Threat Hunter is a bespoke malware that allows remote access to infected hosts, which sheds light on a new campaign targeting the unnamed South American national foreign ministry.
The activity detected in November 2024 is attributed to a threat cluster tracked by the elastic security lab as Ref7707. Other goals include telecommunications entities and universities in Southeast Asia.
“The Ref7707 campaign is characterized by a highly capable, innovative intrusion set designed, but campaign owners showed campaign management and inconsistent avoidance practices,” said the security researcher. Andrew Pease and Seth Goodwin said in their technical analysis.
The exact initial access vector used in the attack is currently unclear, but it has been observed that Microsoft’s Certutil application is being used to download additional payloads from web servers associated with the Ministry of Foreign Affairs Masu.
I found that the Certutil command used to retrieve suspicious files is run through a Windows Remote Management remote shell plugin (winrshost.exe) from an unknown source system on the connected network.
“The attacker already has valid network credentials and shows that he used them for lateral movements from previously compromised hosts in his environment,” the researchers said. .
The first file to be executed is malware called Passloader, which allows the execution of encrypted shellcode received from an external server. The extracted finaldraft, known as the shellcode, is then injected into the memory of the newly spawned “mspaint.exe” process.
FinalDraft, written in C++, is a fully functional remote management tool with the ability to run additional modules on the fly, and Outlook via the Microsoft Graph API for command and control (C2) purposes Abuse your email service. It is worth noting that exploiting the graph API was previously detected in another backdoor called Siestagraph.
The communication mechanism involves parsing commands stored in the draft folder of the mailbox and writing the results of the execution to a new draft email for each command. FinalDraft Registers 37 Command handlers designed mainly for process injection, file manipulation and network proxy functions.
It is also designed to start a new process with a stolen NTLM hash and run PowerShell commands to avoid calling the “Powershell.exe” binary. Instead, patch some APIs to avoid event tracing in Windows (ETW) and launch PowerPick, a legitimate utility that is part of the Empire post-explosion toolkit.
The ELF binary fact uploaded to Virustotal in Brazil and the US indicates the existence of a Linux variant of FinalDraft that features similar C2 features. The Linux version can be removed from the system by running shell commands via Popen in that part.
“The integrity of the tool and the level of engineering involved suggest that developers are well organized,” the researchers said. “The extended time frame of operations and evidence from our telemetry suggests that it is probably a spy-oriented campaign.”
Source link
