
FinalDraft is a backdoor attributed to the intrusion set tracked as REF7707, which conducted a cyber-espionage campaign against government, telecommunications and academic targets in South America and Southeast Asia. Below is a summary of the campaign, the techniques it used, and its impact.
Overview of REF7707 Campaign
Targets and Scope
The REF7707 campaign primarily targeted:
- Foreign Ministry of an Unnamed South American Country: a source of diplomatic and political reporting.
- Telecommunications Entity in Southeast Asia: a position inside a carrier's networks.
- University in Southeast Asia: academic and research data.
Initial Access and Deployment
PathLoader: The Initial Entry Point
The first stage observed on compromised hosts is PathLoader, a small custom loader. It downloads encrypted shellcode from attacker-controlled infrastructure, decrypts it and executes it; that shellcode carries the FinalDraft backdoor, which is thereby deployed on the host.
Communication Mechanism
Microsoft Graph API for Stealthy C2
FinalDraft uses the Microsoft Graph API as its command-and-control (C2) channel. All of its traffic is HTTPS to Microsoft's own endpoints (graph.microsoft.com and the login service), which most organizations must allow for Microsoft 365 to work, so proxy and IDS rules that key on destination see nothing unusual. Because the operators and the implant exchange data through mail drafts, no message is ever sent: transport rules, outbound DLP and mail-flow logs never see the channel. The exchange works as follows:
- Commands in email drafts: the operators create a draft whose subject begins with r_ and whose body carries the command; the implant polls the Drafts folder and retrieves it.
- Responses in new drafts: the implant executes the command and writes the output to a new draft whose subject begins with p_, which the operators then read.
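The round trip described above, as an added simulation that is not FinalDraft's code and touches no real API. DraftsFolder is an in-memory stand-in for the Graph API Drafts folder (list, create and delete messages); the r_ and p_ subject prefixes are the ones reported for FinalDraft, while the session id, the command names, the base64 body encoding and the deletion of consumed drafts are constructed assumptions. The folder records every operation it sees, because that list, create, delete rhythm is what a mailbox audit log would show a defender.

```python
"""Simulation of the draft-based command channel described above.

Added illustration, not FinalDraft's code. DraftsFolder is an in-memory
stand-in for the Graph API Drafts folder; the 'r_' / 'p_' subject prefixes
are the reported ones, everything else (session id, commands, base64 bodies,
deletion of consumed drafts) is a constructed assumption.
"""
import base64
import json
import uuid
from dataclasses import dataclass, field


@dataclass
class Draft:
    subject: str
    body: str
    id: str = field(default_factory=lambda: uuid.uuid4().hex)


class DraftsFolder:
    """Stand-in for the mailbox. Records every operation, because that
    sequence is what a mailbox audit log or Graph activity log would show."""

    def __init__(self):
        self._drafts = {}
        self.ops = []

    def list(self, prefix):
        self.ops.append(("LIST", prefix))
        return [d for d in self._drafts.values() if d.subject.startswith(prefix)]

    def create(self, subject, body):
        d = Draft(subject, body)
        self._drafts[d.id] = d
        self.ops.append(("CREATE", subject))
        return d

    def delete(self, draft_id):
        self.ops.append(("DELETE", self._drafts.pop(draft_id).subject))

    def __len__(self):
        return len(self._drafts)


def operator_task(folder, session, cmd, args=()):
    """Operator side: queue a command as a draft with subject r_<session>."""
    body = base64.b64encode(json.dumps({"cmd": cmd, "args": list(args)}).encode())
    return folder.create(f"r_{session}", body.decode())


def _run(cmd, args):
    """Constructed stand-in for the implant's command handlers."""
    if cmd == "hostname":
        return "WS-FINANCE-07"                             # constructed output
    if cmd == "ls":
        return "\n".join(["budget.xlsx", "notes.docx"])   # constructed output
    return f"unknown command: {cmd}"


def implant_poll(folder, session):
    """Implant side: read r_ drafts, run them, answer in p_ drafts,
    and delete the consumed task so the folder stays empty (assumption)."""
    executed = []
    for task in folder.list(f"r_{session}"):
        req = json.loads(base64.b64decode(task.body))
        out = _run(req["cmd"], req["args"])
        folder.create(f"p_{session}", base64.b64encode(out.encode()).decode())
        folder.delete(task.id)
        executed.append(req["cmd"])
    return executed


def operator_collect(folder, session):
    """Operator side: read p_ drafts and delete them once read."""
    outputs = []
    for resp in folder.list(f"p_{session}"):
        outputs.append(base64.b64decode(resp.body).decode())
        folder.delete(resp.id)
    return outputs


def run_exchange():
    """One full round trip: what ran, what came back, leftover drafts,
    and the operation sequence the mailbox saw."""
    folder, session = DraftsFolder(), "a1b2c3"
    operator_task(folder, session, "hostname")
    operator_task(folder, session, "ls", ["C:\\Users\\Public"])
    executed = implant_poll(folder, session)
    outputs = operator_collect(folder, session)
    return executed, outputs, len(folder), folder.ops


if __name__ == "__main__":
    ran, got, left, ops = run_exchange()
    print(ran, got, left)
    for op in ops:
        print(*op)
```

The point to take from the operation log is that nothing is ever sent: the whole exchange is folder listings, draft creations and deletions, which is why mail-flow controls do not see it and why mailbox and Graph activity logs are the place to look.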
Capabilities of FinalDraft
Data Exfiltration
FinalDraft can collect and exfiltrate data from the compromised host, including documents, credentials and whatever other material the operators request, returning it to them through its C2 channel.
Process Injection
The malware can inject code into legitimate running processes, so that its network activity and other behaviour are attributed to a trusted process rather than to an unknown binary. This hampers security software that keys on process reputation or on which process is making network connections.
Network Proxying
FinalDraft can turn the compromised host into a proxy, tunnelling the operators' traffic into the internal network. Systems that are not exposed to the internet become reachable from a host that is already trusted inside the perimeter, which supports lateral movement without the operators needing a second foothold.
Lateral Movement
The malware also has dedicated commands for moving to other hosts, so a single infected machine can become the starting point for a wider compromise of the target's infrastructure.
Persistence Mechanism
OAuth Token for Continued Access
FinalDraft's configuration embeds an OAuth refresh token, which means a token for an account the attackers already hold, and it exchanges that refresh token with Microsoft's login service for an access token whenever it needs one. The access token is cached in the Windows Registry, so after a reboot or logoff the implant can resume the mailbox channel without a fresh authentication. Note that this is persistence of the C2 session rather than of the code itself: the cached token keeps the channel alive, it does not by itself relaunch the implant.
Linux Variant
Expanded Platform Coverage
Elastic Security Labs also discovered a Linux variant of FinalDraft, extending the toolset to Linux servers and appliances. The variant supports several C2 transports, including:
- Outlook via REST API and Graph API: Similar to the Windows variant, it uses email drafts for stealthy C2 communication.
- HTTP/HTTPS and Reverse UDP & ICMP: These methods allow for versatile network communication.
- Bind/Reverse TCP: This enables the establishment of direct communication channels with the attacker’s infrastructure.
- DNS-based C2 Exchange: Using DNS for command-and-control traffic to further evade detection.
Impact and Risks
Potential Consequences
The successful deployment and execution of FinalDraft malware can lead to several severe consequences, including:
- Espionage: Unauthorized access to sensitive political, military, and economic information.
- Network Disruption: Manipulation or shutdown of critical network components.
- Data Breach: Exfiltration of sensitive data, including personal information, research data, and proprietary information.
Mitigation Measures
To protect against FinalDraft and similar threats, organizations should implement the following best practices:
1. Apply Security Patches
Keep all software, including Microsoft products, current with security updates. This is general hygiene rather than a fix for a FinalDraft-specific flaw: the loader and backdoor described above are run by an intruder who already has code execution, and unpatched software is the commonest way to obtain that initial foothold.
2. Implement Network Segmentation
Segment the network so that workstations cannot reach servers and management interfaces at will, and restrict egress so that only hosts with a business need can reach Microsoft 365 endpoints (most servers have none). Segmentation limits how far FinalDraft's proxying and lateral-movement commands can take an operator from a single infected host.
3. Enable Monitoring and Alerts
Monitor host and proxy telemetry, not only network signatures. Useful alerts for this family: processes other than mail clients and browsers connecting to graph.microsoft.com or outlook.office.com; Drafts-folder operations (list, create, delete) recurring at fixed intervals from one host; and, for the Linux variant, unexpected ICMP or DNS volumes from servers. An IDS alone will not flag the Windows implant, because its traffic is legitimate TLS to Microsoft.
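The alerts above, as an added detection example run over constructed telemetry; this is not an Elastic or vendor rule. The log lines are constructed (a workstation ws07 with an invented updater.exe polling the Drafts folder beside normal Outlook, Edge and Teams traffic), and the process allowlists are assumptions to be tuned for a given estate. The Graph paths used for drafts are the real ones: the folder is listed with GET /me/mailFolders/drafts/messages, a draft is created with POST /me/messages and removed with DELETE /me/messages/{id}.

```python
"""Detection logic for the Graph-drafts channel, run over constructed telemetry.

Added example, not an Elastic or vendor rule. SAMPLE_LOG is constructed
(host 'ws07' and process 'updater.exe' are invented); the allowlists are
assumptions to be tuned per estate.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Hosts that carry Microsoft 365 mail / Graph traffic.
API_HOSTS = {"graph.microsoft.com", "outlook.office.com"}
# Processes expected to talk to those hosts at all (assumption, tune locally).
GRAPH_ALLOWLIST = {"outlook.exe", "msedge.exe", "chrome.exe", "teams.exe", "onedrive.exe"}
# Processes expected to touch the Drafts folder specifically.
MAIL_CLIENTS = {"outlook.exe"}

# Constructed egress records: "<time> <host> <process> <method> <url>".
SAMPLE_LOG = """\
2025-02-13T09:00:01Z ws07 OUTLOOK.EXE GET https://graph.microsoft.com/v1.0/me/mailFolders/inbox/messages
2025-02-13T09:00:05Z ws07 updater.exe POST https://login.microsoftonline.com/common/oauth2/v2.0/token
2025-02-13T09:00:06Z ws07 updater.exe GET https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages
2025-02-13T09:00:36Z ws07 updater.exe GET https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages
2025-02-13T09:00:37Z ws07 updater.exe POST https://graph.microsoft.com/v1.0/me/messages
2025-02-13T09:00:38Z ws07 updater.exe DELETE https://graph.microsoft.com/v1.0/me/messages/AAMkADconstructedId
2025-02-13T09:01:06Z ws07 updater.exe GET https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages
2025-02-13T09:02:00Z ws12 msedge.exe GET https://graph.microsoft.com/v1.0/me/drive/root/children
2025-02-13T09:02:30Z ws12 Teams.exe GET https://graph.microsoft.com/v1.0/me/presence
2025-02-13T09:03:00Z ws12 curl.exe GET https://example.com/health
"""


def parse_line(line):
    ts, host, proc, method, url = line.split(" ", 4)
    u = urlparse(url)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "host": host, "proc": proc.lower(), "method": method,
        "api_host": u.netloc, "path": u.path,
    }


def touches_drafts(rec):
    """Listing the Drafts folder, or creating / deleting messages (a draft is
    created with POST /me/messages and removed with DELETE /me/messages/{id})."""
    p = rec["path"]
    return "/mailFolders/drafts" in p or (rec["method"] in {"POST", "DELETE"} and "/me/messages" in p)


def detect(log_text, min_polls=3, jitter_s=5):
    """Return (rule, host, process, detail) findings for the given records."""
    findings = []
    polls = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        if r["api_host"] not in API_HOSTS:
            continue                          # not Microsoft 365 traffic, ignore
        if r["proc"] not in GRAPH_ALLOWLIST:
            findings.append(("unexpected_graph_client", r["host"], r["proc"], r["path"]))
        if touches_drafts(r) and r["proc"] not in MAIL_CLIENTS:
            findings.append(("drafts_from_non_mail_client", r["host"], r["proc"],
                             f"{r['method']} {r['path']}"))
        if r["method"] == "GET" and "/mailFolders/drafts" in r["path"]:
            polls[(r["host"], r["proc"])].append(r["ts"])
    # Beaconing: repeated Drafts listings at a near-constant interval.
    for (host, proc), times in polls.items():
        if len(times) < min_polls:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter_s:
            findings.append(("periodic_drafts_polling", host, proc,
                             f"{len(times)} polls, ~{sum(gaps) / len(gaps):.0f}s apart"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(*f)
```

The first two rules fire on single records and are cheap to run on proxy logs with process attribution (or on EDR network events); the third needs a small window of history per host and process, which is what catches an implant that has injected into a process you chose to allowlist, since a mail client does not list its own Drafts folder every thirty seconds.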
4. Use Multi-Factor Authentication (MFA)
Require MFA for remote access and administrative interfaces. MFA does not affect the Graph channel itself, since the implant authenticates with the attackers' own refresh token; its value here is in hardening the paths an intruder must take before a loader such as PathLoader can be run, and in protecting the accounts a lateral-movement command would try to use.
Final Thoughts
The discovery of FinalDraft highlights the evolving nature of cyber threats and the importance of robust cybersecurity measures. By understanding the techniques used by threat actors like REF7707 and implementing best practices, organizations can mitigate the risks associated with sophisticated malware and protect their sensitive information.
For the full technical analysis, refer to the Elastic Security Labs blog post.