216.73.217.22

You've Got Malware: FINALDRAFT Hides in Your Drafts

· Published 14/02/2025 15:42 · Modified 14/02/2025 15:46

Export JSON

Essential information

Published
14/02/2025 15:42
Modified
14/02/2025 15:46
Tags
2025-02-14 elf elf variant finaldraft linux lsass microsoft graph mimikatz ntlm hash outlook pathloader pe powershell ref7707 shell updatetask
Related entities
9 observables, 12 techniques (mitre), 1 malware

Description

While investigating , Elastic Security Labs discovered a new family of previously unknown malware that leverages as a communication channel via the API. This post-exploitation kit includes a loader, a backdoor, and multiple submodules that enable advanced post-exploitation activities.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (9)

  • https://poster.checkponit.com:443/nzoMeFYgvjyXK3P;https://support.fortineat.com:443/nzoMeFYgvjyXK3P;*|*
  • http://poster.checkponit.com/nzoMeFYgvjyXK3P
  • update.hobiter.com
  • support.vmphere.com
  • support.fortineat.com
  • poster.checkponit.com
  • 9a11d6fcf76583f7f70ff55297fb550fed774b61f35ee2edd95cf6f959853bcf
  • 83406905710e52f6af35b4b3c27549a12c28a628c492429d3a411fdb2d28cc8c
  • 39e85de1b1121dc38a33eca97c41dbd9210124162c6d669d28480c833e059530

Techniques (MITRE) (12)

  • T1080
    T1080
  • T1550
    Use Alternate Authentication Material
  • T1497
    Virtualization/Sandbox Evasion
  • T1095
    Non-Application Layer Protocol
  • T1127
    Trusted Developer Utilities Proxy Execution
  • T1070
    Indicator Removal
  • T1106
    Native API
  • T1055
    Process Injection
  • T1134
    Access Token Manipulation
  • T1049
    System Network Connections Discovery
  • T1562
    Impair Defenses
  • T1059
    Command and Scripting Interpreter

Malware (1)

  • FinalDraft
    Family
    Published 05/05/2026 14:07 · Modified 05/05/2026 14:07

External references