You've Got Malware: FINALDRAFT Hides in Your Drafts

Feb. 14, 2025, 3:46 p.m.

Description

While investigating REF7707, Elastic Security Labs discovered a new family of previously unknown malware that leverages Outlook as a communication channel via the Microsoft Graph API. This post-exploitation kit includes a loader, a backdoor, and multiple submodules that enable advanced post-exploitation activities.

Date

  • Created: Feb. 14, 2025, 3:42 p.m.
  • Published: Feb. 14, 2025, 3:42 p.m.
  • Modified: Feb. 14, 2025, 3:46 p.m.

Indicators


Attack Patterns

  • FINALDRAFT
  • T1080
  • T1550
  • T1497
  • T1095
  • T1127
  • T1070
  • T1106
  • T1055
  • T1134
  • T1049
  • T1562
  • T1059