Elastic Security Labs has uncovered a new malware strain, named FINALDRAFT, that exploits Microsoft Outlook and the Microsoft Graph API for covert command-and-control (C2) communications.
This advanced malware, discovered during an investigation into a foreign ministry breach, represents a growing trend of cybercriminals abusing legitimate cloud services to mask malicious activities.
The campaign, attributed to the threat cluster REF7707, highlights the increasing sophistication of espionage-oriented cyber threats.
Technical Details of FINALDRAFT
FINALDRAFT is a 64-bit remote administration tool (RAT) written in C++ and deployed alongside a custom loader, PATHLOADER.
[Figure: PATHLOADER & FINALDRAFT execution diagram]
The loader retrieves encrypted shellcode from external infrastructure, which is decrypted and executed to initiate the malware.
Once operational, FINALDRAFT uses the Microsoft Graph API to interact with Outlook’s draft email folder for C2 purposes.
Commands are received via email drafts created by the attackers, while responses are sent back as new drafts, effectively bypassing traditional email monitoring mechanisms.
The malware boasts 37 command handlers that enable a wide range of malicious activities, including process injection, file manipulation, and network proxying.
It also supports advanced techniques such as executing PowerShell commands without invoking “powershell.exe” and leveraging stolen NTLM hashes for lateral movement across networks.
To evade detection, FINALDRAFT employs obfuscation methods like string encryption and API hashing.
Abuse of Microsoft Graph API
The Microsoft Graph API provides developers with seamless access to various Microsoft 365 services, including Outlook and OneDrive.
Cybercriminals have increasingly exploited this API due to its integration with legitimate services, enabling them to blend malicious activities with normal traffic.
In FINALDRAFT’s case, OAuth tokens are used to authenticate with the Graph API, establishing persistent communication through email drafts.
This technique is not unique; similar abuse has been observed in previous malware campaigns like SIESTAGRAPH and BirdyClient.
Such tactics complicate detection efforts as they leverage trusted cloud services for malicious purposes.
Elastic Security Labs also identified a Linux variant of FINALDRAFT, indicating cross-platform capabilities.
While less feature-rich than its Windows counterpart, the Linux version supports multiple C2 transport protocols such as HTTP/HTTPS, reverse UDP, and Outlook via the Graph API.
This suggests ongoing development aimed at expanding its operational reach.
The discovery of FINALDRAFT underscores the evolving nature of cyber threats that exploit legitimate APIs for espionage.
Organizations are urged to implement robust defenses against such attacks by:
- Monitoring anomalous activity in email drafts and OAuth token usage.
- Enforcing strict access controls for cloud services.
- Deploying advanced endpoint detection tools capable of identifying obfuscated malware behavior.
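As an added illustration of the first mitigation (this is not code from Elastic's report or from FINALDRAFT), the Python below scans mailbox audit records for the pattern the article describes: an unrecognised OAuth application creating a burst of drafts that are never sent. The record format, field names and app ids are constructed assumptions, not a real Microsoft log schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mailbox audit records (field names are an assumption, not a real
# Microsoft schema): "op" is the mailbox operation, "app_id" the OAuth app.
SAMPLE_LOG = """
{"ts": "2025-02-13T09:00:05Z", "user": "alice@example.org", "op": "Create", "folder": "Drafts", "app_id": "app-outlook"}
{"ts": "2025-02-13T09:01:10Z", "user": "alice@example.org", "op": "Send", "folder": "Drafts", "app_id": "app-outlook"}
{"ts": "2025-02-13T09:02:00Z", "user": "bob@example.org", "op": "Create", "folder": "Drafts", "app_id": "app-unknown-1"}
{"ts": "2025-02-13T09:02:30Z", "user": "bob@example.org", "op": "Create", "folder": "Drafts", "app_id": "app-unknown-1"}
{"ts": "2025-02-13T09:03:00Z", "user": "bob@example.org", "op": "Create", "folder": "Drafts", "app_id": "app-unknown-1"}
{"ts": "2025-02-13T09:03:30Z", "user": "bob@example.org", "op": "Create", "folder": "Drafts", "app_id": "app-unknown-1"}
{"ts": "2025-02-13T09:04:00Z", "user": "bob@example.org", "op": "Create", "folder": "Drafts", "app_id": "app-unknown-1"}
{"ts": "2025-02-13T09:20:00Z", "user": "carol@example.org", "op": "Create", "folder": "Drafts", "app_id": "app-unknown-2"}
{"ts": "2025-02-13T09:21:00Z", "user": "carol@example.org", "op": "Send", "folder": "Drafts", "app_id": "app-unknown-2"}
"""

# Assumption: OAuth app ids the tenant recognises as legitimate mail clients.
ALLOWED_APPS = {"app-outlook"}

def parse_events(text):
    """Parse newline-delimited JSON audit records."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def find_draft_c2_candidates(events, window_minutes=10, min_drafts=5):
    """Flag (user, app) pairs that create many drafts in a short window
    through an unrecognised OAuth app while sending nothing at all."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["user"], e["app_id"])].append(e)
    alerts = []
    window = timedelta(minutes=window_minutes)
    for (user, app), evs in by_pair.items():
        if app in ALLOWED_APPS:
            continue
        drafts = sorted(datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
                        for e in evs if e["op"] == "Create" and e["folder"] == "Drafts")
        sent = any(e["op"] == "Send" for e in evs)
        # Sliding window: any stretch of min_drafts drafts inside window_minutes?
        for i in range(len(drafts)):
            j = i
            while j < len(drafts) and drafts[j] - drafts[i] <= window:
                j += 1
            if j - i >= min_drafts and not sent:
                alerts.append({"user": user, "app_id": app, "drafts_in_window": j - i})
                break
    return alerts
```

Running `find_draft_c2_candidates(parse_events(SAMPLE_LOG))` flags only bob's mailbox; alice uses an allow-listed client and carol's unknown app actually sends its draft. In production the allow-list and thresholds should be tuned per tenant, and the same idea extends to Graph sign-in logs for the OAuth token side.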
As attackers continue to innovate by leveraging trusted platforms like Microsoft Graph API, security teams must remain vigilant to counter these sophisticated threats effectively.