Listen to this Post
2025-02-13
In a new discovery, threat hunters have uncovered a sophisticated espionage campaign involving the use of bespoke malware to compromise the Foreign Ministry of an unnamed South American nation. The operation, first detected in November 2024, was linked to a group of attackers known as REF7707. This campaign, which also affected a telecommunications company and a university in Southeast Asia, reveals significant details about how well-funded and highly capable threat actors are able to infiltrate sensitive governmental and private-sector systems.
the Campaign
The campaign, attributed to the REF7707 threat group, was first identified by Elastic Security Labs in late 2024. This attack targeted the Foreign Ministry of a South American country using malware designed to provide remote access to infected systems. The exact method of initial intrusion remains unclear, but investigators found that Microsoft’s certutil application was being used to download additional payloads from a web server. The attackers were likely already inside the network, utilizing valid credentials for lateral movement between compromised systems.
One of the first malicious files deployed was a piece of malware named PATHLOADER, which facilitated the execution of encrypted shellcode from an external server. This shellcode, labeled FINALDRAFT, is a remote administration tool capable of executing further malicious commands on the infected system. FINALDRAFT utilizes a novel command-and-control (C2) method via Microsoft’s Outlook service, using the Graph API to issue commands and exfiltrate data.
Security researchers highlighted that while the malware demonstrated impressive engineering and evasion tactics, the campaign’s execution showed poor management and inconsistent obfuscation methods. The attack also extended to Linux systems, indicating that the group was working on cross-platform exploitation strategies. This has raised concerns about the extended scope of the campaign, which experts believe is likely espionage-oriented due to its stealthy and targeted nature.
What Undercode Say: Analysis of REF7707’s Tactics and Techniques
The REF7707 threat group’s attack on the Foreign Ministry exemplifies a growing trend in cyber espionage where attackers focus on high-value targets—governments, universities, and telecommunication firms—which hold sensitive geopolitical information. The malware used, FINALDRAFT, is a full-featured remote administration tool (RAT) that indicates the attackers were well-prepared and highly organized. The C++-based RAT is not only capable of executing additional modules on infected systems but also boasts unique command-and-control (C2) functionalities leveraging the Microsoft Graph API.
One of the most striking elements of this campaign is the creative use of Microsoft’s Outlook email service for C2 communication. By using the Graph API to communicate through draft emails, the attackers were able to bypass conventional detection methods that typically focus on standard C2 channels. This technique underlines the attackers’ advanced understanding of system architecture and their ability to exploit legitimate software to mask malicious behavior.
Moreover, the ability of FINALDRAFT to execute PowerShell commands while evading event logging (ETW) through API patching shows the attackers’ sophistication. This tactic is often used to maintain a low profile and avoid detection by security systems, demonstrating that the group behind the attack understands the value of persistence and stealth.
The use of PATHLOADER to execute encrypted shellcode via a seemingly innocuous process, such as mspaint.exe, is another indicator of the group’s technical prowess. This technique enables the attackers to move laterally across the network with little to no suspicion, especially when combined with the exploitation of Windows Remote Management (WinRM) and the Remote Shell plugin (WinrsHost.exe). The execution of these commands through compromised network credentials further highlights the group’s advanced access to the internal network, suggesting a multi-phased attack where an initial compromise has been followed by careful movement within the environment.
A key observation in the analysis is the cross-platform nature of the malware. The discovery of a Linux variant of FINALDRAFT reveals that the attackers were not limited to Windows environments, but rather extended their operations across different platforms, possibly to broaden the scope of their espionage campaign. This is particularly concerning for organizations relying on diverse IT ecosystems, as it suggests that attackers are developing more versatile, cross-platform tools to increase their chances of success.
Despite the impressive technical capabilities demonstrated by REF7707, the researchers noted inconsistencies in their operational security. The campaign’s poor management and lack of continuous evasion strategies indicate that while the attackers were capable, their operation could have been more carefully executed. This raises an interesting point about the balance between technical expertise and operational discipline. In cyber espionage, it’s often the smallest operational missteps—such as inconsistent obfuscation or poor lateral movement practices—that can lead to detection and thwart an otherwise successful campaign.
The extended timeline of the operation, coupled with evidence of meticulous data exfiltration, points toward the likelihood of espionage motives rather than financial gain. The persistence of these attackers, along with their use of customized malware and careful targeting of critical infrastructures, suggests that the REF7707 group is likely state-sponsored or has substantial backing to sustain such long-term and resource-intensive campaigns.
In conclusion, the REF7707 campaign serves as a stark reminder of the increasingly sophisticated tactics used by cybercriminals, state-sponsored hackers, and espionage groups. The advanced techniques employed—ranging from customized malware to exploiting legitimate services for C2—underscore the growing need for robust cybersecurity measures. As cyber threats continue to evolve, organizations must prioritize proactive threat hunting and defense mechanisms to stay one step ahead of these highly capable attackers.
References:
Reported By: https://thehackernews.com/2025/02/finaldraft-malware-exploits-microsoft.html
https://www.digitaltrends.com
Wikipedia: https://www.wikipedia.org
Undercode AI: https://ai.undercodetesting.com
Image Source:
OpenAI: https://craiyon.com
Undercode AI DI v2: https://ai.undercode.help




