- Security researchers have detected a new piece of malware called FinalDraft
- It receives its commands from Outlook email drafts
- It can exfiltrate data, run PowerShell and more
Cybersecurity researchers at Elastic Security Labs have discovered a new piece of malware that abuses Outlook email drafts for data exfiltration, PowerShell execution and more.
The malware is part of a broader toolset used in a campaign tracked as REF7707, aimed at government organizations in South America and Southeast Asia.
According to the researchers, the toolset includes a loader called PathLoader, the FinalDraft malware itself and multiple post-exploitation utilities.
Accelerating
The attack begins with the victim somehow being exposed to the loader. The researchers do not detail how this happens, but it is safe to assume the usual channels: phishing, social engineering, fake cracks for commercial software and the like.
The final payload, FinalDraft, establishes a command-and-control channel through the Microsoft Graph API, using Outlook email drafts as the transport. It first obtains a Microsoft OAuth access token using a refresh token embedded in its configuration, and stores that token in the Windows Registry, giving the attackers persistent access to the compromised endpoint.
The malware lets the attackers run a full range of commands, including exfiltrating sensitive data, creating covert network tunnels, manipulating local files, executing PowerShell and more. After executing these commands, the malware deletes them, which makes analysis even harder.
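The draft-polling behaviour described above leaves a recognizable footprint in egress telemetry: a process that is not the mail client repeatedly reads the Drafts folder through Graph and deletes a message moments later. The following detection sketch is an added example, not code from Elastic or from the original article; the log records are constructed, the field layout and the mail-client allow-list are assumptions to tune per environment, and the Graph endpoints are the public `/me/mailFolders/drafts/messages` and `/me/messages/{id}` routes.

```python
import re
from collections import defaultdict

# Constructed sample of proxy/EDR egress records: (timestamp_sec, process, method, url).
# Real telemetry field names will differ; the tuple shape used here is an assumption.
SAMPLE_LOG = [
    (100, "outlook.exe", "GET",    "https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages"),
    (101, "outlook.exe", "POST",   "https://graph.microsoft.com/v1.0/me/messages"),
    (200, "svchost.exe", "POST",   "https://login.microsoftonline.com/common/oauth2/v2.0/token"),
    (201, "svchost.exe", "GET",    "https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages"),
    (202, "svchost.exe", "DELETE", "https://graph.microsoft.com/v1.0/me/messages/AAMkAGI2"),
    (260, "svchost.exe", "GET",    "https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages"),
    (261, "svchost.exe", "DELETE", "https://graph.microsoft.com/v1.0/me/messages/AAMkAGI3"),
]

# Assumption: processes legitimately expected to touch the Drafts folder via Graph.
ALLOWED_MAIL_CLIENTS = {"outlook.exe", "olk.exe"}
DRAFTS_POLL_RE = re.compile(r"graph\.microsoft\.com/v1\.0/me/mailFolders/drafts/messages", re.I)
MESSAGE_DELETE_RE = re.compile(r"graph\.microsoft\.com/v1\.0/me/messages/[^/?]+$", re.I)


def find_draft_c2_candidates(records, window_sec=30):
    """Return {process: [(poll_ts, delete_ts), ...]} for every process outside the
    allow-list that reads the Drafts folder and deletes a message within window_sec.
    A single poll or a single delete is not enough; the pairing is what marks the
    fetch-then-destroy pattern of draft-based command retrieval."""
    polls, deletes = defaultdict(list), defaultdict(list)
    for ts, proc, method, url in records:
        if proc.lower() in ALLOWED_MAIL_CLIENTS:
            continue
        if method == "GET" and DRAFTS_POLL_RE.search(url):
            polls[proc].append(ts)
        elif method == "DELETE" and MESSAGE_DELETE_RE.search(url):
            deletes[proc].append(ts)

    findings = {}
    for proc, poll_times in polls.items():
        pairs = [(p, d) for p in poll_times for d in deletes.get(proc, [])
                 if 0 <= d - p <= window_sec]
        if pairs:
            findings[proc] = pairs
    return findings


if __name__ == "__main__":
    for proc, pairs in find_draft_c2_candidates(SAMPLE_LOG).items():
        print(f"suspicious draft polling by {proc}: {pairs}")
```

The same pairing logic applies to Graph audit logs on the tenant side, where the process name is replaced by the application or client ID that issued the request.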
The researchers found the malware on a computer belonging to a foreign ministry in South America. After analyzing its infrastructure, however, Elastic also saw links to victims in Southeast Asia. The campaign targets both Windows and Linux devices.
The attack has not been attributed to any known threat actor, so it is not known whether it was state-sponsored. However, since the objective appears to be espionage, it is reasonable to assume a state-sponsored operation. The in-depth analysis, including detection mechanisms, mitigations and YARA rules, can be found at this link.