
New Malware Attacks Target Microsoft Outlook, Enabling Stealthy Takeover
Even draft emails can be used in attacks.
Security researchers have identified a new type of malware called FinalDraft, which exploits email drafts in Outlook to carry out various malicious actions, including data exfiltration and PowerShell execution. This malware is part of a broader toolkit used in a campaign known as REF7707, which appears to target government organizations in South America and Southeast Asia.
The toolkit involved includes a loader called PathLoader, the FinalDraft malware, and various post-exploitation utilities. The attack begins when the victim is exposed to the loader, although the researchers do not specify how this occurs; common methods such as phishing, social engineering, or cracked commercial software are presumed to be in use.
Once installed, FinalDraft establishes a command-and-control channel through the Microsoft Graph API, using email drafts in Outlook as the medium. To authenticate to the API, it obtains an OAuth token from Microsoft using a refresh token embedded in its configuration, and stores the token in the Windows Registry. This allows attackers to maintain persistent access to the compromised system.
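As an added example (not the researchers' code, and containing no indicator from the campaign), the following Python detection logic scans constructed Microsoft Graph API activity records for the shape this channel produces: one principal repeatedly creating, reading and deleting drafts without ever sending mail. The log field names, the application names and the threshold values are assumptions.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

DRAFT = re.compile(r"/me/mailFolders/drafts/messages(/[^/]+)?$")
DELETE = re.compile(r"/me/messages/[^/]+$")
SEND = re.compile(r"/(sendMail|messages/[^/]+/send)$")
# (HTTP method, path pattern, event kind); first match wins.
RULES = (("POST", SEND, "send"), ("DELETE", DELETE, "delete"),
         ("POST", DRAFT, "draft"), ("GET", DRAFT, "draft"), ("PATCH", DRAFT, "draft"))

def classify(rec):
    """Map one log record to 'send', 'delete', 'draft' or None (ignored)."""
    return next((kind for method, rx, kind in RULES
                 if rec["method"] == method and rx.search(rec["uri"])), None)

def find_draft_channels(lines, window_s=600, min_ops=6):
    """(user, app) pairs with >= min_ops draft/delete calls in a window_s span holding no send."""
    events = defaultdict(list)
    for rec in map(json.loads, filter(str.strip, lines)):
        if kind := classify(rec):
            ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            events[(rec["user"], rec["app"])].append((ts, kind))
    alerts = []
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over time-ordered events
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            kinds = [k for _, k in evs[start:end + 1]]
            if "send" not in kinds and len(kinds) >= min_ops:
                alerts.append(key)
                break
    return alerts

def build_sample():
    """Constructed records: one user sending normally, one principal cycling
    create/read/delete on drafts every 30 seconds without ever sending."""
    t0 = datetime(2025, 2, 10, 9, 0, tzinfo=timezone.utc)
    def rec(sec, user, app, method, uri):
        return json.dumps({"ts": (t0 + timedelta(seconds=sec)).isoformat(),
                           "user": user, "app": app, "method": method, "uri": uri})
    lines = [rec(0, "analyst@example.gov", "Outlook", "POST", "/v1.0/me/sendMail")]
    for i in range(4):
        who = ("clerk@example.gov", "CustomApp-ABC")
        lines.append(rec(i * 30, *who, "POST", "/v1.0/me/mailFolders/drafts/messages"))
        lines.append(rec(i * 30 + 5, *who, "GET", "/v1.0/me/mailFolders/drafts/messages"))
        lines.append(rec(i * 30 + 9, *who, "DELETE", f"/v1.0/me/messages/AAMk{i}"))
    return lines
```

On real telemetry the same logic would run over Graph activity or mailbox audit records, with the thresholds tuned so that a person drafting and sending mail is never flagged.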
The capabilities of the malware are extensive. It enables attackers to exfiltrate sensitive data, create covert network tunnels, alter local files, and execute PowerShell commands, among other functions. Additionally, the malware removes executed commands, further complicating subsequent analysis.
Researchers detected this malware on a computer belonging to a ministry of foreign affairs in South America. Examination of the attackers' infrastructure, however, revealed connections to victims in Southeast Asia and indicated that the campaign affects both Windows and Linux devices.
The attack has not been linked to known threat actors, leaving open the possibility that it is a state-sponsored operation, especially since the objective appears to be espionage.