Follow on X RSS Feed
Malware

FINALDRAFT Malware Abuses Microsoft Services Stay One Step Ahead

Cybersec Sentinel

3 min read
FINALDRAFT Malware Abuses Microsoft Services Stay One Step Ahead

Threat Group: REF7707
Threat Type: Remote Access Trojan (RAT)
Exploited Vulnerabilities: Abuse of Microsoft Graph API, Credential Theft via NTLM Hashes
Malware Used: FINALDRAFT, PATHLOADER
Threat Score: High (8.5/10) – Due to its advanced evasion techniques, use of legitimate cloud-based services for C2 communication, and its ability to compromise both Windows and Linux systems.
Last Threat Observation: February 14, 2025

Overview

The FINALDRAFT malware is a newly discovered Remote Access Trojan (RAT), identified in late 2024 during a cyber-espionage campaign attributed to REF7707, a sophisticated threat actor group. This malware specifically targets government entities, academic institutions, and telecommunications organizations across South America and Southeast Asia. FINALDRAFT is engineered to function as a powerful tool for cyber-espionage, capable of executing stealthy attacks with a high level of persistence and evasion.

Key Attributes of FINALDRAFT:

  • Written in C++, compiled as a 64-bit executable for both Windows and Linux.
  • Uses Microsoft Graph API for Command-and-Control (C2), effectively masking malicious traffic within legitimate cloud communications.
  • Executes process injection, file manipulation, credential theft, and network proxying.
  • Bypasses Windows Event Tracing (ETW) and Antimalware Scan Interface (AMSI) to evade detection.
  • Leverages Outlook's drafts folder to parse attacker commands and return execution results, avoiding direct internet communications that could trigger security alerts.
  • Capable of self-deletion in the Linux variant to erase forensic evidence.

Recent News and Security Advisories

A new malware campaign involving FINALDRAFT was detected in November 2024, targeting a foreign ministry in South America, a university in Southeast Asia, and a telecommunications organization. REF7707 successfully infiltrated these organizations using stolen network credentials, which they leveraged to deploy the malware via Microsoft's certutil application and Windows Remote Management (WinRM) Remote Shell plugin.

Key observations:

  • REF7707 used valid credentials to distribute the PATHLOADER malware, which acts as a staging tool to execute FINALDRAFT.
  • The attackers demonstrated an extensive understanding of their targets' infrastructure, indicating prolonged reconnaissance before executing their attacks.
  • The use of legitimate Microsoft services (Graph API, Outlook, WinRM) made detection exceptionally difficult.

Technical Analysis of FINALDRAFT

1. Initial Infection & Execution

  • Entry Method: Although the initial infection vector remains unknown, indications suggest phishing emails, compromised credentials, or exploiting weak security controls played a role.
  • Staging: The PATHLOADER malware serves as an intermediary payload, retrieving the FINALDRAFT RAT from a remote server.
  • Execution: PATHLOADER decrypts FINALDRAFT’s shellcode and injects it into a trusted process, commonly mspaint.exe or svchost.exe.

2. Command-and-Control (C2) via Microsoft Graph API

  • FINALDRAFT leverages Microsoft Graph API for stealthy communications.
  • Method: The malware reads commands from the Outlook drafts folder of a compromised account and writes execution results back to a new draft email.
  • Benefit: This approach avoids traditional C2 traffic detection by blending malicious communications into standard email behavior.

3. Advanced Capabilities

  • Process Injection: Injects malicious code into legitimate processes (e.g., mspaint.exe), evading antivirus solutions.
  • File Manipulation: Reads, writes, deletes, and modifies files to disrupt operations or facilitate further compromise.
  • Network Proxying: Redirects network traffic through infected devices, making it harder to trace the attacker.
  • PowerShell Execution: Runs PowerShell commands without invoking powershell.exe, bypassing security monitoring tools.
  • Credential Theft: Steals NTLM hashes to move laterally across a network.
  • ETW and AMSI Evasion: Modifies APIs to bypass Windows event tracing and antivirus scanning mechanisms.
  • Self-Deletion: The Linux variant removes itself post-execution to hinder forensic investigation.

SIEM Queries for Detection

The following SIEM queries can be used to detect potential FINALDRAFT activity. You must customize these queries to fit your specific SIEM environment, setting appropriate indexes and source types.

1. Detect Suspicious Outlook Drafts Activity

index=<your_index> source=<your_source> event_type="email_drafts" content=*encoded_command*

2. Detect Process Injection into MSPaint

index=<your_index> source="sysmon" EventCode=8 TargetImage="C:\Windows\System32\mspaint.exe"

3. Detect Unusual Certutil Activity

index=<your_index> source="security" EventCode=4688 NewProcessName="C:\Windows\System32\certutil.exe"

Indicators of Compromise (IoCs)

FileHash-MD5

  • 54c4d47332ebc8bd2505d6e7638717bc
  • 764a838236f5dceb3d199059ad36311e
  • 92306905be5b717654d5b105cd506bdd

FileHash-SHA1

  • 2fdea656bf50277c8d728e1a005bf1e5157c68d0
  • c2e0559907bd721a050a9fee4448d062f5edf237
  • d79d5b7742dd848f35424df325610b2e8a8761eb

FileHash-SHA256

  • 39e85de1b1121dc38a33eca97c41dbd9210124162c6d669d28480c833e059530
  • 83406905710e52f6af35b4b3c27549a12c28a628c492429d3a411fdb2d28cc8c
  • 9a11d6fcf76583f7f70ff55297fb550fed774b61f35ee2edd95cf6f959853bcf

URL

  • hxxp://poster[.]checkponit[.]com/nzoMeFYgvjyXK3P
  • hxxps://poster[.]checkponit[.]com[:443]/nzoMeFYgvjyXK3P
  • hxxps://support[.]fortineat[.]com[:443]/nzoMeFYgvjyXK3P

Hostname

  • poster[.]checkponit[.]com
  • support[.]fortineat[.]com
  • support[.]vmphere[.]com
  • update[.]hobiter[.]com

Conclusion

The FINALDRAFT malware presents a severe cybersecurity threat due to its stealthy communication techniques, advanced evasion mechanisms, and use in cyber-espionage campaigns. Despite its sophisticated nature, REF7707 has exhibited operational weaknesses, including poor obfuscation and inconsistent evasion practices, leaving opportunities for detection. Organizations must remain vigilant, deploy proactive defenses, and conduct regular security audits to mitigate the risks posed by FINALDRAFT.

Sources

  1. Elastic Security Labs - FINALDRAFT Malware Analysis
  2. The Hacker News - FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux
  3. AlienVault - Indicators of Compromise.