{
  "name": "You've Got Malware: FINALDRAFT Hides in Your Drafts",
  "slug": "youve-got-malware-finaldraft-hides-in-your-drafts",
  "description": "While investigating REF7707, Elastic Security Labs discovered a previously unknown malware family that leverages Outlook as a communication channel via the Microsoft Graph API. This post-exploitation kit includes a loader, a backdoor, and multiple submodules that enable advanced post-exploitation activities.",
  "published": "2025-02-14T14:42:42+00:00",
  "created_at": "2025-02-14T14:42:42+00:00",
  "modified_at": "2025-02-14T14:46:41+00:00",
  "created_at_opencti": "2025-02-14T14:42:42+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-02-14",
    "elf",
    "elf variant",
    "finaldraft",
    "linux",
    "lsass",
    "microsoft graph",
    "mimikatz",
    "ntlm hash",
    "outlook",
    "pathloader",
    "pe",
    "powershell",
    "ref7707",
    "shell",
    "updatetask"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "https://poster.checkponit.com:443/nzoMeFYgvjyXK3P;https://support.fortineat.com:443/nzoMeFYgvjyXK3P;*|*"
      },
      {
        "id": "",
        "name": "http://poster.checkponit.com/nzoMeFYgvjyXK3P"
      },
      {
        "id": "",
        "name": "update.hobiter.com"
      },
      {
        "id": "",
        "name": "support.vmphere.com"
      },
      {
        "id": "",
        "name": "support.fortineat.com"
      },
      {
        "id": "",
        "name": "poster.checkponit.com"
      },
      {
        "id": "",
        "name": "9a11d6fcf76583f7f70ff55297fb550fed774b61f35ee2edd95cf6f959853bcf"
      },
      {
        "id": "",
        "name": "83406905710e52f6af35b4b3c27549a12c28a628c492429d3a411fdb2d28cc8c"
      },
      {
        "id": "",
        "name": "39e85de1b1121dc38a33eca97c41dbd9210124162c6d669d28480c833e059530"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:2857f821314747e9",
        "name": "FINALDRAFT",
        "slug": "finaldraft"
      }
    ],
    "attack_patterns": [
      {
        "id": "7ee85a68-f3ed-49bd-a5de-27b219e43609",
        "name": "T1080"
      },
      {
        "id": "c9de6d3f-08cf-448d-8b9f-9aeff59fc48f",
        "name": "T1550"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "88fa397b-4cc9-42c0-b52d-4108f9630529",
        "name": "T1095"
      },
      {
        "id": "7d03ac30-b4e0-4ef9-bb23-80667e2c8123",
        "name": "T1127"
      },
      {
        "id": "53b3b18c-d0d0-4bf6-bc6b-2c0ab9180deb",
        "name": "T1070"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "14da8ebf-e0b0-4d4e-9c83-56277980f266",
        "name": "T1134"
      },
      {
        "id": "ccb28547-a340-4193-a5d9-69222f3d5051",
        "name": "T1049"
      },
      {
        "id": "fcd96dc0-500e-4354-bd97-5c65718a9004",
        "name": "T1562"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ]
  },
  "external_refs": [
    "https://www.elastic.co/security-labs/finaldraft",
    "https://otx.alienvault.com/pulse/67af647321feb1b029f898de"
  ]
}