A new malware named FINALDRAFT targets Outlook users

Vũ Nhật Lâm
4 min read

Introduction

Researchers from Elastic Security Labs recently investigated a new malware family that targets government organisations. It consists of a loader and a backdoor; the backdoor abuses the Microsoft Graph API to communicate with its C2 servers and gives the operators control of infected systems. The malware is called FINALDRAFT.

Investigation and research

PATHLOADER & FINALDRAFT execution diagram

First, a Windows PE file called PATHLOADER, only 206 KB in size, is executed on the victim's machine. It embeds a configuration containing Base64-encoded C2 server information, which decodes to:

Embedded configuration

https://poster.checkponit.com:443/nzoMeFYgvjyXK3P;https://support.fortineat.com:443/nzoMeFYgvjyXK3P;*|*

The two domains are typosquats meant to pass as belonging to the security vendors Check Point and Fortinet. PATHLOADER also uses API hashing and string obfuscation to hinder analysis. When executed, it connects to the C2 server, downloads a shellcode blob that is AES-encrypted and Base64-encoded, and executes it after decoding and decrypting. The purpose of this shellcode is to download the FINALDRAFT malware.
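The loader configuration above has a simple shape: semicolon-separated C2 URLs terminated by a `*|*` marker, Base64-encoded as a whole. The following added example (not code from the article or from Elastic) decodes a configuration in that format, extracts the C2 hosts and flags second-level labels that sit within a small edit distance of a brand name; the brand list and the distance threshold are assumptions, and the Base64 sample is constructed by encoding the plaintext shown in the post.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample: the plaintext configuration quoted in the post, Base64-encoded
# here for the demo (the sample's real encoded bytes are not reproduced in the post).
CONFIG_PLAINTEXT = ("https://poster.checkponit.com:443/nzoMeFYgvjyXK3P;"
                    "https://support.fortineat.com:443/nzoMeFYgvjyXK3P;*|*")
CONFIG_B64 = base64.b64encode(CONFIG_PLAINTEXT.encode()).decode()

# Assumed list of brand labels to compare against; extend with the vendors
# your organisation actually uses.
BRANDS = ["checkpoint", "fortinet", "vsphere"]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_config(b64: str) -> list[str]:
    """Decode the loader config and return the C2 URLs (fields before the '*|*' marker)."""
    text = base64.b64decode(b64).decode()
    return [field for field in text.split(";") if field.startswith("http")]


def lookalike_brand(host: str, max_dist: int = 2):
    """Return (brand, distance) when the registrable label resembles a known brand."""
    label = host.split(".")[-2]  # e.g. 'checkponit' from 'poster.checkponit.com'
    dist, brand = min((levenshtein(label, b), b) for b in BRANDS)
    return (brand, dist) if dist <= max_dist else None


def triage(b64: str) -> list[dict]:
    """Decode a config and annotate each C2 URL with a possible typosquat match."""
    rows = []
    for url in parse_config(b64):
        host = urlsplit(url).hostname
        rows.append({"url": url, "host": host, "lookalike": lookalike_brand(host)})
    return rows
```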

FINALDRAFT is a 64-bit backdoor written in C++ that focuses on data exfiltration and process injection. It supports several communication channels, one of which abuses the Outlook mail service through the Microsoft Graph API, a technique similar to the one Elastic Security Labs documented in a 2023 campaign involving SIESTAGRAPH. FINALDRAFT obtains its Microsoft Graph API token from https://login.microsoftonline.com/common/oauth2/token; the refresh token used in that request is stored in the malware's configuration.

Building refresh token request

Once the token has been refreshed, it is cached in the Registry under one of the following keys, depending on whether the process has Administrator rights:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UUID\<uuid_from_configuration>

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UUID\<uuid_from_configuration>

Then, the malware will perform:

  • Create a draft email if one does not exist

  • Read and delete command request email drafts created by the C2

  • Process commands

  • Write command response emails as drafts for each processed command

  • Repeat the above steps
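Because every step of that loop creates or deletes drafts that are never sent, mailbox audit data is a natural place to look for it. The added example below (not from the article or from Elastic) runs that idea over a constructed set of audit events: it pairs each draft creation with a later deletion of the same item, ignores items that were sent, and reports mailboxes with a burst of such short-lived drafts. The event tuple layout, the operation names and the thresholds are assumptions for the demo; map them to your own audit schema.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real logs: (timestamp, mailbox, operation, folder, item_id).
EVENTS = [
    ("2025-02-10T09:00:00", "alice@example.com", "Create",     "Drafts", "d1"),
    ("2025-02-10T09:00:20", "alice@example.com", "Create",     "Drafts", "d2"),
    ("2025-02-10T09:00:25", "alice@example.com", "HardDelete", "Drafts", "d1"),
    ("2025-02-10T09:01:00", "alice@example.com", "Create",     "Drafts", "d3"),
    ("2025-02-10T09:01:05", "alice@example.com", "HardDelete", "Drafts", "d3"),
    ("2025-02-10T09:02:00", "alice@example.com", "Create",     "Drafts", "d4"),
    ("2025-02-10T09:02:05", "alice@example.com", "HardDelete", "Drafts", "d4"),
    ("2025-02-10T10:00:00", "bob@example.com",   "Create",     "Drafts", "b1"),
    ("2025-02-10T10:30:00", "bob@example.com",   "Send",       "Drafts", "b1"),
]


def short_lived_drafts(events, max_age_s: int = 120) -> dict:
    """Map mailbox -> item ids of drafts created and deleted (never sent) within max_age_s."""
    created, sent = {}, set()
    result = defaultdict(list)
    for ts, mailbox, op, folder, item in sorted(events, key=lambda e: e[0]):
        if folder != "Drafts":
            continue
        if op == "Create":
            created[item] = (mailbox, datetime.fromisoformat(ts))
        elif op == "Send":
            sent.add(item)
        elif op in ("HardDelete", "SoftDelete") and item in created and item not in sent:
            owner, t_created = created[item]
            age = (datetime.fromisoformat(ts) - t_created).total_seconds()
            if age <= max_age_s:
                result[owner].append(item)
    return dict(result)


def suspicious_mailboxes(events, threshold: int = 3) -> list:
    """Mailboxes whose count of short-lived, never-sent drafts reaches the threshold."""
    hits = short_lived_drafts(events)
    return sorted(m for m, items in hits.items() if len(items) >= threshold)
```

A human who abandons a draft rarely deletes it within seconds, and never does so several times a minute; tune the window and threshold against your own baseline before alerting.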

FINALDRAFT has about 37 command handlers, most of them for process injection, file manipulation, and network proxying. It also collects information about the victim machine: computer name, username, internal and public IP addresses, and the list of running processes. The public IP address is obtained by querying IP lookup services.

With its process injection feature, the malware can inject into an already running process or spawn a hidden process to inject into, depending on the command parameters; typical targets are mspaint.exe and conhost.exe. The injected code can also create a Windows named pipe that is used to write and read data, create Outlook email drafts, and send data to the C2 server.

mspaint.exe process injection target

FINALDRAFT supports several C2 channels, including a named pipe, a TCP listener, and a UDP listener. Before starting the TCP listener it adds a rule to the Windows Firewall through the COM interfaces INetFwPolicy2 and INetFwRule, and removes the rule again when the machine shuts down. When a TCP connection is established, the malware sends the magic value "\x12\x34\xab\xcd\xff\xff\xcd\xab\x34\x12" and waits to receive the same value back before it starts sending data.
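That fixed 10-byte exchange is the kind of thing a network sensor can match on. The added example below (not from the article or from Elastic) reassembles the payload bytes of a TCP session per direction and reports a hit only when both sides open with the magic value; the session representation and the sample sessions are constructed for the demo.

```python
# Magic value quoted in the post, as raw bytes.
MAGIC = b"\x12\x34\xab\xcd\xff\xff\xcd\xab\x34\x12"

# Constructed sample sessions: lists of (direction, payload) in capture order,
# where "c2s" is client-to-server and "s2c" is server-to-client.
SESSION_HIT = [("c2s", MAGIC), ("s2c", MAGIC), ("c2s", b"\x00\x10" + b"A" * 16)]
SESSION_SPLIT = [("c2s", MAGIC[:4]), ("c2s", MAGIC[4:]), ("s2c", MAGIC)]
SESSION_HALF = [("c2s", MAGIC), ("s2c", b"\x00")]
SESSION_HTTP = [("c2s", b"GET / HTTP/1.1\r\n"), ("s2c", b"HTTP/1.1 200 OK\r\n")]


def reassemble(session) -> dict:
    """Concatenate payload bytes per direction so segmentation does not hide the magic."""
    streams = {}
    for direction, payload in session:
        streams[direction] = streams.get(direction, b"") + payload
    return streams


def finaldraft_handshake(session) -> bool:
    """True when both directions of the session start with the magic value.

    One side sending the value alone is not enough: the post describes the
    peer echoing the same bytes before any data flows, so a lone MAGIC (which
    could be a scanner or a coincidence) is not reported.
    """
    streams = reassemble(session)
    if len(streams) < 2:
        return False
    return all(stream.startswith(MAGIC) for stream in streams.values())


def scan(sessions: dict) -> list:
    """Return the ids of sessions that show the handshake, for triage."""
    return sorted(sid for sid, sess in sessions.items() if finaldraft_handshake(sess))
```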

The malware can also load additional modules, such as ipconfig.x64.dll (network reconnaissance), Psloader.x64.dll (PowerShell command execution), and pnt.x64.dll (a Pass-the-Hash toolkit used to steal NTLM hashes).

ELF variants of FINALDRAFT also exist, with C2 channels over HTTP/HTTPS, reverse UDP, ICMP, bind TCP, reverse TCP, DNS, and Outlook via the REST API and the Graph API. Their servers likewise use typosquatted names of well-known products such as VMware vSphere. The C2 server information is as follows:

support.vmphere.com
update.hobiter.com

This version can also execute commands via popen and is able to delete itself.

Recommendations

Researchers from Elastic Security Labs and FPT Threat Intelligence offer the following recommendations:

  • Implement monitoring measures to quickly detect malware attacks.

  • Establish rules to detect signs of unusual activity, such as process injection techniques, shellcode execution, and malware module injection into regular processes.

  • Update the IOCs below to prevent attacks in a timely manner.

IOC

  • PATHLOADER (SHA256): 9a11d6fcf76583f7f70ff55297fb550fed774b61f35ee2edd95cf6f959853bcf

  • FINALDRAFT sample (SHA256): 39e85de1b1121dc38a33eca97c41dbd9210124162c6d669d28480c833e059530

  • FINALDRAFT ELF variant (SHA256): 83406905710e52f6af35b4b3c27549a12c28a628c492429d3a411fdb2d28cc8c

  • Domain: poster.checkponit[.]com

  • Domain: support.fortineat[.]com

  • Domain: support.vmphere[.]com

  • Domain: update.hobiter[.]com
