A newly identified malware, FinalDraft, has been leveraging Microsoft Outlook email drafts for command-and-control (C2) communication in targeted cyberattacks against a South American foreign ministry.
Elastic Security Labs uncovered the attacks, which deploy an advanced malware toolset comprising a custom loader named PathLoader, the FinalDraft backdoor, and multiple post-exploitation utilities. By exploiting Outlook drafts instead of sending emails, the malware ensures stealth, allowing threat actors to conduct data exfiltration, proxying, process injection, and lateral movement while minimizing detection risks.
The attack initiates with the deployment of PathLoader—a lightweight executable that runs shellcode, including the FinalDraft malware, retrieved from the attacker's infrastructure. PathLoader incorporates security mechanisms such as API hashing and string encryption to evade static analysis.
Stealth Communication via Outlook Drafts
FinalDraft facilitates data exfiltration and process injection by establishing communication through Microsoft Graph API, transmitting commands via Outlook drafts. The malware retrieves an OAuth token from Microsoft using a refresh token embedded in its configuration and stores it in the Windows Registry for persistent access. By leveraging drafts instead of sending emails, it seamlessly blends into Microsoft 365 network traffic, evading traditional detection mechanisms.
Commands from the attacker appear in drafts labeled r_, while responses are stored as p_. Once executed, draft commands are deleted, making forensic analysis significantly more challenging.
FinalDraft supports 37 commands, enabling sophisticated cyber-espionage activities, including:
- Data exfiltration: Extracting sensitive files, credentials, and system information.
- Process injection: Running malicious payloads within legitimate processes such as mspaint.exe.
- Pass-the-Hash attacks: Stealing authentication credentials to facilitate lateral movement.
- Network proxying: Establishing covert network tunnels.
- File operations: Copying, deleting, or modifying files.
- PowerShell execution: Running PowerShell commands without launching powershell.exe.
Elastic Security Labs also detected a Linux variant of FinalDraft, which utilizes Outlook via REST API and Graph API while supporting multiple C2 communication channels, including HTTP/HTTPS, reverse UDP & ICMP, bind/reverse TCP, and DNS-based exchanges.
The research team attributes the attack to a campaign named REF7707, which primarily targets South American governmental entities. However, infrastructure analysis indicates links to Southeast Asian victims, suggesting a larger-scale operation. The investigation also revealed an additional undocumented malware loader, GuidLoader, designed to decrypt and execute payloads in memory.
Further examination showed repeated attacks on high-value institutions via compromised telecommunications and internet infrastructure in Southeast Asia. Additionally, a Southeast Asian university’s public-facing storage system was found hosting malware payloads, potentially indicating a prior compromise or a foothold in a supply chain attack.
Security teams can utilize YARA rules provided in Elastic’s reports to detect and mitigate threats associated with GuidLoader, PathLoader, and FinalDraft. The findings underscore the increasing sophistication of cyber-espionage tactics and the need for robust cybersecurity defenses.