February 18, 2025

New FinalDraft Malware Leverages Outlook Drafts for Stealthy Cyber Espionage


Cybersecurity researchers from Elastic Security Labs have uncovered a sophisticated malware named FinalDraft that exploits Microsoft Outlook's draft email feature to conduct covert cyber espionage operations. The malware enables attackers to perform advanced post-exploitation activities while maintaining an extremely low profile.

The intricate attack chain begins with a custom malware loader called PathLoader, which executes shellcode retrieved from the attacker's infrastructure. PathLoader incorporates advanced protection mechanisms against static analysis, including API hashing and string encryption techniques.

Figure: PATHLOADER and FINALDRAFT execution diagram (from Elastic Security Labs)

Once deployed, FinalDraft establishes communication through the Microsoft Graph API by sending and receiving commands via Outlook email drafts. The malware retrieves an OAuth token using a refresh token embedded in its configuration and stores it in the Windows Registry for persistent access. By utilizing draft emails instead of sending actual messages, the malware effectively blends into normal Microsoft 365 network traffic.

The malware supports an impressive array of 37 commands, enabling attackers to perform sophisticated operations such as data exfiltration, process injection, network proxying, and lateral movement. Notably, FinalDraft can inject payloads into legitimate processes like mspaint.exe, execute PowerShell commands without launching powershell.exe, and even conduct pass-the-hash attacks for credential theft.

Researchers discovered multiple variants of the malware, including a Linux version that supports additional communication protocols like HTTP/HTTPS, reverse UDP, ICMP, and DNS-based command and control exchanges. The Linux variant demonstrates the attackers' flexibility in targeting different computing environments.

The attack campaign, dubbed REF7707, appears to be a targeted cyber espionage operation focused on a South American foreign ministry. However, infrastructure analysis revealed potential links to victims in Southeast Asia, suggesting a broader operational scope.

The FinalDraft malware represents a significant advancement in stealthy communication techniques, leveraging legitimate software infrastructure to conduct malicious activities. Its ability to hide communication within Outlook drafts and support a wide range of post-exploitation capabilities makes it a particularly dangerous threat.

Elastic Security Labs recommends organizations implement robust monitoring and detection mechanisms, particularly focusing on unusual Microsoft Graph API activities and unexpected draft email behaviors. The researchers have also published YARA rules to help defenders detect and mitigate potential FinalDraft infections.
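As an added illustration of the "unexpected draft email behaviors" the article says defenders should watch for (this is not code from the article or from Elastic Security Labs), the Python below runs a simple heuristic over constructed mailbox-activity records: a user who repeatedly creates and deletes drafts inside a short window without ever sending a message is flagged. The event names, field names and log schema are assumptions for the example; real Microsoft 365 and Graph audit records use their own formats.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema (not the real
# Microsoft 365 or Graph audit format). alice drafts then sends, as a user would;
# bob creates, reads and deletes drafts repeatedly without ever sending.
SAMPLE_LOG = """
{"ts": "2025-02-18T09:00:01Z", "user": "alice@example.test", "op": "DraftCreate"}
{"ts": "2025-02-18T09:00:05Z", "user": "alice@example.test", "op": "MessageSend"}
{"ts": "2025-02-18T09:00:10Z", "user": "bob@example.test", "op": "DraftCreate"}
{"ts": "2025-02-18T09:00:12Z", "user": "bob@example.test", "op": "DraftRead"}
{"ts": "2025-02-18T09:00:13Z", "user": "bob@example.test", "op": "DraftDelete"}
{"ts": "2025-02-18T09:00:40Z", "user": "bob@example.test", "op": "DraftCreate"}
{"ts": "2025-02-18T09:00:42Z", "user": "bob@example.test", "op": "DraftRead"}
{"ts": "2025-02-18T09:00:43Z", "user": "bob@example.test", "op": "DraftDelete"}
{"ts": "2025-02-18T09:01:10Z", "user": "bob@example.test", "op": "DraftCreate"}
{"ts": "2025-02-18T09:01:13Z", "user": "bob@example.test", "op": "DraftDelete"}
"""

def parse_log(text):
    """Parse one JSON object per line; 'ts' becomes a datetime."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records

def find_draft_churn(records, window=timedelta(minutes=10), min_churn=4):
    """Return {user: churn} for users with >= min_churn draft create/delete
    events inside one sliding window in which they sent no message."""
    by_user = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        by_user[rec["user"]].append(rec)
    flagged = {}
    for user, events in by_user.items():
        for i, start in enumerate(events):  # each event opens a window
            churn = sends = 0
            for ev in events[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                if ev["op"] in ("DraftCreate", "DraftDelete"):
                    churn += 1
                elif ev["op"] == "MessageSend":
                    sends += 1
            if churn >= min_churn and sends == 0:
                flagged[user] = max(flagged.get(user, 0), churn)
    return flagged
```

The thresholds are illustrative; in practice they would be tuned per tenant and combined with the client application and source address of the Graph API calls.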


Anthony Denis

Anthony Denis is a Security News Reporter with a Bachelor's in Business Computer Application. Drawing from a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to deliver complex security topics with clarity and insight.
