A newly discovered post-exploitation malware kit targeting both Windows and Linux systems has been abusing Microsoft Outlook as a communication channel, Elastic Security Labs reports.
The kit includes a loader and a backdoor, along with various modules that support additional post-exploitation operations, and is likely used as part of an espionage campaign.
Elastic tracks the campaign as REF7707 and has observed the new malware being used in attacks on a South American nation’s Foreign Ministry. Its researchers also found links to compromises in Southeast Asia.
Dubbed PathLoader, the loader is a lightweight Windows executable designed to fetch and execute encrypted shellcode from a remote server; it also includes sandbox evasion capabilities.
The shellcode loads and executes a backdoor called FinalDraft, which is written in C++ and can execute a broad range of commands, exfiltrate data, and inject code into processes.
For communication purposes, FinalDraft uses the Outlook service via the Microsoft Graph API. It contacts a specific Outlook endpoint to obtain a Microsoft Graph API token, stores that token in a registry path that depends on whether the user has administrative privileges, and reuses the stored token as long as it remains valid.