
Speeding up

The attack starts with the victim somehow being exposed to the loader.

The loader installs FinalDraft, which establishes a command-and-control channel through the Microsoft Graph API.


It does so by using Outlook email drafts.

It then obtains an OAuth token from Microsoft using a refresh token embedded in its configuration.

It stores the token in the Windows Registry, giving the attackers persistent access to the compromised endpoint.

After executing the commands it receives, the malware deletes them, making analysis even harder.
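A detection heuristic built from the three traits described above (an OAuth refresh-token grant, Outlook draft traffic through the Graph API, and subsequent deletion of those messages), run over constructed sample log lines. This is an added example, not code from the article or from Elastic; the log format, process names and the mail-client allowlist are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical proxy/EDR log format (assumption):
# "<ts> <host> pid=<pid> img=<image> <METHOD> <url> [extra]"
SAMPLE_LOG = """\
2025-02-01T09:00:01Z ws01 pid=4412 img=svchost.exe POST https://login.microsoftonline.com/common/oauth2/v2.0/token grant_type=refresh_token
2025-02-01T09:00:02Z ws01 pid=4412 img=svchost.exe GET https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages
2025-02-01T09:00:03Z ws01 pid=4412 img=svchost.exe POST https://graph.microsoft.com/v1.0/me/messages
2025-02-01T09:00:09Z ws01 pid=4412 img=svchost.exe DELETE https://graph.microsoft.com/v1.0/me/messages/AAMkAGI2
2025-02-01T09:01:00Z ws01 pid=7120 img=OUTLOOK.EXE POST https://login.microsoftonline.com/common/oauth2/v2.0/token grant_type=refresh_token
2025-02-01T09:01:01Z ws01 pid=7120 img=OUTLOOK.EXE GET https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages
2025-02-01T09:02:00Z ws02 pid=1234 img=chrome.exe GET https://graph.microsoft.com/v1.0/me
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) pid=(?P<pid>\d+) img=(?P<img>\S+) "
    r"(?P<method>[A-Z]+) (?P<url>\S+)(?: (?P<extra>.*))?$"
)

# Processes expected to legitimately refresh tokens and touch drafts (assumption).
MAIL_CLIENT_ALLOWLIST = {"outlook.exe"}

def parse(log_text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def find_draft_c2_candidates(events):
    """Return (host, pid, image) tuples that show all three traits and are not a known mail client."""
    traits = defaultdict(set)
    for e in events:
        key = (e["host"], e["pid"], e["img"])
        url, extra = e["url"], e["extra"] or ""
        if "login.microsoftonline.com" in url and "grant_type=refresh_token" in extra:
            traits[key].add("refresh_token")
        # POST /me/messages creates a draft; the drafts folder listing reads them back.
        if "graph.microsoft.com" in url and ("/mailFolders/drafts" in url or "/me/messages" in url):
            traits[key].add("drafts")
        if e["method"] == "DELETE" and "graph.microsoft.com" in url and "/messages/" in url:
            traits[key].add("delete")
    return sorted(key for key, seen in traits.items()
                  if key[2].lower() not in MAIL_CLIENT_ALLOWLIST
                  and {"refresh_token", "drafts", "delete"} <= seen)

if __name__ == "__main__":
    for hit in find_draft_c2_candidates(parse(SAMPLE_LOG)):
        print("suspicious Graph draft activity:", hit)
```

Real telemetry rarely carries the token grant type in a proxy line; in practice the refresh-token trait would come from Entra sign-in logs and the Graph calls from proxy or EDR network events, joined on host and process.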

The researchers found the malware on a computer belonging to a foreign ministry in South America.

However, after analyzing its infrastructure, Elastic has seen links to victims in Southeast Asia, as well.

The campaign targets both Windows and Linux devices.

However, given that the goal appears to be espionage, it is safe to assume a nation-state attack.

In-depth analysis, including detection mechanisms, mitigations, and YARA rules, can be found at this link.