- Security researchers spot new malware called FinalDraft
- It takes its commands from Outlook email drafts
- It can exfiltrate data, run PowerShell, and more
Cybersecurity researchers from Elastic Security Labs have discovered a new piece of malware that abuses Outlook email drafts for data exfiltration, PowerShell execution, and more.
The malware is part of a wider toolkit used in a campaign named REF7707, which targets government organizations in South America and Southeast Asia.
According to the researchers, the toolkit includes several tools: a loader called PathLoader, the malware called FinalDraft, and several post-exploitation utilities.
Accelerate
The attack begins with the victim being exposed to the loader in some way. Although the researchers do not detail how this happens, it is safe to assume the usual channels: phishing, social engineering, fake cracks for commercial software, and the like.
The loader installs FinalDraft, which establishes a communication channel through the Microsoft Graph API, using Outlook email drafts as the medium. It obtains a Microsoft OAuth token using a refresh token embedded in its configuration and stores that token in the Windows registry, giving the attackers persistent access to the compromised endpoint.
The malware lets the attackers run a whole range of commands, including exfiltrating sensitive data, creating covert network tunnels, tampering with local files, executing PowerShell, and more. After carrying out these commands, the malware deletes them, which makes analysis even more difficult.
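The draft-based channel described above leaves a recognisable footprint: a process that is not a mail client reading the Outlook drafts folder through Graph, deleting messages, and requesting OAuth tokens. The following hunt script is an added example, not Elastic's code or part of the original article; the log line format, the process allow-list and the sample lines are constructed assumptions, not a real product's schema.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of EDR/proxy-style network log lines: timestamp, process, method, URL.
# The format and the message id "AAMkAG" are made up for this example.
SAMPLE_LOG = """\
2025-02-13T10:01:02Z OUTLOOK.EXE POST https://graph.microsoft.com/v1.0/me/messages
2025-02-13T10:01:05Z OUTLOOK.EXE GET https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages
2025-02-13T10:02:10Z svchost.exe GET https://graph.microsoft.com/v1.0/me/mailFolders/drafts/messages
2025-02-13T10:02:11Z svchost.exe POST https://graph.microsoft.com/v1.0/me/messages
2025-02-13T10:02:12Z svchost.exe DELETE https://graph.microsoft.com/v1.0/me/messages/AAMkAG
2025-02-13T10:03:40Z svchost.exe POST https://login.microsoftonline.com/common/oauth2/v2.0/token
2025-02-13T10:05:00Z chrome.exe GET https://graph.microsoft.com/v1.0/me
"""

# Processes expected to talk to Microsoft Graph on a typical workstation (assumption;
# tune this to the environment, since a real allow-list depends on installed software).
ALLOWED = {"OUTLOOK.EXE", "TEAMS.EXE", "ONEDRIVE.EXE", "msedge.exe", "chrome.exe"}
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PATCH|DELETE) (\S+)$")


def parse(log):
    """Yield (timestamp, process, method, url) tuples, skipping malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def find_suspicious(log):
    """Return {process: Counter} for non-allow-listed processes that both read the
    drafts folder and delete messages, the pattern of a drafts-based command channel."""
    hits = defaultdict(Counter)
    for _ts, proc, method, url in parse(log):
        if proc in ALLOWED:
            continue
        if "graph.microsoft.com" in url and "/mailFolders/drafts" in url:
            hits[proc]["draft_read"] += 1
        elif "graph.microsoft.com" in url and method == "DELETE" and "/messages/" in url:
            hits[proc]["message_delete"] += 1
        elif "login.microsoftonline.com" in url and url.endswith("/token"):
            hits[proc]["token_request"] += 1
    # Require both behaviours so a single stray Graph call does not page an analyst.
    return {p: c for p, c in hits.items() if c["draft_read"] and c["message_delete"]}


if __name__ == "__main__":
    for proc, counts in find_suspicious(SAMPLE_LOG).items():
        print(f"{proc}: {dict(counts)}")
```

A token request by the same process (counted separately) raises confidence further, since the article notes the malware redeems an embedded refresh token itself rather than through a mail client.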
The researchers found the malware on a computer belonging to a Ministry of Foreign Affairs in South America. However, after analyzing its infrastructure, Elastic also saw links to victims in Southeast Asia. The campaign targets both Windows and Linux devices.
The attack was not linked to any known threat actor, so it is not known whether it was state-sponsored or not. However, given that the objective appears to be espionage, it is safe to assume a nation-state attack. An in-depth analysis, including detection mechanisms, mitigations and YARA rules, is available via the link.