Targeted Attacks Against a Government Ministry
A newly discovered malware named FinalDraft has been observed using Outlook email drafts as a command-and-control (C2) channel in attacks against a South American government ministry.
Researchers at Elastic Security Labs uncovered the malware, which operates as part of a sophisticated toolset that includes:
- PathLoader: A custom malware loader
- FinalDraft: A backdoor for data exfiltration and process injection
- Post-exploitation tools: Used for credential theft and lateral movement
How the Attack Works
The attack begins when the threat actor compromises a system using PathLoader, which executes shellcode retrieved from an attacker-controlled server. This shellcode loads FinalDraft into memory.
Covert Communication via Outlook
Once executed, FinalDraft establishes communication with the attacker’s infrastructure through the Microsoft Graph API, reading and writing Outlook email drafts instead of sending messages. This technique enables:
- Stealthy command execution: The malware receives commands hidden inside drafts (e.g., r_<session-id>)
- Covert data exfiltration: Responses are stored in separate drafts (e.g., p_<session-id>)
- Forensic evasion: Once executed, commands are deleted, making detection difficult
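As an added defender-side example (not code from the Elastic report), the following Python triage script scores Drafts-folder activity that follows the r_/p_ subject convention described above, pairing command and response drafts by session id and noting drafts that were deleted without ever being sent. The audit record field names, the session-id alphabet and the sample events are all assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Subject convention described for FinalDraft: "r_<session-id>" carries a
# command, "p_<session-id>" carries the response. The session-id alphabet
# is an assumption for this example.
DRAFT_SUBJECT = re.compile(r"^(?P<kind>[rp])_(?P<session>[A-Za-z0-9-]+)$")

# Constructed records in a mailbox-audit style (field names assumed, not a
# real export): who acted, the operation, folder, subject and UTC time.
SAMPLE_EVENTS = [
    {"user": "a@ministry.example", "op": "Create", "folder": "\\Drafts",
     "subject": "r_7f3a", "ts": "2025-02-10T09:00:05Z"},
    {"user": "a@ministry.example", "op": "Create", "folder": "\\Drafts",
     "subject": "p_7f3a", "ts": "2025-02-10T09:00:09Z"},
    {"user": "a@ministry.example", "op": "HardDelete", "folder": "\\Drafts",
     "subject": "r_7f3a", "ts": "2025-02-10T09:00:11Z"},
    {"user": "a@ministry.example", "op": "Create", "folder": "\\Drafts",
     "subject": "Budget notes", "ts": "2025-02-10T09:15:00Z"},
    {"user": "b@ministry.example", "op": "Create", "folder": "\\Drafts",
     "subject": "p_ab12", "ts": "2025-02-10T10:00:00Z"},
]


def find_draft_c2_sessions(events):
    """Group Drafts-folder activity by (mailbox, session-id) and score it.

    One point each for: a command draft (r_), a response draft (p_), and a
    draft deleted again without being sent. Score >= 2 is worth triage; a
    single r_/p_ subject on its own is only a weak signal.
    """
    sessions = defaultdict(lambda: {"kinds": set(), "deleted": False, "first": None})
    for ev in events:
        m = DRAFT_SUBJECT.match(ev["subject"])
        if not m or ev["folder"] != "\\Drafts":
            continue  # ordinary mail activity, ignore
        s = sessions[(ev["user"], m.group("session"))]
        # ISO-8601 UTC strings of equal format sort chronologically as text
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        if ev["op"] == "Create":
            s["kinds"].add(m.group("kind"))
        elif ev["op"] in ("HardDelete", "SoftDelete"):
            s["deleted"] = True
    findings = [{"user": u, "session": sid, "first_seen": s["first"],
                 "score": len(s["kinds"]) + int(s["deleted"])}
                for (u, sid), s in sessions.items()]
    return sorted(findings, key=lambda f: -f["score"])
```

Running find_draft_c2_sessions(SAMPLE_EVENTS) ranks the mailbox with a paired command/response draft and a deletion (score 3) above the mailbox with a lone p_ draft (score 1).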
Additionally, FinalDraft retrieves an OAuth refresh token from its configuration and stores it in the Windows Registry, ensuring persistent access.
Token stored in the Windows Registry
Source: Elastic Security