
Source: Elastic Security Labs
In a recent investigation into the REF7707 intrusion set, Elastic Security Labs identified a new malware family that uses Microsoft Outlook drafts, accessed through the Microsoft Graph API, as a covert command-and-control channel. Dubbed FINALDRAFT, the post-exploitation toolkit consists of a loader (PATHLOADER), a backdoor, and multiple submodules built for cyberespionage operations.
The Elastic team discovered both Windows and Linux variants of the malware, with evidence suggesting long-term development and significant engineering efforts. “The completeness of the tools and the level of engineering involved suggest that the developers are well-organized,” Elastic Security Labs noted, adding that “the extended time frame of the operation and evidence from our telemetry suggest it’s likely an espionage-oriented campaign.”
FINALDRAFT is deployed by PATHLOADER, a lightweight (206 KB) Windows PE executable that acts as the first-stage loader. It downloads AES-encrypted shellcode from attacker-controlled infrastructure, decrypts it, and executes it in memory. PATHLOADER hinders static analysis through API hashing and string obfuscation, and carries sandbox-evasion checks to frustrate dynamic analysis.

Elastic Security Labs highlighted how PATHLOADER’s embedded configuration included two typosquatted domains mimicking security vendors:
- poster.checkponit[.]com (a deceptive imitation of Check Point)
- support.fortineat[.]com (mimicking Fortinet)
The look-alike names are chosen so that loader traffic resembles legitimate connections to security vendors and is less likely to stand out to an analyst reviewing proxy or DNS logs.
FINALDRAFT is a 64-bit backdoor written in C++ with a strong focus on data exfiltration and process injection. On startup it loads an encrypted configuration, derives a session ID, and from then on exchanges commands and results with its operators through Outlook draft messages rather than with a conventional command-and-control (C2) server.
“The session ID used for communication between FINALDRAFT and C2 is generated by creating a random GUID, which is then processed using the Fowler-Noll-Vo (FNV) hash function,” the report explains.
A standout feature of FINALDRAFT is its use of Outlook mail drafts as a C2 channel. Instead of connecting to a dedicated C2 server, the malware:
- Creates a session draft email if one does not already exist.
- Reads and then deletes the command request drafts written by the attackers.
- Executes the requested commands, such as process injection, file manipulation, and network proxying.
- Writes the results back as new draft emails, which the operators retrieve from the same mailbox.
Nothing is ever sent, and every request terminates at Microsoft's own Graph API endpoint over HTTPS, so the channel blends in with legitimate Microsoft 365 activity and sidesteps detections that look for connections to attacker-owned infrastructure or for suspicious outbound mail.
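The session-ID derivation and the draft polling loop described above, as an added offline simulation written for this article rather than code from Elastic's report or from the malware itself. The 64-bit FNV-1a variant, the `session:`/`req:`/`resp:` subject prefixes, the command names, and the in-memory `DraftsFolder` standing in for the Graph `/me/mailFolders/drafts/messages` endpoint are all assumptions of the example:

```python
import itertools
import uuid

# FNV-1a, 64-bit. The report says the session ID is an FNV hash of a random
# GUID; that it is specifically the 64-bit FNV-1a variant is an assumption of
# this example, not something the excerpt states.
FNV64_OFFSET = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1


def fnv1a_64(data: bytes) -> int:
    h = FNV64_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV64_PRIME) & MASK64
    return h


def derive_session_id(guid=None) -> str:
    """Hash the textual GUID (random unless supplied) into 16 hex digits."""
    guid = guid if guid is not None else uuid.uuid4()
    return f"{fnv1a_64(str(guid).encode()):016x}"


class DraftsFolder:
    """Offline stand-in for the Drafts folder an implant would reach through
    Graph (/me/mailFolders/drafts/messages). Drafts are dicts in a list."""

    def __init__(self):
        self._seq = itertools.count(1)
        self.messages = []  # each: {"id", "subject", "body"}

    def create(self, subject, body=""):
        msg = {"id": f"draft-{next(self._seq):03d}", "subject": subject, "body": body}
        self.messages.append(msg)
        return msg

    def list(self, subject_prefix):
        return [m for m in self.messages if m["subject"].startswith(subject_prefix)]

    def delete(self, msg_id):
        self.messages = [m for m in self.messages if m["id"] != msg_id]


# Subject prefixes are hypothetical; the excerpt does not give the real scheme.
SESSION, REQUEST, RESPONSE = "session:", "req:", "resp:"


def implant_poll(drafts, sid, handlers):
    """One beacon: ensure the session draft exists, consume requests, write responses."""
    if not drafts.list(SESSION + sid):
        drafts.create(SESSION + sid)
    outputs = []
    for req in drafts.list(REQUEST + sid):
        drafts.delete(req["id"])  # request drafts are read once and removed
        cmd, _, arg = req["body"].partition(" ")
        handler = handlers.get(cmd)
        out = handler(arg) if handler else f"unknown command {cmd!r}"
        drafts.create(RESPONSE + sid, out)  # the result goes back as a draft
        outputs.append(out)
    return outputs


def operator_send(drafts, sid, command_line):
    return drafts.create(REQUEST + sid, command_line)


def operator_collect(drafts, sid):
    """Read and remove response drafts, returning their bodies in order."""
    responses = drafts.list(RESPONSE + sid)
    for m in responses:
        drafts.delete(m["id"])
    return [m["body"] for m in responses]


# Simulated handlers standing in for the backdoor's real command set;
# the hostname is a constructed value.
HANDLERS = {
    "echo": lambda arg: arg,
    "hostname": lambda _arg: "WKS-CONSTRUCTED-01",
}


def run_exchange():
    """Implant registers, operator queues two commands, implant beacons again,
    operator collects. Returns (session id, outputs, drafts left behind)."""
    drafts = DraftsFolder()
    sid = derive_session_id()
    implant_poll(drafts, sid, HANDLERS)  # first beacon creates the session draft
    operator_send(drafts, sid, "echo hello")
    operator_send(drafts, sid, "hostname")
    implant_poll(drafts, sid, HANDLERS)  # second beacon executes both requests
    collected = operator_collect(drafts, sid)
    remaining = [m["subject"] for m in drafts.messages]
    return sid, collected, remaining


if __name__ == "__main__":
    print(run_exchange())
```

After a full round trip only the session draft survives in the folder; the request and response drafts exist for seconds, which is the property a mailbox-side detection has to key on.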
FINALDRAFT includes 37 command handlers covering process injection, TCP/UDP proxying, file manipulation, and privilege escalation. Its process injection follows the classic remote-thread pattern: allocate memory in the target with VirtualAllocEx, copy the payload in with WriteProcessMemory, and start it with RtlCreateUserThread.
“The target process is either an executable path provided as a parameter to the command or defaults to mspaint.exe or conhost.exe as a fallback,” the report states.
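A detection for that injection pattern, as an added example written for this article and not taken from Elastic's report. It runs over constructed records shaped like Sysmon Event ID 8 (CreateRemoteThread), which fires because RtlCreateUserThread is ntdll's wrapper around NtCreateThreadEx; the paths, PIDs, addresses and the `ExampleEDR` allowlist entry are invented:

```python
import ntpath

# Constructed records shaped like Sysmon Event ID 8 (CreateRemoteThread).
# RtlCreateUserThread is ntdll's wrapper around NtCreateThreadEx, so a remote
# thread started that way surfaces as one of these events. Paths, PIDs and
# addresses below are invented for the example.
EVENTS = [
    {"UtcTime": "2025-01-01 10:00:01",
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe", "SourceProcessId": 4412,
     "TargetImage": r"C:\Windows\System32\mspaint.exe", "TargetProcessId": 5120,
     "StartAddress": "0x000001E3A2F40000", "StartModule": "-", "StartFunction": "-"},
    {"UtcTime": "2025-01-01 10:00:03",
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe", "SourceProcessId": 4412,
     "TargetImage": r"C:\Windows\System32\conhost.exe", "TargetProcessId": 5208,
     "StartAddress": "0x000001E3A2F50000", "StartModule": "-", "StartFunction": "-"},
    # a hypothetical security agent that legitimately injects into mspaint.exe
    {"UtcTime": "2025-01-01 10:00:05",
     "SourceImage": r"C:\Program Files\ExampleEDR\agent.exe", "SourceProcessId": 1200,
     "TargetImage": r"C:\Windows\System32\mspaint.exe", "TargetProcessId": 5120,
     "StartAddress": "0x00007FFB12345678", "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "LdrInitializeThunk"},
    # remote thread with a module-backed start address into an ordinary target
    {"UtcTime": "2025-01-01 10:00:09",
     "SourceImage": r"C:\Windows\System32\svchost.exe", "SourceProcessId": 900,
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 3000,
     "StartAddress": "0x00007FFB1234AAAA", "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},
]

# The two fallback injection targets named in the report.
FALLBACK_TARGETS = {"mspaint.exe", "conhost.exe"}
# Hypothetical allowlist of tools known to inject legitimately on this estate.
TRUSTED_INJECTORS = {r"c:\program files\exampleedr\agent.exe"}


def classify(ev):
    """Return an alert dict for a suspicious remote-thread event, else None."""
    source = ev["SourceImage"].lower()
    target = ntpath.basename(ev["TargetImage"]).lower()
    if source in TRUSTED_INJECTORS:
        return None
    # Shellcode placed with WriteProcessMemory lives in memory that no loaded
    # module backs, so Sysmon cannot resolve StartModule for the new thread.
    unbacked = ev.get("StartModule", "-") in ("-", "")
    reasons = []
    if target in FALLBACK_TARGETS:
        reasons.append(f"remote thread created in {target}")
    if unbacked:
        reasons.append("thread start address not backed by a loaded module")
    if not reasons:
        return None
    return {
        "time": ev["UtcTime"],
        "source": source,
        "target": target,
        "severity": "high" if (target in FALLBACK_TARGETS and unbacked) else "medium",
        "reasons": reasons,
    }


def detect(events):
    return [alert for alert in map(classify, events) if alert]


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The two signals are deliberately scored together: a remote thread into mspaint.exe or conhost.exe from an unexpected parent is odd on its own, and an unbacked start address in any target is worth a look, but the combination is what the described VirtualAllocEx / WriteProcessMemory / RtlCreateUserThread sequence produces.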
In addition to Windows capabilities, an ELF variant of FINALDRAFT was also identified, supporting multiple C2 transport protocols beyond Outlook drafts, including:
- HTTP/HTTPS
- Reverse UDP
- ICMP
- Bind TCP
- Reverse TCP
- DNS
This suggests cross-platform adaptability, making FINALDRAFT a versatile tool for attackers targeting both Windows and Linux environments.
Elastic Security Labs strongly suspects that FINALDRAFT is part of a larger espionage campaign. The toolkit's engineering quality, its long development history, and its reliance on stealthy communication channels suggest a well-funded and highly capable adversary.
Security researchers urge organizations to monitor Microsoft Graph and Outlook mailbox activity, in particular drafts that are created, read, and deleted in quick succession without ever being sent; to deploy endpoint detection able to flag remote-thread injection into processes such as mspaint.exe and conhost.exe; and to block the known C2 domains.
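One way to act on the mailbox-monitoring advice, as an added example written for this article rather than a rule from Elastic's report. It looks for the signature of the drafts-based loop described earlier: a client that repeatedly creates drafts and deletes them within seconds while never sending anything. The event schema, the user and client names, and the thresholds are constructed for the example and are not a real Microsoft 365 audit-log format; your own telemetry would need to be mapped onto it:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mailbox-activity events. The schema (timestamp, user, client
# application, operation, draft id) is invented for this example and is not a
# real Microsoft 365 audit-log format.
BASE = datetime(2025, 1, 1, 9, 0, 0)


def _event(offset_s, user, client, op, draft_id):
    return {"ts": BASE + timedelta(seconds=offset_s), "user": user,
            "client": client, "op": op, "id": draft_id}


MAILBOX_EVENTS = []
# alice: six drafts from an unfamiliar Graph client, each created and deleted
# within seconds and never sent; this is the shape of a drafts-based C2 loop
for i in range(6):
    MAILBOX_EVENTS.append(_event(20 * i, "alice@example.com", "CustomGraphApp/0.1", "create_draft", f"a{i}"))
    MAILBOX_EVENTS.append(_event(20 * i + 4, "alice@example.com", "CustomGraphApp/0.1", "delete_draft", f"a{i}"))
# bob: ordinary use from Outlook, one draft sent and one abandoned much later
MAILBOX_EVENTS += [
    _event(0, "bob@example.com", "Outlook", "create_draft", "b0"),
    _event(120, "bob@example.com", "Outlook", "send", "b0"),
    _event(300, "bob@example.com", "Outlook", "create_draft", "b1"),
    _event(2100, "bob@example.com", "Outlook", "delete_draft", "b1"),
]


def draft_churn(events, max_lifetime=timedelta(seconds=60), min_churned=5):
    """Flag (user, client) pairs whose drafts are repeatedly created and then
    deleted within max_lifetime while that client never sends anything."""
    open_drafts = {}  # (user, client, draft id) -> creation time
    stats = defaultdict(lambda: {"churned": 0, "sent": 0})
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["client"])
        draft_key = key + (ev["id"],)
        if ev["op"] == "create_draft":
            open_drafts[draft_key] = ev["ts"]
        elif ev["op"] == "send":
            stats[key]["sent"] += 1
            open_drafts.pop(draft_key, None)
        elif ev["op"] == "delete_draft":
            created = open_drafts.pop(draft_key, None)
            if created is not None and ev["ts"] - created <= max_lifetime:
                stats[key]["churned"] += 1
    return [
        {"user": user, "client": client, "churned_drafts": s["churned"]}
        for (user, client), s in stats.items()
        if s["churned"] >= min_churned and s["sent"] == 0
    ]


if __name__ == "__main__":
    for hit in draft_churn(MAILBOX_EVENTS):
        print(hit)
```

Keying on the client application as well as the user matters: a human's Outlook session and an implant polling Graph with its own token can share a mailbox, and only the latter shows the create-then-delete churn with no sends.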