Follow @EthHackingNews |
A new malware has been identified as using Outlook email drafts for stealthy communication with its victims. The FinalDraft malware leverages a comprehensive toolset to carry out various illicit activities. This discovery underscores the need for robust cybersecurity measures and highlights the importance of ongoing vigilance in safeguarding against emerging threats.
The world of cyber security has witnessed yet another sinister plot unfolding, courtesy of a new malware known as FinalDraft. This malicious software has been found to abuse the Outlook email service in order to conduct stealthy command and control communication with its victims. The attack was first detected by Elastic Security Labs, a leading cybersecurity firm that has dedicated itself to uncovering and combating some of the most nefarious threats lurking in the digital realm.
The nature of this malware is such that it leverages a complete toolset comprising a custom-built malware loader named PathLoader, the FinalDraft backdoor, and multiple post-exploitation utilities. This comprehensive arsenal enables the attackers to carry out a wide range of illicit activities, including data exfiltration, proxying, process injection, and lateral movement – all while leaving behind minimal traces for forensic investigators to follow.
The attack chain begins with the threat actor compromising the target system through PathLoader, a small executable that retrieves shellcode, including the FinalDraft malware, from the attacker's infrastructure and executes it. The loader incorporates several evasion measures, including string encryption, designed to defeat static analysis.
One of the most intriguing aspects of this malware is its use of Outlook drafts for communication with command and control servers. Unlike traditional email systems that rely on the transmission of complete emails, FinalDraft exploits a vulnerability in Microsoft Graph API to send commands through email drafts designated as 'r_
Another interesting aspect of this malware is its support for 37 different commands that it can execute on behalf of the attackers. Among these, some of the most critical ones include data exfiltration, process injection, pass-the-hash attacks, network proxying, and file operations – each contributing to a level of sophistication and versatility that makes FinalDraft an especially potent tool in the hands of malicious actors.
Interestingly, Elastic Security Labs also observed a Linux variant of FinalDraft that is capable of utilizing Outlook via REST API and Graph API, as well as HTTP/HTTPS, reverse UDP & ICMP, bind/reverse TCP, and DNS-based C2 exchange. This demonstrates an adaptation of the malware to target diverse platforms and environments, underscoring its potential for widespread impact.
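The draft-based dead drop described above leaves a behavioural trace defenders can look for: a mailbox whose Drafts folder churns with creates and deletes while nothing is ever sent. The following heuristic is an added example, not Elastic's detection logic or code from the page; the JSON-lines format and the field names `ts`, `user`, `op` and `folder` are assumptions, and the audit records are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events, one JSON record per line. The field names
# (ts, user, op, folder) are an assumption for this example, not a real export.
SAMPLE_LOG = """
{"ts":"2025-02-10T09:00:00Z","user":"alice@example.org","op":"Create","folder":"Drafts"}
{"ts":"2025-02-10T09:00:30Z","user":"alice@example.org","op":"Update","folder":"Drafts"}
{"ts":"2025-02-10T09:01:00Z","user":"alice@example.org","op":"Send","folder":"Drafts"}
{"ts":"2025-02-10T10:00:00Z","user":"svc-mail@example.org","op":"Create","folder":"Drafts"}
{"ts":"2025-02-10T10:00:05Z","user":"svc-mail@example.org","op":"HardDelete","folder":"Drafts"}
{"ts":"2025-02-10T10:00:40Z","user":"svc-mail@example.org","op":"Create","folder":"Drafts"}
{"ts":"2025-02-10T10:00:45Z","user":"svc-mail@example.org","op":"HardDelete","folder":"Drafts"}
{"ts":"2025-02-10T10:01:20Z","user":"svc-mail@example.org","op":"Create","folder":"Drafts"}
{"ts":"2025-02-10T10:01:25Z","user":"svc-mail@example.org","op":"HardDelete","folder":"Drafts"}
"""

DRAFT_OPS = {"Create", "Update", "SoftDelete", "HardDelete"}

def parse_events(log_text):
    """Parse JSON-lines audit records and sort them by timestamp."""
    events = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])

def find_draft_deadrops(events, window=timedelta(minutes=10), min_events=6):
    """Return {user: peak_count} for mailboxes whose Drafts folder sees at least
    min_events create/modify/delete operations inside one window with no Send.
    A mailbox used as a C2 dead drop churns drafts that are never sent."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            win = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            drafts = sum(1 for e in win if e["op"] in DRAFT_OPS and e["folder"] == "Drafts")
            sends = sum(1 for e in win if e["op"] == "Send")
            if drafts >= min_events and sends == 0:
                flagged[user] = max(flagged.get(user, 0), drafts)
    return flagged

if __name__ == "__main__":
    for user, n in find_draft_deadrops(parse_events(SAMPLE_LOG)).items():
        print(f"suspicious draft churn: {user} ({n} draft ops, no sends)")
```

Tune `window` and `min_events` to the baseline of the environment; a user who drafts a message, edits it and sends it (as `alice` does above) is not flagged.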
Furthermore, the attack campaign dubbed REF7707 by Elastic Security Labs presented several opsec (operational security) mistakes that were at odds with the otherwise advanced level of the intrusion. These discrepancies inadvertently led to the attacker's exposure, serving as a stark reminder of the importance of vigilance and adherence to best practices in maintaining robust cybersecurity.
It is worth noting that REF7707 is primarily focused on a South American foreign ministry, though further analysis revealed links to Southeast Asian victims, suggesting a more extensive operation. Moreover, an investigation into the attacker's activities uncovered another previously undocumented malware loader called GuidLoader, capable of decrypting and executing payloads in memory.
In addition, this attack campaign involved repeated targeting of high-value institutions via compromised endpoints in telecommunications and internet infrastructure providers in Southeast Asia. A notable example is a Southeast Asian university's public-facing storage system that was used to host malware payloads, implying either prior compromise or a supply chain foothold.
Ultimately, the discovery of FinalDraft serves as a stark reminder of the ever-evolving nature of cyber threats and the imperative for organizations and individuals alike to remain vigilant in safeguarding their digital assets. As such, the YARA rules developed by Elastic Security Labs can prove invaluable in helping defenders detect malware families such as GuidLoader, PathLoader, and FinalDraft.
The rise of sophisticated threats like FinalDraft underscores the need for robust cybersecurity measures that can adapt to and counter even the most innovative attacks. By staying informed about emerging threats and adopting proactive security strategies, we can collectively mitigate their impact and create a safer digital landscape for all.