinalDraft backdoor: Main payload for data exfiltration and process injection
– GuidLoader: Additional malware loader for in-memory payload execution
Attack Methodology:
The malware establishes communication through Microsoft Graph API, using OAuth tokens stored in the Windows Registry. Instead of sending emails, it communicates through draft messages, making detection significantly harder. Command drafts are labeled as “r_” while responses use “p_” format, with both being deleted after execution.
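As an added defender-side illustration (not code from Elastic's report), the following Python scans mailbox message records for the draft pattern described above: draft messages whose subjects start with "r_" or "p_", grouped per mailbox, with deletions counted as corroborating evidence. The record schema is an assumption loosely modelled on the Microsoft Graph message resource (`subject`, `isDraft`), and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records (not real telemetry); the schema is an assumption.
SAMPLE_MESSAGES = [
    {"id": "m1", "mailbox": "analyst@ministry.example", "subject": "r_8f2c",
     "isDraft": True, "deleted": True},
    {"id": "m2", "mailbox": "analyst@ministry.example", "subject": "p_8f2c",
     "isDraft": True, "deleted": True},
    {"id": "m3", "mailbox": "analyst@ministry.example", "subject": "Re: travel request",
     "isDraft": True, "deleted": False},
    {"id": "m4", "mailbox": "clerk@ministry.example", "subject": "r_readme",
     "isDraft": True, "deleted": False},
    {"id": "m5", "mailbox": "clerk@ministry.example", "subject": "p_quarterly report",
     "isDraft": False, "deleted": False},
]

COMMAND_PREFIX, RESPONSE_PREFIX = "r_", "p_"   # labels reported for FinalDraft drafts

def classify(msg):
    """Return 'command', 'response' or None for a draft with a FinalDraft-style subject."""
    if not msg.get("isDraft"):
        return None                      # only drafts matter; sent mail is out of scope
    subject = msg.get("subject") or ""
    if subject.startswith(COMMAND_PREFIX):
        return "command"
    if subject.startswith(RESPONSE_PREFIX):
        return "response"
    return None

def find_draft_c2(messages):
    """Group suspect drafts by mailbox; flag a mailbox when both a command draft
    and a response draft are present (the paired exchange pattern). The number of
    deleted suspect drafts is reported as corroborating evidence."""
    per_box = defaultdict(lambda: {"command": [], "response": []})
    for msg in messages:
        kind = classify(msg)
        if kind:
            per_box[msg["mailbox"]][kind].append(msg)
    findings = {}
    for mailbox, kinds in per_box.items():
        drafts = kinds["command"] + kinds["response"]
        findings[mailbox] = {
            "command_drafts": len(kinds["command"]),
            "response_drafts": len(kinds["response"]),
            "deleted": sum(1 for m in drafts if m.get("deleted")),
            "flagged": bool(kinds["command"]) and bool(kinds["response"]),
        }
    return findings
```

A single "r_" draft in an otherwise normal mailbox (clerk@ministry.example above) is reported but not flagged, which keeps ordinary drafts with short prefixes from generating alerts on their own.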
Primary Capabilities:
– Data exfiltration
– Process injection
– Pass-the-Hash attacks
– Network proxying
– File operations
– Covert PowerShell execution
Campaign Details:
Dubbed REF7707, the cyber-espionage operation primarily targeted a South American foreign ministry. However, infrastructure analysis revealed connections to Southeast Asian victims, including telecommunications providers and educational institutions, suggesting a broader attack scope.
A Linux variant of FinalDraft has also been identified, supporting multiple communication protocols including REST API, Graph API, HTTP/HTTPS, UDP, ICMP, TCP, and DNS-based exchanges.
Defenders can access YARA rules for detecting GuidLoader, PathLoader, and FinalDraft through Elastic’s security reports.