Summary: A newly identified malware, FinalDraft, has been exploiting Outlook email drafts for command-and-control communication in a cyber-espionage campaign targeting a South American ministry. Discovered by Elastic Security Labs, it employs a range of tools including PathLoader and has capabilities for data exfiltration and process injection while maintaining stealth by blending into regular Microsoft 365 traffic. The campaign, known as REF7707, has implications beyond the target nation, indicating a potential broader operation involving Southeast Asian victims.
Affected: South American foreign ministry and Southeast Asian organizations
Key points:
- FinalDraft malware uses Outlook drafts for covert command-and-control communication to avoid detection.
- The malware supports 37 commands, enabling operations such as data exfiltration, pass-the-hash attacks, and process injection.
- Elastic Security Labs discovered operational flaws in the campaign that led to the exposure of the attackers, indicating advanced capabilities along with lapses in operational security.
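The detail that matters to defenders is that the channel looks like ordinary mailbox activity: drafts are written and removed, but nothing is ever sent. One way to surface that pattern is a heuristic over mailbox audit events. The script below is an added example written for this summary; it is not code from Elastic Security Labs or from the FinalDraft report, and the event format it consumes (a list of dicts with `time`, `user` and `op` fields, where `op` is one of `DraftCreate`, `DraftDelete`, `Send`) is a constructed stand-in, not the real Microsoft 365 audit-log schema. The function names `find_draft_churn` and `constructed_events`, and the thresholds, are assumptions.

```python
"""
Heuristic: flag mailboxes that repeatedly create and delete drafts inside a
short window without ever sending a message. Added example; the event
format is constructed and does not match any real audit-log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_events():
    """Build a small, clearly synthetic event set for a local demo.

    alice: writes one draft and sends it (normal behaviour).
    bob:   six create/delete cycles in under six minutes and never sends,
           which is the shape a draft-based C2 channel would leave behind.
    """
    base = datetime(2025, 1, 10, 9, 0)
    events = [
        {"time": base.isoformat(), "user": "alice@example.test", "op": "DraftCreate"},
        {"time": (base + timedelta(minutes=5)).isoformat(), "user": "alice@example.test", "op": "Send"},
    ]
    for i in range(6):
        t_create = base + timedelta(minutes=i)
        t_delete = t_create + timedelta(seconds=30)
        events.append({"time": t_create.isoformat(), "user": "bob@example.test", "op": "DraftCreate"})
        events.append({"time": t_delete.isoformat(), "user": "bob@example.test", "op": "DraftDelete"})
    return events


def find_draft_churn(events, window_minutes=10, min_cycles=5):
    """Return {user: summary} for mailboxes whose draft create and delete
    counts both reach `min_cycles` within any `window_minutes` window that
    contains no Send event. Thresholds are assumptions to be tuned per tenant.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["op"]))

    window = timedelta(minutes=window_minutes)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort()  # chronological order per mailbox
        for i, (start, _) in enumerate(evs):
            creates = deletes = sends = 0
            for t, op in evs[i:]:
                if t - start > window:
                    break
                if op == "DraftCreate":
                    creates += 1
                elif op == "DraftDelete":
                    deletes += 1
                elif op == "Send":
                    sends += 1
            # A draft that is written and then removed, over and over, with no
            # outbound mail is the behaviour worth a closer look.
            if sends == 0 and min(creates, deletes) >= min_cycles:
                flagged[user] = {
                    "window_start": start.isoformat(),
                    "creates": creates,
                    "deletes": deletes,
                }
                break  # one hit per mailbox is enough for triage
    return flagged


if __name__ == "__main__":
    for user, summary in find_draft_churn(constructed_events()).items():
        print(f"{user}: {summary}")
```

In a real deployment the events would come from the tenant's mailbox audit trail and the window and cycle thresholds would need tuning against baseline user behaviour; the point of the heuristic is that sends, not drafts, are what a legitimate mailbox eventually produces.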