Elastic Security Labs researchers have discovered “a new family of malware” that exploits Microsoft Outlook. The malware, dubbed FinalDraft, is bundled with several other attack tools in a sophisticated cyberattack. The attack requires “a loader, a backdoor, and several submodules that enable advanced post-exploitation activities.” Based on the modus operandi and tools used, researchers believe that “the developers are well-organized” and are focused on espionage.
First, the attackers must find a way to convince the target to install PathLoader, another malware program designed to infect Windows computers. This loader works by downloading and executing code from a remote server.
Within this malicious code is the FinalDraft malware. Used in synergy with PathLoader, the virus is able to intrude discreetly into a system. PathLoader relies on a myriad of advanced tactics to evade antivirus detection.
When Microsoft Outlook is used as a messaging service for malware
Once deployed, the virus will create a unique identifier for the current session, which allows it to track its activity precisely. Then, it abuses Microsoft Graph, an interface that allows interaction with Microsoft services, to take control of Outlook. Abusing Graph involves obtaining an OAuth token; OAuth is the protocol that allows applications to access protected resources without having to ask the user for the password. This is not the first time that cybercriminals have used the protocol as part of their cyberattacks against Windows.
Through this interface, the malware can create drafts within the Outlook messaging system. These drafts are used to communicate with the remote server. By using drafts rather than sent emails, FinalDraft once again manages to evade Windows' protection mechanisms.
As you will have understood, Outlook is used as a communication channel between hackers and the virus. The attacker's commands are placed in draft emails called "r_", while the responses are stored in new drafts called "p_". After the commands are executed, the command drafts are deleted, which hinders antivirus detection. That’s why Elastic Security Labs believes that FinalDraft “hides in your drafts.”
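The draft-based channel described above leaves a recognisable trace: drafts whose subject starts with "r_" or "p_" that appear and then vanish shortly afterwards. The following is an added detection example (not code from Elastic Security Labs or the malware) that runs that heuristic over a constructed, hypothetical mailbox-activity log; the event schema and the mailbox names are assumptions, not a real Microsoft 365 audit-log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema): (timestamp, mailbox, operation, folder, subject)
SAMPLE_EVENTS = [
    ("2025-02-10T09:00:00", "user@example.com", "Create", "Drafts", "r_8f3a2c"),
    ("2025-02-10T09:00:04", "user@example.com", "Create", "Drafts", "p_8f3a2c"),
    ("2025-02-10T09:00:09", "user@example.com", "Delete", "Drafts", "r_8f3a2c"),
    ("2025-02-10T09:05:00", "user@example.com", "Create", "Drafts", "Re: lunch"),
    ("2025-02-10T10:00:00", "other@example.com", "Create", "Drafts", "p_1234"),
]

# Subject prefixes the report attributes to FinalDraft: r_ for commands, p_ for responses
SUSPECT_PREFIX = re.compile(r"^[rp]_", re.IGNORECASE)


def prefixed_draft_counts(events):
    """Weak signal: how many drafts per mailbox carry the r_/p_ subject prefix."""
    counts = defaultdict(int)
    for _, mailbox, op, folder, subject in events:
        if op == "Create" and folder == "Drafts" and SUSPECT_PREFIX.match(subject):
            counts[mailbox] += 1
    return dict(counts)


def find_draft_c2_candidates(events, max_lifetime=timedelta(minutes=2)):
    """Strong signal: prefixed drafts created and then deleted within max_lifetime,
    matching the 'command draft removed after execution' behaviour described above."""
    created = {}            # (mailbox, subject) -> creation time
    hits = defaultdict(list)
    for ts, mailbox, op, folder, subject in sorted(events):   # ISO timestamps sort lexically
        if folder != "Drafts" or not SUSPECT_PREFIX.match(subject):
            continue
        key = (mailbox, subject)
        when = datetime.fromisoformat(ts)
        if op == "Create":
            created[key] = when
        elif op == "Delete" and key in created:
            if when - created.pop(key) <= max_lifetime:
                hits[mailbox].append(subject)
    return dict(hits)


if __name__ == "__main__":
    print("prefixed drafts:", prefixed_draft_counts(SAMPLE_EVENTS))
    print("short-lived C2 candidates:", find_draft_c2_candidates(SAMPLE_EVENTS))
```

In a real deployment the same logic would be fed from mailbox audit events, with the time window tuned to the observed polling interval.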
Data and file theft
On the hackers’ orders, it will then steal and send sensitive information from the computer to the remote server. The malware mainly targets files stored on the PC, credentials, and system information. This information includes “computer name, account username, internal and external IP addresses, and details about process execution,” the report states. This is where the trap closes, unbeknownst to the PC owner. According to Elastic Security Labs, the virus supports about thirty commands, including data exfiltration or file deletion.
As the researchers’ report explains, there is a variant of FinalDraft that attacks computers running Linux. According to the experts’ investigation, the virus is being actively exploited as part of an espionage campaign, which has affected, among other things, a South American Ministry of Foreign Affairs and entities located in Southeast Asia. In some attacks, hackers have exploited vulnerabilities in telecommunications operators and Internet infrastructure providers.
Source: Elastic Security Labs