The Silent Threat: FINALDRAFT Malware in Your Drafts

Summary

Cyble Research Intelligence Labs recently identified an intriguing discovery by Elastic Security Labs involving an advanced post-exploitation toolkit used in a campaign named REF7707. This sophisticated toolkit leverages Microsoft Outlook and the Microsoft Graph API as communication channels for Command and Control (C2) operations. It comprises several components, including a loader (PATHLOADER), a backdoor (FINALDRAFT), and a variety of modular extensions that enhance its capabilities, such as process injection, data exfiltration, and network proxying.

Notably, the REF7707 campaign targets both Windows and Linux environments, reflecting a significant level of cross-platform development and adaptability. The existence of multiple versions across different operating systems suggests ongoing development and refinement. Given the complexity and structured engineering of these tools, the campaign is likely part of a state-sponsored espionage operation rather than being financially motivated.

Technical Details

A detailed investigation into REF7707 and the malware families PATHLOADER and FINALDRAFT suggests that this operation is highly sophisticated and espionage-focused. The following indicators strongly point to an Advanced Persistent Threat (APT) group.

PATHLOADER

PATHLOADER is a lightweight Windows executable (~206 KB) designed to download and execute encrypted shellcode from external servers. This tool, combined with a second-stage implant called FINALDRAFT, appears to be part of a targeted attack on sensitive environments. Our analysis recovered and decrypted the shellcode from PATHLOADER, leading to the discovery of FINALDRAFT, which has not been publicly reported before.

Configuration & Network Communication

PATHLOADER’s configuration is embedded in the .data section of the binary, storing command-and-control (C2) domains. Once decoded, it reveals two typosquatted domains resembling security vendors:

● poster.checkponit[.]com

● Support.fortineat[.]com

PATHLOADER communicates with these domains to download shellcode via HTTPS GET requests. The downloaded shellcode is AES-encrypted, with the URL path serving as the decryption key.

Obfuscation & Evasion Techniques

PATHLOADER implements multiple anti-analysis techniques. It uses Fowler–Noll–Vo (FNV) hashing for API function resolution, making static analysis more difficult. String obfuscation is performed using SIMD instructions and XMM registers, increasing complexity for analysts. Despite this, a logging string for WinHttpSendRequest error codes remains unencrypted.

For evasion, PATHLOADER delays execution using the GetTickCount64 and Sleep functions to avoid sandbox detection. Once executed, the malware decrypts and loads the shellcode into memory, modifies the memory protection to allow execution, and calls the shellcode’s entry point. This shellcode then deploys the next-stage implant, FINALDRAFT.

In summary, PATHLOADER is a stealthy downloader that uses advanced evasion and obfuscation techniques to deliver FINALDRAFT, a previously unreported malware implant, to compromised systems.
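The FNV-based API resolution above is easiest to unwind with a precomputed hash-to-name table. The following is an added analyst helper, not code from the report or from Elastic; it assumes the loader hashes the ASCII export name with 32-bit FNV-1a (FNV-1 is tried as a fallback), which is an assumption to confirm while reversing, and the candidate list is constructed from the API names the report mentions plus a few WinHTTP neighbours.

```python
from typing import Optional

# Assumption: 32-bit FNV over the ASCII export name. Adjust the width/variant
# if the loader's hashing routine turns out to differ.
FNV32_OFFSET = 0x811C9DC5
FNV32_PRIME = 0x01000193
MASK32 = 0xFFFFFFFF


def fnv1_32(data: bytes) -> int:
    """Classic FNV-1: multiply by the prime, then XOR in each byte."""
    h = FNV32_OFFSET
    for b in data:
        h = (h * FNV32_PRIME) & MASK32
        h ^= b
    return h


def fnv1a_32(data: bytes) -> int:
    """FNV-1a: XOR in each byte, then multiply (the variant loaders use most)."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & MASK32
    return h


# Constructed candidate list: names from the report plus WinHTTP neighbours a
# downloader would need. In practice, feed it every export of the target DLLs.
CANDIDATE_APIS = [
    "WinHttpOpen", "WinHttpConnect", "WinHttpOpenRequest",
    "WinHttpSendRequest", "WinHttpReceiveResponse", "WinHttpReadData",
    "GetTickCount64", "Sleep", "VirtualAlloc", "VirtualProtect",
]


def build_table(names, hasher=fnv1a_32) -> dict:
    """Map hash value -> export name for every candidate under one variant."""
    return {hasher(n.encode("ascii")): n for n in names}


def resolve(hash_value: int, names=CANDIDATE_APIS) -> Optional[str]:
    """Look a hash up under FNV-1a, then FNV-1; None if no candidate matches."""
    for hasher in (fnv1a_32, fnv1_32):
        hit = build_table(names, hasher).get(hash_value)
        if hit:
            return hit
    return None


if __name__ == "__main__":
    for name in CANDIDATE_APIS:
        print(f"{fnv1a_32(name.encode('ascii')):08x}  {name}")
```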

FINALDRAFT

FINALDRAFT is a 64-bit malware written in C++ designed for data exfiltration and process injection. It has a core component and additional modules that are injected into processes, with all communication directed to a command-and-control (C2) server. The malware starts by decrypting its configuration and generating a session ID using either the Windows Product ID or a string after the encrypted data. The configuration includes communication methods, AES keys for encryption, and a Pastebin URL.

FINALDRAFT communicates with the C2 server primarily through the Microsoft Graph API by creating draft emails in Outlook. These emails are used to send and receive commands, with messages encrypted and encoded in Base64. The malware includes 37 command handlers for various tasks like process injection, file manipulation, and forwarding data through TCP, UDP, and named pipes. It also features modules for network enumeration, PowerShell execution without launching powershell.exe, and Pass-the-Hash attacks for lateral movement.

An ELF (Linux) version of FINALDRAFT was found with additional C2 communication options such as HTTP, HTTPS, ICMP, and DNS. This version can execute shell commands and collect system information but does not support process injection. Older FINALDRAFT versions use Outlook or HTTP for communication and have fewer commands. These samples show the malware evolving over time, with domains impersonating legitimate vendors like VMware and Fortinet. FINALDRAFT's modular design and multiple communication methods make it a versatile tool for cyber espionage.
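The draft-mailbox C2 channel described above leaves a behavioural trace: drafts are created and removed repeatedly without anything ever being sent. The following detector is an added example, not part of the report; the audit record shape (user, op, folder, timestamp) is a constructed simplification rather than a real Microsoft 365 schema, and the window and threshold are illustrative assumptions to tune against your own baseline.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: user a shows Drafts create/delete churn with no
# Send; user b is an ordinary user who drafts once and sends once.
SAMPLE_LOG = """\
{"ts":"2025-02-20T09:00:01Z","user":"a@example.test","op":"Create","folder":"Drafts"}
{"ts":"2025-02-20T09:00:03Z","user":"a@example.test","op":"HardDelete","folder":"Drafts"}
{"ts":"2025-02-20T09:01:10Z","user":"a@example.test","op":"Create","folder":"Drafts"}
{"ts":"2025-02-20T09:01:12Z","user":"a@example.test","op":"HardDelete","folder":"Drafts"}
{"ts":"2025-02-20T09:02:30Z","user":"a@example.test","op":"Create","folder":"Drafts"}
{"ts":"2025-02-20T09:02:33Z","user":"a@example.test","op":"HardDelete","folder":"Drafts"}
{"ts":"2025-02-20T09:05:00Z","user":"b@example.test","op":"Create","folder":"Drafts"}
{"ts":"2025-02-20T09:07:00Z","user":"b@example.test","op":"Send","folder":"Sent Items"}
"""

CHURN_OPS = {"Create", "SoftDelete", "HardDelete"}


def parse(log_text: str) -> list:
    """Parse one JSON record per line and convert the timestamp to datetime."""
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for r in records:
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return records


def find_draft_churn(records, window=timedelta(minutes=10), min_events=6) -> dict:
    """Return {user: churn_count} for users with >= min_events Drafts
    create/delete operations inside any `window` that contains no Send."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_user[r["user"]].append(r)
    flagged = {}
    for user, events in by_user.items():
        for i, start in enumerate(events):           # slide the window start
            win = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            churn = [e for e in win if e["folder"] == "Drafts" and e["op"] in CHURN_OPS]
            if len(churn) >= min_events and not any(e["op"] == "Send" for e in win):
                flagged[user] = len(churn)
                break
    return flagged


if __name__ == "__main__":
    for user, count in find_draft_churn(parse(SAMPLE_LOG)).items():
        print(f"draft-churn C2 pattern: {user} ({count} Drafts ops, no Send)")
```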

Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

● Deploy advanced EDR solutions that can detect unusual process behaviors, unauthorized process injections, and abnormal network communications. Continuous monitoring of endpoints can help identify and block FINALDRAFT’s activities early.

● Enable MFA for all critical accounts, especially for services like Microsoft Graph API and remote access. This will reduce the likelihood of unauthorized access, even if credentials are compromised through techniques like Pass-the-Hash attacks.

● Ensure that all software, including operating systems and applications, is kept up to date with the latest security patches. FINALDRAFT exploits vulnerabilities in outdated systems, so timely updates can help prevent exploitation.

Conclusion

The FINALDRAFT malware represents a highly sophisticated and modular tool for cyber espionage, utilizing multiple communication channels and advanced techniques like process injection and Pass-the-Hash attacks. Its ability to exfiltrate data, manipulate files, and maintain persistence across systems makes it a significant threat. With both Windows and Linux variants, FINALDRAFT showcases its adaptability and persistence in targeting a wide range of environments.


Written by

FPT Metrodata Indonesia