The REF7707 campaign, targeting a South American nation’s Foreign Ministry, employs novel malware including FINALDRAFT, GUIDLOADER, and PATHLOADER. Despite showcasing advanced tactics, the attackers demonstrated poor operational security. The malware utilized common LOLBins for execution and relied heavily on cloud services for command and control, complicating detection efforts. Affected: South American Foreign Ministry, Southeast Asia, Cybersecurity Sector
Keypoints :
- The REF7707 campaign targets the Foreign Ministry of a South American nation.
- Utilizes novel malware such as FINALDRAFT, GUIDLOADER, and PATHLOADER.
- FINALDRAFT has variants for both Windows and Linux.
- Employs uncommon LOLBins like Microsoft’s certutil for executing tasks.
- Weak operational security exposed additional malware and unrelated infrastructure.
- Heavy reliance on cloud services for command and control operations.
- The attackers showcased tactical oversights that hindered their effectiveness.
- The campaign demonstrates a mix of sophisticated targeting and poor campaign management.
MITRE Techniques :
- TA0001 – Initial Access: Utilized LOLBin (certutil) to download files.
- TA0003 – Execution: Leveraged fontdrvhost.exe and config.ini for executing shellcode.
- TA0004 – Persistence: Created Scheduled Task to maintain access via CDB.exe.
- TA0005 – Defense Evasion: Used cloud services to hide command and control activities.
- TA0007 – Discovery: Executed scripts to extract sensitive information from the system and network.
- TA0008 – Lateral Movement: Employed WinrsHost.exe for lateral movement using valid credentials.
Indicator of Compromise :
- [SHA-256] 39e85de1b1121dc38a33eca97c41dbd9210124162c6d669d28480c833e059530
- [SHA-256] 83406905710e52f6af35b4b3c27549a12c28a628c492429d3a411fdb2d28cc8c
- [Domain Name] poster.checkponit[.]com
- [Domain Name] support.fortineat[.]com
- [IP Address] 47.83.8.198
Full Story: https://www.elastic.co/security-labs/fragile-web-ref7707
Views: 24
简体中文
Nederlands
Français
Bahasa Indonesia
日本語
Português