2025-02-25 21:37:37 Pacfic
FinalDraft Malware Uses Outlook Drafts for C2 - 11d
A new malware family, dubbed FinalDraft, has been discovered using Microsoft Outlook drafts for command-and-control (C2) communication. This covert method allows the malware to blend into typical Microsoft 365 traffic, making it harder to detect. The malware has been used in attacks against a ministry in a South American country and was identified by Elastic Security Labs during an investigation into the REF7707 intrusion set.
The FinalDraft toolkit includes a loader, named PathLoader, a backdoor, and multiple submodules. PathLoader is a lightweight Windows PE executable that downloads AES-encrypted shellcode from attacker-controlled infrastructure, decrypts it, and executes it in memory, avoiding static analysis through API hashing and obfuscation. FinalDraft itself is a 64-bit malware written in C++ focused on data exfiltration and process injection, exploiting Outlook's mail drafts as a C2 channel. The malware creates session draft emails, reads and deletes command request drafts generated by the attackers, executes commands, and writes responses as draft emails.
ImgSrc: mnwa9ap4czgf-u1335.pressidiumcdn.com
References:
- cyberinsider.com - Elastic Security Labs has identified a new malware family named FinalDraft, that uses Microsoft’s Graph API to communicate through Outlook email drafts, allowing attackers to bypass traditional - 11d
- @VirusBulletin - infosec.exchange post on finaldraft - 11d
- The Hacker News - FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux - 11d
- @BleepingComputer - A new malware called FinalDraft has been using Outlook email drafts for command-and-control communication in attacks against a ministry in a South American country. - 8d
- Malware Archives ? Cybersecurity News - SecurityOnline article detailing how FinalDraft malware uses Outlook drafts for covert communication. - 8d
- www.bleepingcomputer.com - BleepingComputer news article on FinalDraft malware abusing Outlook email drafts for command-and-control. - 8d
- securityonline.info - In a recent investigation into the REF7707 intrusion set, Elastic Security Labs has identified a new malware family The post appeared first on . - 8d
- @youranonriots - A new malware called FinalDraft has been using email drafts for command-and-control communication in attacks against a ministry in a South American country. - 6d
Classification:
- HashTags: FinalDraftMalware MicrosoftOutlook StealthyCommunication
- Company:
- Target: South American ministry
- Attacker:
- Product: Microsoft Outlook
- Feature:
- Type: Malware
- Severity: Medium