A newly discovered family of malware utilizes Microsoft Outlook and the Microsoft Graph API as part of a sophisticated espionage campaign. The malware consists of two main components: PATHLOADER, a custom loader, and FINALDRAFT, a backdoor designed for data exfiltration and process injection. PATHLOADER operates by downloading and executing encrypted shellcode from external servers while employing techniques like API hashing to evade static analysis. It also avoids execution in sandbox environments by using methods to detect and bypass them. The malware has been built to operate over an extended period, making it a highly persistent threat.
FINALDRAFT operates by creating email drafts in Microsoft Outlook to communicate with its command-and-control (C2) server, using the Microsoft Graph API. The emails are encoded in Base64 but not AES-encrypted, which makes the malware harder to detect using traditional email security tools. The malware’s communication loop involves creating draft emails to send commands, while responses are written back into new drafts. This unique method of communication allows it to evade conventional detection systems that typically monitor outgoing or incoming emails.
FINALDRAFT’s capabilities are extensive, with 37 command handlers that allow it to perform a range of malicious activities, including process injection, file manipulation, and launching network proxy services. It also collects a significant amount of system information, such as machine details, internal and external IP addresses, operating system versions, and active processes. These details are then sent to the C2 server, which can further exploit the victim’s system.
The malware’s ability to manipulate processes and maintain a persistent connection to its C2 server makes it a dangerous tool for espionage.
To protect against this sophisticated malware, organizations should closely monitor the use of the Microsoft Graph API and Outlook for any signs of unusual activity. Implementing stringent access controls and regularly auditing security systems is vital in defending against such advanced threats. Deploying endpoint security solutions that can detect malware execution and monitor email communication for suspicious behavior will also significantly improve an organization’s ability to prevent or mitigate such attacks. Proactive security measures, combined with advanced detection systems, are essential for safeguarding against these evolving cyber threats.
