Security researchers at Elastic Security Labs have uncovered a sophisticated new malware family dubbed FinalDraft, which employs an innovative technique to conceal its command-and-control (C2) communications through Microsoft Outlook draft folders. This advanced persistent threat demonstrates how cybercriminals are increasingly leveraging legitimate cloud services to evade detection while conducting malicious operations.
Technical Analysis: Infection Chain and Core Components
The attack sequence begins with PathLoader, a compact executable that serves as the initial infection vector. Upon execution, PathLoader runs shellcode that installs the primary payload, the FinalDraft malware. FinalDraft's distinctive feature is its use of the Microsoft Graph API to communicate covertly through Outlook draft messages, so that its traffic blends in with legitimate Microsoft 365 activity.
Advanced Command and Control Infrastructure
FinalDraft implements a sophisticated C2 mechanism that leverages OAuth authentication to access Microsoft Graph API. The malware stores authentication tokens in the Windows Registry and orchestrates its communications through a structured draft message system. Threat actors transmit commands via drafts prefixed with “r_”, while command execution responses are stored in new drafts marked with “p_”. The automatic deletion of these drafts post-execution significantly complicates detection efforts.
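A detection heuristic built from the behaviour just described, as an added example that is not code from the page or from Elastic Security Labs: it scans mailbox events for short-lived, never-sent drafts whose subject starts with "r_" or "p_" and pairs each r_ command draft with a p_ response draft in the same mailbox. The event records and their field names are constructed for this example and are an assumption, not a real Microsoft 365 audit-log schema; the prefix is assumed to sit in the draft subject.

```python
from datetime import datetime, timedelta

# Constructed, simplified mailbox events (hypothetical schema, not a real audit log).
SAMPLE_EVENTS = [
    {"ts": "2025-02-10T09:00:01Z", "mailbox": "alice@example.test", "op": "DraftCreated", "subject": "r_a1f3"},
    {"ts": "2025-02-10T09:00:04Z", "mailbox": "alice@example.test", "op": "DraftDeleted", "subject": "r_a1f3"},
    {"ts": "2025-02-10T09:00:05Z", "mailbox": "alice@example.test", "op": "DraftCreated", "subject": "p_a1f3"},
    {"ts": "2025-02-10T09:00:09Z", "mailbox": "alice@example.test", "op": "DraftDeleted", "subject": "p_a1f3"},
    # Benign draft that happens to start with "r_" but was actually sent: must not be flagged.
    {"ts": "2025-02-10T09:20:00Z", "mailbox": "carol@example.test", "op": "DraftCreated", "subject": "r_team sync"},
    {"ts": "2025-02-10T09:21:00Z", "mailbox": "carol@example.test", "op": "MessageSent", "subject": "r_team sync"},
    # Ordinary draft with an unrelated subject.
    {"ts": "2025-02-10T09:30:00Z", "mailbox": "bob@example.test", "op": "DraftCreated", "subject": "re: quarterly report"},
    {"ts": "2025-02-10T10:15:00Z", "mailbox": "bob@example.test", "op": "MessageSent", "subject": "re: quarterly report"},
]

C2_PREFIXES = ("r_", "p_")  # r_ = operator command, p_ = execution response (from the report)


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_draft_c2_candidates(events, max_lifetime=timedelta(minutes=10)):
    """Return one finding per r_<id> draft that was created, never sent, and deleted
    within max_lifetime, noting whether a matching p_<id> draft showed the same pattern."""
    created, sent, lifetime = {}, set(), {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        subj = ev["subject"]
        if not subj.startswith(C2_PREFIXES):
            continue  # drafts without the C2 prefix are outside this heuristic
        key = (ev["mailbox"], subj)
        if ev["op"] == "DraftCreated":
            created[key] = _parse(ev["ts"])
        elif ev["op"] == "MessageSent":
            sent.add(key)
        elif ev["op"] == "DraftDeleted" and key in created and key not in sent:
            lifetime[key] = _parse(ev["ts"]) - created[key]
    short_lived = {k for k, life in lifetime.items() if life <= max_lifetime}
    # Pair command and response drafts by their shared identifier suffix.
    findings = []
    for mailbox, subj in sorted(short_lived):
        if subj.startswith("r_"):
            ident = subj[2:]
            findings.append({"mailbox": mailbox, "id": ident,
                             "response_seen": (mailbox, "p_" + ident) in short_lived})
    return findings


if __name__ == "__main__":
    for f in find_draft_c2_candidates(SAMPLE_EVENTS):
        print(f"suspicious draft C2 pattern in {f['mailbox']}: id={f['id']} response={f['response_seen']}")
```

Because the drafts are deleted after use, the mailbox itself holds no evidence; only event logging that records draft creation and deletion makes this pattern visible after the fact.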
Cross-Platform Capabilities and Targeted Operations
Researchers have identified a Linux variant of FinalDraft that supports multiple communication protocols, including HTTP/HTTPS, UDP, ICMP, TCP, and DNS. This versatility demonstrates the malware’s advanced capabilities and broad targeting potential. The discovery of the associated cyber espionage campaign REF7707, targeting government entities in South America and organizations in Southeast Asia, highlights the serious nature of this threat.
Detection and Mitigation Strategies
During their investigation, researchers also discovered GuidLoader, a new memory-resident loader capable of executing encrypted payloads directly in RAM. To combat these threats, Elastic Security Labs has released comprehensive YARA rules for detecting all components of the malware suite, including GuidLoader, PathLoader, and FinalDraft variants.
The emergence of FinalDraft represents a significant evolution in malware tradecraft, highlighting the growing sophistication of threat actors in abusing legitimate cloud services. Organizations are strongly advised to implement robust monitoring of Microsoft 365 services, deploy the published YARA rules, and maintain strict access controls on cloud service applications. Regular security audits and employee training on identifying suspicious cloud activity are essential components of a comprehensive defense strategy against these advanced threats.