FINALDRAFT malware is a sophisticated cyber espionage tool that targets both Windows and Linux systems, exploiting Microsoft’s Graph API for stealthy command-and-control operations. Discovered in November 2024, this malware is linked to the REF7707 threat group, believed to have connections to China. Its ability to compromise various sectors, including government agencies, telecommunications, and educational institutions, makes it a significant threat.
You might wonder how FINALDRAFT infiltrates systems. It starts by using Microsoft’s certutil tool to download malicious files, allowing it to bypass traditional security measures. Once inside the network, it employs Windows Remote Management (WinrsHost.exe) for lateral movement, making it easier to traverse and infect other systems. To evade detection, it cleverly injects itself into processes like mspaint.exe, blending in with legitimate applications.
The communication methods used by FINALDRAFT are particularly alarming. It utilizes Outlook drafts via Microsoft Graph API for command-and-control communication, which makes its activities less detectable. This technique is further enhanced by evasion methods like NTLM hash impersonation and PowerPick for executing PowerShell commands without raising red flags. With 37 built-in command handlers, it can manipulate files, execute commands, and create covert network tunnels, reinforcing its capacity for espionage.
The Linux variant of FINALDRAFT also poses a serious threat. Found on VirusTotal, these ELF binaries demonstrate similar capabilities to their Windows counterparts. They can execute shell commands, delete themselves, and maintain command-and-control functionalities. Such versatility broadens the malware’s reach, with reports of ELF binaries uploaded from regions like Brazil and the U.S.
The geographic distribution of attacks underscores FINALDRAFT’s extensive impact. Targets have included a foreign ministry in South America, a telecom company in Southeast Asia, and a university in the same region. This diversity highlights the malware’s ability to strike various sectors, increasing the urgency for robust security measures. No organization is immune to these types of attacks, which emphasizes the need for comprehensive security assessments to protect sensitive data.
To protect against FINALDRAFT, implementing advanced endpoint security and network measures is crucial. Firewalls and intrusion prevention systems can help detect and block attacks. Additionally, email security protocols are vital for safeguarding against Graph API abuse and malicious commands.
Adopting a zero-trust approach can further enhance your defenses, ensuring that even if an attacker gains access, they’ll face significant barriers to carrying out their objectives. Staying informed and vigilant is key to thwarting this sophisticated threat.
