Hackers Target Windows and Linux with FINALDRAFT Malware

Article Highlights
Off On

A sophisticated hacking campaign has been unveiled recently by Elastic Security Labs, dubbed “REF7707,” which has been targeting both Windows and Linux systems using novel malware families, including FINALDRAFT, GUIDLOADER, and PATHLOADER. This campaign has been notable for its advanced tactics and poor operational security, leading to the exposure of additional adversary-owned infrastructure. The REF7707 campaign was first identified in late November 2024, when Elastic Security Labs observed a cluster of endpoint behavioral alerts at the Foreign Ministry of a South American country. The investigation uncovered a sprawling campaign with novel malware, sophisticated targeting, and a mature operating cadence. While the security experts at Elastic Security Labs noted that despite showing high technical competence in some areas, the attackers made tactical oversights that exposed pre-production malware samples and infrastructure.

Execution Flow

The primary execution chain began with the use of Microsoft’s certutil application to download files from a remote server. FINALDRAFT is a key component of the REF7707 intrusion set. FINALDRAFT has both Windows and Linux variants and uses an uncommon LOLBin (Living Off The Land Binary) tactic by abusing the Windows-signed debugger CDB.exe, renamed as fontdrvhost.exe. This binary executes malicious shellcode delivered via a weaponized config.ini file. Behavioral analysis revealed that FINALDRAFT injects shellcode into processes like mspaint.exe or conhost.exe if no target parameter is provided. Persistence was achieved using a Scheduled Task that invoked fontdrvhost.exe every minute as SYSTEM with the following command: schtasks /create /RL HIGHEST /F /tn “MicrosoftWindowsAppIDEPolicyManager” /tr “C:ProgramDatafontdrvhost.exe -cf C:ProgramDataconfig.ini -o C:ProgramData” /sc MINUTE /mo 1 /RU SYSTEM. FINALDRAFT establishes command and control using Microsoft’s Graph API, blending in with legitimate organizational traffic and evading network-based detection. The campaign heavily utilizes cloud and third-party services for command and control, with domains like support.vmphere[.]com and update.hobiter[.]com identified in the malware samples.

Security Implications and Countermeasures

The use of FINALDRAFT across both Windows and Linux platforms illustrates the need for robust cross-platform security measures. This tactic of exploiting legitimate software to cloak malicious activities shows that traditional network security measures are not sufficient on their own. Organizations must adopt advanced endpoint detection and response (EDR) solutions that can detect and mitigate such sophisticated threats. Furthermore, regular updates to threat intelligence databases and continuous monitoring of network traffic are crucial to identify and block malicious communications promptly.

In addition, companies need to implement strict access controls and ensure that only essential personnel have elevated privileges within their networks. Even sophisticated attacks like REF7707 can be thwarted if attackers are deprived of the ability to move laterally within a network. Regular security training for employees can also help in identifying phishing attempts and other common attack vectors. As attackers continue to develop new techniques, the collaboration between cybersecurity firms and organizations becomes even more vital. By sharing threat intelligence and best practices, the collective defense against such advanced threats can be strengthened.

Conclusion

FINALDRAFT’s deployment on both Windows and Linux highlights the necessity of strong cross-platform security. The practice of using legitimate software to mask harmful activities proves that traditional network security measures are insufficient alone. Organizations need to adopt advanced endpoint detection and response (EDR) solutions capable of detecting and countering such advanced threats. Additionally, it’s vital to keep threat intelligence databases updated and consistently monitor network traffic to quickly identify and block malicious communications.

Firms must also enforce strict access controls, ensuring that only crucial personnel have elevated network privileges. Even advanced attacks like REF7707 can be prevented if attackers can’t move freely within the network. Continuous security training for employees can aid in recognizing phishing attempts and other frequent attack methods. As cybercriminals evolve, collaboration between cybersecurity firms and organizations becomes even more critical. By sharing threat intelligence and best practices, we can collectively strengthen our defense against these sophisticated threats.

Explore more

Can Stablecoins Balance Privacy and Crime Prevention?

The emergence of stablecoins in the cryptocurrency landscape has introduced a crucial dilemma between safeguarding user privacy and mitigating financial crime. Recent incidents involving Tether’s ability to freeze funds linked to illicit activities underscore the tension between these objectives. Amid these complexities, stablecoins continue to attract attention as both reliable transactional instruments and potential tools for crime prevention, prompting a

AI-Driven Payment Routing – Review

In a world where every business transaction relies heavily on speed and accuracy, AI-driven payment routing emerges as a groundbreaking solution. Designed to amplify global payment authorization rates, this technology optimizes transaction conversions and minimizes costs, catalyzing new dynamics in digital finance. By harnessing the prowess of artificial intelligence, the model leverages advanced analytics to choose the best acquirer paths,

How Are AI Agents Revolutionizing SME Finance Solutions?

Can AI agents reshape the financial landscape for small and medium-sized enterprises (SMEs) in such a short time that it seems almost overnight? Recent advancements suggest this is not just a possibility but a burgeoning reality. According to the latest reports, AI adoption in financial services has increased by 60% in recent years, highlighting a rapid transformation. Imagine an SME

Trend Analysis: Artificial Emotional Intelligence in CX

In the rapidly evolving landscape of customer engagement, one of the most groundbreaking innovations is artificial emotional intelligence (AEI), a subset of artificial intelligence (AI) designed to perceive and engage with human emotions. As businesses strive to deliver highly personalized and emotionally resonant experiences, the adoption of AEI transforms the customer service landscape, offering new opportunities for connection and differentiation.

Will Telemetry Data Boost Windows 11 Performance?

The Telemetry Question: Could It Be the Answer to PC Performance Woes? If your Windows 11 has left you questioning its performance, you’re not alone. Many users are somewhat disappointed by computers not performing as expected, leading to frustrations that linger even after upgrading from Windows 10. One proposed solution is Microsoft’s initiative to leverage telemetry data, an approach that