CyberSecurity news
@cyberinsider.com
A new malware family, dubbed FinalDraft, has been discovered using Microsoft Outlook drafts for command-and-control (C2) communication. This covert method allows the malware to blend into typical Microsoft 365 traffic, making it harder to detect. The malware has been used in attacks against a ministry in a South American country and was identified by Elastic Security Labs during an investigation into the REF7707 intrusion set.
The FinalDraft toolkit consists of a loader named PathLoader, the FinalDraft backdoor, and multiple submodules. PathLoader is a lightweight Windows PE executable that downloads AES-encrypted shellcode from attacker-controlled infrastructure, decrypts it, and executes it in memory; it hides its imports through API hashing and obfuscation to frustrate static analysis. FinalDraft itself is a 64-bit backdoor written in C++, focused on data exfiltration and process injection, that abuses Outlook mail drafts, reached through the Microsoft Graph API, as its C2 channel. The implant creates a session draft, reads and deletes the command-request drafts placed in the mailbox by the operators, executes the commands, and writes the output back as new drafts. Nothing is ever sent: the whole exchange is a series of authenticated requests to Microsoft's own API, so it does not stand out from legitimate Microsoft 365 traffic, and detection depends on mailbox-side telemetry (drafts created and deleted in quick succession, never sent) rather than on outbound network signatures.
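Both sides of the drafts-based exchange described above, followed by the mailbox-side check a defender would run against it, as an added Python example (not code from Elastic Security Labs, FinalDraft, or any of the sources cited here). The in-memory Mailbox stands in for the Graph API calls a real implant would make to create, list and delete drafts; the s_/r_/p_ subject prefixes, the command set, the timings and the sample mail are assumptions constructed for illustration.

```python
"""Simulated drafts-folder C2 round-trip plus a mailbox-side detector.
Added example, not code from Elastic Security Labs or FinalDraft: Mailbox is
an offline stand-in for the Graph API calls the scheme needs (create draft,
list drafts, delete message); the s_/r_/p_ subject prefixes, command set and
timeline are assumptions constructed for illustration."""
import itertools
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Draft:
    id: str
    subject: str
    body: str
    created: float

class Mailbox:
    """In-memory Drafts folder plus an audit trail of (event, subject, timestamp)."""
    def __init__(self):
        self._ids, self.drafts, self.audit = itertools.count(1), {}, []

    def create_draft(self, subject, body, ts):
        d = Draft(str(next(self._ids)), subject, body, ts)
        self.drafts[d.id] = d
        self.audit.append(("Create", subject, ts))
        return d.id

    def list_drafts(self, prefix):
        return [d for d in self.drafts.values() if d.subject.startswith(prefix)]

    def delete_draft(self, draft_id, ts):
        self.audit.append(("Delete", self.drafts.pop(draft_id).subject, ts))

    def send_draft(self, draft_id, ts):  # normal user behaviour: the draft gets sent
        self.audit.append(("Send", self.drafts.pop(draft_id).subject, ts))

# Stand-ins for the backdoor's submodules; outputs are constructed sample data.
HANDLERS = {"hostname": lambda: "WS-FINANCE-07",
            "whoami": lambda: "ministry\\analyst",
            "ls": lambda: "report.docx budget.xlsx"}

def operator_queue(mb, sid, cmd, ts):
    """Operator side: a command request is a draft with an r_<session> subject."""
    return mb.create_draft(f"r_{sid}", cmd, ts)

def implant_checkin(mb, sid, ts):
    """Implant side: one beacon cycle following the lifecycle described in the text."""
    if not mb.list_drafts(f"s_{sid}"):
        mb.create_draft(f"s_{sid}", "session", ts)       # session draft, created once
    executed = []
    for req in mb.list_drafts(f"r_{sid}"):
        mb.delete_draft(req.id, ts)                      # consume the request
        cmd = req.body.strip()
        output = HANDLERS.get(cmd, lambda: f"unknown command: {cmd}")()
        mb.create_draft(f"p_{sid}", f"{cmd}\n{output}", ts)   # response as a new draft
        executed.append(cmd)
    return executed

def operator_collect(mb, sid, ts):
    """Operator side: read response drafts, then delete them."""
    results = {}
    for resp in mb.list_drafts(f"p_{sid}"):
        cmd, _, out = resp.body.partition("\n")
        results[cmd] = out
        mb.delete_draft(resp.id, ts)
    return results

def flag_draft_only_c2(audit, max_age=120.0, min_cycles=3):
    """Flag subject families whose drafts are repeatedly created, deleted within
    max_age seconds and never sent; hex-looking tokens are normalised so that
    per-session identifiers collapse into one family."""
    family = lambda s: re.sub(r"[0-9a-f]{4,}", "<id>", s)
    pending, cycles, sent = defaultdict(list), defaultdict(int), set()
    for event, subject, ts in sorted(audit, key=lambda e: e[2]):
        k = family(subject)
        if event == "Create":
            pending[k].append(ts)
        elif event == "Delete" and pending[k] and ts - pending[k].pop(0) <= max_age:
            cycles[k] += 1
        elif event == "Send":
            sent.add(k)
    return sorted(k for k, n in cycles.items() if n >= min_cycles and k not in sent)

def simulate(sid="7a3f9c2e"):
    """Constructed timeline: one benign sent mail, then three C2 cycles 60 s apart."""
    mb = Mailbox()
    mb.send_draft(mb.create_draft("Re: budget meeting", "see attached", 0.0), 600.0)
    results = {}
    for i, cmd in enumerate(["hostname", "whoami", "ls"]):
        t = 1000.0 + 60 * i
        operator_queue(mb, sid, cmd, t)
        implant_checkin(mb, sid, t + 5)
        results.update(operator_collect(mb, sid, t + 10))
    return mb, results

if __name__ == "__main__":
    mailbox, out = simulate()
    print(out, "flagged:", flag_draft_only_c2(mailbox.audit))
```

The detector keys on exactly what the text singles out: drafts that appear and disappear in quick succession and are never sent, while the one benign draft (created, then sent) is left alone. In a real tenant the same signal comes from mailbox audit events rather than an in-memory list, and the window and cycle threshold would be tuned against the baseline draft activity of the mailboxes being watched.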
References:
- cyberinsider.com: Elastic Security Labs has identified a new malware family named FinalDraft that uses Microsoft's Graph API to communicate through Outlook email drafts, allowing attackers to bypass traditional network monitoring.
- Virus Bulletin: infosec.exchange post on FinalDraft.
- The Hacker News: FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux.
- BleepingComputer: A new malware called FinalDraft has been using Outlook email drafts for command-and-control communication in attacks against a ministry in a South American country.
- securityonline.info: In a recent investigation into the REF7707 intrusion set, Elastic Security Labs has identified a new malware family, FinalDraft, that uses Outlook drafts for covert communication.
- Anonymous: A new malware called FinalDraft has been using email drafts for command-and-control communication in attacks against a ministry in a South American country.
Classification:
- HashTags: #FinalDraftMalware #MicrosoftOutlook #StealthyCommunication
- Target: South American ministry
- Product: Microsoft Outlook
- Malware: FinalDraft
- Type: Malware
- Severity: Medium