New FinalDraft malware abuses Outlook mail service for stealthy comms

A new malware called FinalDraft has been using Outlook email drafts for command-and-control communication in attacks against a ministry in a South American country. The attack begins with the threat actor compromising the targer's system with PathLoader, a small executable file that executes shellcode, including the FinalDraft malware, retrieved from the attacker's infrastructure. The attacks were discovered by Elastic Security Labs and rely on a complete toolset that includes a custom malware loader named PathLoader, the FinalDraft backdoor, and multiple post-exploitation utilities. Commands from the attacker are hidden in drafts (r_<session-id>) and responses are stored in new drafts (p_<session-id>). After execution, draft commands are deleted, making forensic analysis harder and detection more unlikely. After loading the configuration and generating a session ID, the malware establishes communication through Microsoft Graph API, by sending and receiving commands through Outlook email drafts. REF7707 is a cyber-espionage campaign focused on a South American foreign ministry, but analysis of the infrastructure revealed links to Southeast Asian victims, suggesting a broader operation. Elastic Security Labs also observed a Linux variant of FinalDraft, which can still use Outlook via REST API and Graph API, as well as HTTP/HTTPS, reverse UDP & ICMP, bind/reverse TCP, and DNS-based C2 exchange. The abuse of Outlook, in this case, aims to achieve covert communications, allowing the attackers to perform data exfiltration, proxying, process injection, and lateral movement while leaving minimal possible traces. Bill Toulas Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks. FinalDraft retrieves an OAuth token from Microsoft using a refresh token embedded in its configuration, and stores it in the Windows Registry for persistent access. By using Outlook drafts instead of sending emails, it avoids detection and blends into normal Microsoft 365 traffic. Further analysis showed the attacker's repeated targeting of high-value institutions via compromised endpoints in telecommunications and internet infrastructure providers in Southeast Asia. Additionally, a Southeast Asian university’s public-facing storage system was used to host malware payloads, suggesting prior compromise or a supply chain foothold. The researchers present the attack campaign, dubbed REF7707, in a separate report that describes several opsec mistakes that are in contrast with the advanced intrusion set used, and which led to the attacker's exposure. YARA rules to help defenders detect Guidloader, PathLoader, and FinalDraft, are available at the bottom of Elastic’s reports [1, 2].

This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 17 Feb 2025 00:05:09 +0000