
Outlook Mail Service Hijacked by FinalDraft Malware for Covert Communications


By WIRE TOR - Ethical Hacking Services · Published 11 months ago · 3 min read

A newly discovered malware family named FinalDraft uses Outlook email drafts as a covert command-and-control (C2) channel. Security researchers at Elastic Security Labs uncovered it while investigating attacks against the foreign ministry of a South American country. The intrusion set involves a custom loader named PathLoader, the FinalDraft backdoor and several post-exploitation utilities.

Because the drafts are created and read through Microsoft's Graph API, the C2 traffic goes to legitimate Microsoft 365 endpoints over HTTPS and blends in with normal mailbox activity. The drafts are never sent, so they never pass through mail transport or mail-flow logging, and they are deleted once consumed, which leaves defenders with few artifacts for forensic analysis and makes mitigation harder.

Attack Chain

The attack begins with the initial compromise of the target's system using PathLoader, a lightweight Windows executable whose only job is to retrieve shellcode from attacker-controlled infrastructure and execute it. That shellcode in turn loads and runs the FinalDraft backdoor.

PathLoader employs API hashing and string encryption to frustrate static analysis and signature-based detection. Once running, FinalDraft gives the operator data exfiltration, process injection and network proxying, among other capabilities.

Exploiting Outlook for Stealthy Communications

FinalDraft communicates through Microsoft's Graph API by reading and writing Outlook email drafts rather than sending mail. The process involves:

  • Obtaining an OAuth access token from Microsoft's identity platform by redeeming a refresh token embedded in the malware's configuration.
  • Caching that access token in the Windows Registry so the backdoor can reuse it on later runs instead of redeeming the refresh token every time.
  • Exchanging commands and results as draft messages whose subjects follow a fixed naming convention tied to a per-victim session identifier.
  • Command drafts carry the prefix r_ and response drafts the prefix p_. Once a command has been executed, the drafts are deleted, minimising the traces left in the mailbox.
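To make the mechanics concrete, here is an added simulation of the draft-based exchange. It is example code written for this page, not Elastic Security Labs' analysis tooling and not the malware itself: an in-memory FakeDraftsFolder stands in for the Graph API Drafts folder (no network, no token handling), the session-id format and the two benign handlers are assumptions, and the audit trail it keeps shows the Create/HardDelete pairs that mailbox auditing would later record.

```python
"""Simulation of FinalDraft-style C2 over Outlook drafts.

Added example for this page, not code from Elastic Security Labs or from the
malware. A FakeDraftsFolder replaces the Graph API Drafts folder, so nothing
touches the network or a real mailbox; the session-id format and the two
handlers are assumptions made for illustration.
"""
import itertools
import re
from dataclasses import dataclass

# Subject prefixes as described above: r_ carries an operator command,
# p_ carries the implant's reply. A per-victim session id ties the two together.
CMD_PREFIX, RESP_PREFIX = "r_", "p_"
SUBJECT_RE = re.compile(r"^([rp])_([0-9a-f]{8})$")  # assumed: 8 hex-char session id


@dataclass
class Draft:
    item_id: str
    subject: str
    body: str


class FakeDraftsFolder:
    """Stand-in for /me/mailFolders/drafts/messages: create, list, delete."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.items = {}   # item_id -> Draft, insertion-ordered
        self.audit = []   # (operation, subject): what mailbox auditing would record

    def create(self, subject, body):
        draft = Draft(f"AAMk{next(self._ids):04d}", subject, body)
        self.items[draft.item_id] = draft
        self.audit.append(("Create", subject))
        return draft

    def list(self, subject_prefix):
        return [d for d in self.items.values() if d.subject.startswith(subject_prefix)]

    def delete(self, item_id):
        draft = self.items.pop(item_id)
        self.audit.append(("HardDelete", draft.subject))


class Implant:
    """Victim side: poll for r_<session> drafts, run the handler, reply in p_<session>."""

    def __init__(self, folder, session_id):
        self.folder, self.session_id = folder, session_id
        # Two harmless stand-ins for the backdoor's 37 handlers.
        self.handlers = {
            "sysinfo": lambda arg: "host=lab-vm os=Windows",   # constant, no real lookup
            "echo": lambda arg: arg,
        }

    def poll(self):
        outputs = []
        for draft in self.folder.list(CMD_PREFIX + self.session_id):
            if not SUBJECT_RE.match(draft.subject):
                continue
            name, _, arg = draft.body.partition(" ")
            handler = self.handlers.get(name)
            output = handler(arg) if handler else f"unknown command: {name}"
            self.folder.create(RESP_PREFIX + self.session_id, output)
            self.folder.delete(draft.item_id)      # command draft removed once consumed
            outputs.append(output)
        return outputs


class Operator:
    """Attacker side: task the implant and collect replies, deleting both as it goes."""

    def __init__(self, folder, session_id):
        self.folder, self.session_id = folder, session_id

    def task(self, command):
        return self.folder.create(CMD_PREFIX + self.session_id, command)

    def collect(self):
        replies = []
        for draft in self.folder.list(RESP_PREFIX + self.session_id):
            replies.append(draft.body)
            self.folder.delete(draft.item_id)      # reply draft removed once read
        return replies


def run_exchange(commands, session_id="deadbeef"):
    """Drive one tasking round; returns (replies, audit trail, drafts left behind)."""
    folder = FakeDraftsFolder()
    operator, implant = Operator(folder, session_id), Implant(folder, session_id)
    for command in commands:
        operator.task(command)
    implant.poll()
    replies = operator.collect()
    return replies, folder.audit, len(folder.items)


if __name__ == "__main__":
    replies, audit, left = run_exchange(["sysinfo", "echo hello"])
    print(replies, "drafts left:", left)
    for operation, subject in audit:
        print(f"{operation:10} {subject}")
```

Running it with two commands leaves zero drafts behind: every command and reply draft has been removed by the time the round completes. The only durable evidence is the alternating sequence of Create and HardDelete operations on subjects that were never sent, which is the behaviour a defender has to key on rather than the mailbox contents.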

Capabilities of FinalDraft

FinalDraft exposes 37 command handlers, which let the operator carry out a wide range of malicious activity, including:

  • Data exfiltration: Extracting files, credentials and system information.
  • Process injection: Running payloads inside legitimate processes such as mspaint.exe.
  • Pass-the-Hash attacks: Authenticating to other systems with stolen NTLM hashes to move laterally.
  • Network proxying: Tunnelling attacker traffic through the compromised host.
  • File operations: Copying, deleting or modifying files.
  • PowerShell execution: Running PowerShell code in-process without spawning powershell.exe, which sidesteps detections keyed on that process name.

Linux Variant of FinalDraft

Elastic Security Labs has also discovered a Linux variant of FinalDraft, whose communication options extend well beyond Outlook. This version can use:

  • REST API and Microsoft Graph API for Outlook-draft-based C2.
  • HTTP/HTTPS, reverse UDP and ICMP, bind/reverse TCP, and DNS-based C2 channels.

This cross-platform capability increases the malware’s versatility and potential impact across different operating systems.

Operational Overview of FinalDraft

Elastic Security Labs tracks this activity as the cyber-espionage campaign REF7707. While the primary target appears to be a South American foreign ministry, further analysis links the same tooling and infrastructure to victims in Southeast Asia, pointing to a broader, likely state-sponsored operation.

One notable aspect of REF7707 is the attackers’ operational security (OpSec) mistakes. Despite the sophistication of the attack, researchers identified misconfigurations and exposed infrastructure that provided insight into the malware’s origin and capabilities.

Discovery of GuidLoader

During the investigation, researchers uncovered another previously undocumented malware loader named GuidLoader. This loader is designed to decrypt and execute payloads entirely in memory, further reducing forensic artifacts.

Infrastructure and Targeting

Elastic Security Labs identified a recurring pattern of high-value institutions being reached through compromised endpoints in Southeast Asia. These included:

  • Telecommunications and internet infrastructure providers, suggesting a focus on gaining broad network access.
  • A Southeast Asian university's public-facing storage system, which was used to host malware payloads. This implies that the university's storage had already been compromised, either as a target in its own right or as a staging point for delivering payloads to other victims.

Detection and Mitigation

To aid defenders, Elastic Security Labs has released YARA rules for detecting GuidLoader, PathLoader, and FinalDraft. These rules help identify malicious activity associated with these malware components and facilitate timely response and mitigation efforts.

Recommendations for Defense

Organizations, particularly those handling sensitive government or institutional data, should consider the following measures to reduce the risk and impact of a FinalDraft infection:

  • Monitor Microsoft Graph API and mailbox activity for unusual patterns: refresh-token redemptions from hosts or IP ranges that do not normally use the tenant, mail access through non-Outlook clients, and mailboxes where drafts are created and hard-deleted in quick succession without ever being sent.
  • Harden authentication with multi-factor authentication (MFA) and Conditional Access, and be ready to revoke a compromised user's refresh tokens and sign-in sessions. MFA alone does not help once an attacker already holds a valid refresh token, so revocation is the control that actually cuts off the channel.
  • Hunt for OAuth tokens cached outside the expected token stores, for example registry values under the current-user hive that contain bearer tokens, and treat such writes by unexpected processes as an investigation lead.
  • Deploy endpoint detection and response (EDR) tooling to catch process injection into hosts such as mspaint.exe, in-process PowerShell execution and unexpected outbound connections.
  • Apply the YARA rules published by Elastic Security Labs to detect FinalDraft, PathLoader and GuidLoader on disk and in memory, and feed any matches into the incident response process.
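The draft-churn signal from the first recommendation can be hunted for in mailbox audit data. The script below is an added detection example written for this page, not from Elastic Security Labs or the original article. Its records are constructed and flattened to five fields (timestamp, mailbox, operation, client string, subject); real Unified Audit Log entries nest the subject under AffectedItems and carry many more fields, so the parse() step would need adapting to a real export, and the r_/p_ session-id length is an assumption.

```python
"""Hunting for draft create/delete churn in mailbox audit records.

Added detection example for this page, not from Elastic Security Labs or the
original article. The records are constructed and flattened to five fields;
real Unified Audit Log entries nest the subject under AffectedItems and carry
many more fields, so adapt parse() to your export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# r_/p_ prefixes as described above; the hex session-id length is an assumption.
SUSPECT_SUBJECT = re.compile(r"^[rp]_[0-9a-f]{6,}$")
CHURN_WINDOW = timedelta(minutes=10)   # a draft that lives this briefly was never meant to be sent
MIN_PAIRS = 3                          # churn volume before we alert regardless of subject

# Constructed sample: (timestamp, mailbox, operation, ClientInfoString, subject).
SAMPLE_RECORDS = [
    # Three tasking rounds through a Graph/REST client; every draft is deleted within seconds.
    ("2025-02-10T08:00:01", "user@ministry.example", "Create", "Client=REST;Client=RESTSystem;", "r_deadbeef"),
    ("2025-02-10T08:00:04", "user@ministry.example", "Create", "Client=REST;Client=RESTSystem;", "p_deadbeef"),
    ("2025-02-10T08:00:05", "user@ministry.example", "HardDelete", "Client=REST;Client=RESTSystem;", "r_deadbeef"),
    ("2025-02-10T08:00:20", "user@ministry.example", "HardDelete", "Client=REST;Client=RESTSystem;", "p_deadbeef"),
    ("2025-02-10T08:05:01", "user@ministry.example", "Create", "Client=REST;Client=RESTSystem;", "r_deadbeef"),
    ("2025-02-10T08:05:03", "user@ministry.example", "Create", "Client=REST;Client=RESTSystem;", "p_deadbeef"),
    ("2025-02-10T08:05:04", "user@ministry.example", "HardDelete", "Client=REST;Client=RESTSystem;", "r_deadbeef"),
    ("2025-02-10T08:05:30", "user@ministry.example", "HardDelete", "Client=REST;Client=RESTSystem;", "p_deadbeef"),
    ("2025-02-10T08:10:01", "user@ministry.example", "Create", "Client=REST;Client=RESTSystem;", "r_deadbeef"),
    ("2025-02-10T08:10:02", "user@ministry.example", "Create", "Client=REST;Client=RESTSystem;", "p_deadbeef"),
    ("2025-02-10T08:10:03", "user@ministry.example", "HardDelete", "Client=REST;Client=RESTSystem;", "r_deadbeef"),
    ("2025-02-10T08:10:45", "user@ministry.example", "HardDelete", "Client=REST;Client=RESTSystem;", "p_deadbeef"),
    # A normal user: a draft kept for hours, then discarded from Outlook on the web.
    ("2025-02-10T09:00:00", "alice@ministry.example", "Create", "Client=OWA;Action=ViaProxy;", "Meeting notes"),
    ("2025-02-10T12:30:00", "alice@ministry.example", "HardDelete", "Client=OWA;Action=ViaProxy;", "Meeting notes"),
    # Another normal user: two quickly abandoned drafts, below the churn threshold.
    ("2025-02-10T10:00:00", "bob@ministry.example", "Create", "Client=OWA;Action=ViaProxy;", "Re: budget"),
    ("2025-02-10T10:01:00", "bob@ministry.example", "HardDelete", "Client=OWA;Action=ViaProxy;", "Re: budget"),
    ("2025-02-10T10:02:00", "bob@ministry.example", "Create", "Client=OWA;Action=ViaProxy;", "lunch?"),
    ("2025-02-10T10:02:30", "bob@ministry.example", "HardDelete", "Client=OWA;Action=ViaProxy;", "lunch?"),
]


def parse(record):
    """Turn one flattened record into typed fields; replace for a real export."""
    ts, mailbox, operation, client, subject = record
    return datetime.fromisoformat(ts), mailbox, operation, client, subject


def find_draft_churn(records, window=CHURN_WINDOW, min_pairs=MIN_PAIRS):
    """Pair each draft Create with the next delete of the same subject in the same
    mailbox; short-lived pairs are 'churn'. Alert on a mailbox when any churned
    subject matches the r_/p_ convention, or when churn volume alone is abnormal."""
    pending = defaultdict(list)    # (mailbox, subject) -> [(created_at, client)]
    churn = defaultdict(list)      # mailbox -> [(subject, lifetime_seconds, client)]
    for ts, mailbox, op, client, subject in sorted(map(parse, records)):
        key = (mailbox, subject)
        if op == "Create":
            pending[key].append((ts, client))
        elif op in ("HardDelete", "SoftDelete") and pending[key]:
            created_at, create_client = pending[key].pop(0)
            if ts - created_at <= window:
                churn[mailbox].append((subject, (ts - created_at).total_seconds(), create_client))
    alerts = {}
    for mailbox, pairs in churn.items():
        prefixed = sum(1 for subject, _, _ in pairs if SUSPECT_SUBJECT.match(subject))
        via_rest = sum(1 for _, _, client in pairs if "Client=REST" in client)
        if prefixed or len(pairs) >= min_pairs:
            alerts[mailbox] = {"pairs": len(pairs), "prefixed_subjects": prefixed, "rest_client": via_rest}
    return alerts


if __name__ == "__main__":
    for mailbox, detail in find_draft_churn(SAMPLE_RECORDS).items():
        print(mailbox, detail)
```

Two caveats matter in practice. The subject-prefix signal is trivially evaded by a rebuilt sample, so the volume-based signal (many drafts created and deleted within minutes, through an API client rather than Outlook) is the one to keep tuned. And mailbox auditing does not necessarily record every owner action by default; before relying on this hunt, confirm that Create is among the audited owner actions for the mailboxes in scope, otherwise the Create half of each pair will simply be absent.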

Conclusion

The discovery of FinalDraft and its stealthy abuse of Outlook drafts underscores the increasing sophistication of modern cyber-espionage campaigns. By leveraging legitimate Microsoft services for covert communication, attackers can evade detection and persist within networks for extended periods. Organizations must stay vigilant, adopt proactive threat-hunting strategies, and utilize the latest security intelligence to defend against such threats.

As cyber threats continue to evolve, the findings from Elastic Security Labs highlight the importance of continuous monitoring, adaptive security postures, and timely threat intelligence sharing to counter advanced persistent threats (APTs) like REF7707.


About the Creator

WIRE TOR - Ethical Hacking Services

WIRE TOR is a cyber intelligence company that provides pentesting services and cybersecurity news covering IT, web, mobile (iOS, Android), API, cloud, IoT, network, application and system security, red teaming, social engineering, wireless and source code review.


    © 2026 Creatd, Inc. All Rights Reserved.