A new and sophisticated malware family has recently been uncovered, leveraging Microsoft Outlook as its communication channel through the Microsoft Graph API. This discovery highlights a growing trend in which threat actors employ legitimate platforms to hide their malicious activities, making detection and analysis increasingly challenging. In this post, we explore the intricacies of this malware family, examine its two main components—PATHLOADER and FINALDRAFT—and discuss the broader implications for cybersecurity.
Overview of the Malware Components
The malware comprises two distinct components, each fulfilling a critical role in its espionage-oriented campaign. PATHLOADER acts as a custom loader responsible for downloading and executing encrypted shellcode from external infrastructure, while FINAL DRAFT serves as the backdoor, facilitating data exfiltration and process injection. These components create a multi-layered threat that employs advanced obfuscation and evasion techniques to remain undetected.
PATHLOADER: The Custom Loader
PATHLOADER is a lightweight Windows executable designed to download and execute encrypted shellcode. Despite its small size, it packs a sophisticated array of features designed to bypass modern security defenses.
Technical Functionality
One of the notable features of PATHLOADER is its use of API hashing via the Fowler-Noll-Vo (FNV) hash function. This technique is used to evade static analysis by obscuring API function calls. The malware embeds its configuration, including command-and-control (C2) settings, within the .data section of the binary. Additionally, PATHLOADER employs string encryption to obfuscate its functionality further, making it more challenging for security researchers to trace its control flow.
Here is an example snippet illustrating the API hashing process:
uint64_t api_hash = 0;
do {
api_hash = *data_source++ + 31 * api_hash;
} while (data_source != &data_source[data_source_length]);This code demonstrates how PATHLOADER iterates through a data source, continuously updating a hash value. By doing so, it hides direct references to critical API functions, thereby complicating static analysis.
Evasion Techniques
PATHLOADER also incorporates measures to avoid execution in sandboxed environments. By leveraging functions like GetTickCount64 and introducing deliberate delays using the Sleep method, the malware ensures that its payload is not immediately executed in a controlled or emulated environment. This delay can thwart many automated sandbox analysis tools, as the malicious behavior might only trigger after an extended period.
Once the initial evasion phase is complete, PATHLOADER downloads shellcode via HTTPS GET requests from a list of preconfigured C2 domains. Once loaded into memory, this encrypted shellcode enables the malware to conduct further malicious activities on the infected system.
FINALDRAFT: The Backdoor Component
The second component, FINALDRAFT, is a 64-bit malware module written in C++ that focuses on data exfiltration and process injection. Unlike traditional backdoors, FINALDRAFT leverages the Microsoft Graph API—a legitimate communication channel—to interact with its C2 server. This clever use of a trusted API enables the malware to blend malicious communications with regular network traffic, significantly complicating detection efforts.
How FINALDRAFT Communicates
FINALDRAFT’s communication mechanism is innovative—it uses Microsoft Outlook’s email drafts as the medium for exchanging commands and responses. The malware generates session email drafts that are not immediately sent but stored in Outlook to maintain a covert communication channel with the C2 server.
FINALDRAFT obtains a Microsoft Graph API token to authenticate its communication using a refresh token embedded in its configuration. If the token remains valid across multiple requests, it is reused, ensuring continuous communication without drawing unwanted attention.
Below is an excerpt of the configuration structure used by FINALDRAFT:
struct Configuration {
char c2_hosts_or_refresh_token[5000];
char pastebin_url[200];
char guid[36];
uint8_t unknown_0[4];
uint16_t build_id;
uint32_t sleep_value;
uint8_t communication_method;
uint8_t aes_encryption_key[16];
bool get_external_ip_address;
uint8_t unknown_1[10];
};This structure illustrates how the malware stores various parameters, including the refresh token, C2 host information, and other critical settings. The embedded AES encryption key, although present, is used in a limited capacity as the content within the email drafts remains Base64 encoded rather than fully encrypted. This detail is essential because it exposes another potential weakness that security analysts might exploit when investigating the malware’s behavior.
Session Management and Command Handling
A sophisticated session mechanism maintains communication between the malware and the C2 server. FINALDRAFT creates a session email draft if one does not already exist, ensuring a continuous communication loop. Command responses are written into new draft emails for each processed command, and after the commands are executed, the corresponding email drafts are deleted to minimize the chance of detection.
A simplified version of the session data structure is provided below:
struct Session {
char random_bytes[30];
uint32_t total_size;
char field_22;
uint64_t session_id;
uint64_t build_number;
char field_33;
};This session structure tracks the ongoing communication between the malware and the C2 server. It includes elements such as a unique session ID and build number, which are critical for maintaining the integrity and continuity of the malware’s operations.
FINALDRAFT has been programmed to register 37 distinct command handlers, each designed to perform specific tasks such as process injection, file manipulation, and even establishing a network proxy to the C2 server. Some of the key commands include:
- GatherComputerInformation: This function collects vital data about the victim’s machine, including the username, computer name, IP addresses, and operating system details.
- StartTcpServerProxyToC2: Initiates a TCP server proxy that facilitates secure communication with the C2 server.
- DoProcessInjectionSendOutputEx: Injects code into running processes and sends the resulting output back to the attacker.
To give you an idea of the type of data the malware collects, here is an excerpt of the computer information structure:
struct ComputerInformation {
char field_0;
uint64_t session_id;
char field_9[9];
char username[50];
char computer_name[50];
char field_76[16];
char external_ip_address[20];
char internal_ip_address[20];
uint32_t sleep_value;
char field_B2;
uint32_t os_major_version;
uint32_t os_minor_version;
bool product_type;
uint32_t os_build_number;
uint16_t os_service_pack_major;
char field_C2[85];
char field_117;
char current_module_name[50];
uint32_t current_process_id;
};This structure shows the extensive range of information gathered from the victim machine and emphasizes how deeply the malware integrates with system processes to extract critical data.
Communication Protocol via Microsoft Graph API
This malware family’s innovative use of the Microsoft Graph API sets it apart from many other threats. By leveraging a trusted and widely used communication channel—Microsoft Outlook—the malware is able to operate under the radar. This method allows it to seamlessly blend in with normal enterprise email traffic, making it harder for security systems to flag suspicious behavior.
How Email Drafts Are Used for Communication
Instead of sending emails directly, FINALDRAFT uses Outlook’s draft feature to store session information and command responses. This approach is particularly cunning, as it does not immediately alert email monitoring systems that communication is taking place. The malware creates a session email draft if one is absent and then continuously updates the draft with command responses.
Commands are queued by analyzing the most recent five C2 command request emails that appear in the draft folder. Once a command is processed, the associated email is deleted to cover its tracks. This continuous loop of creating, processing, and deleting emails makes the communication channel resilient and difficult to track.
The Role of Session Data
The session data structure is crucial in managing the communication lifecycle between the malware and the C2 server. Each session is uniquely identified by a session ID and is associated with a specific build number. These identifiers help the malware maintain a coherent state even if the session spans multiple emails over an extended period.
The use of session data facilitates orderly command execution and aids in debugging and error handling from the attacker’s perspective. By monitoring the session parameters, an attacker can determine whether the malware is functioning as intended or if adjustments are necessary to maintain control over the compromised system.
Obfuscation and Evasion Techniques
Both PATHLOADER and FINALDRAFT are engineered with a clear focus on stealth and evasion. API hashing, string encryption, and delayed execution are all part of a comprehensive strategy to avoid detection by traditional security tools.
API Hashing to Confuse Analysts
API hashing is a well-known technique used to prevent static analysis tools from easily identifying the functions that the malware is calling. By hashing the API names, PATHLOADER hides direct references to these functions, making it significantly harder for analysts to reverse engineer the malware’s behavior.
String Encryption for Enhanced Obfuscation
In addition to API hashing, PATHLOADER employs string encryption. This means that key strings and identifiers within the binary are not stored in plaintext, adding another layer of complexity to the reverse engineering process. Analysts must first decrypt these strings before understanding the malware’s true functionality.
Delayed Execution and Sandbox Avoidance
To further complicate the analysis, PATHLOADER uses functions like GetTickCount64 and Sleep to avoid immediate execution in sandbox environments. This delay tactic is designed to trick automated analysis systems into believing the malware is benign, as the malicious payload may not activate until much later in the execution cycle. This behavior underscores the need for dynamic analysis tools to monitor long-term behavior in a controlled environment.
Implications for Enterprise Security
The discovery of this malware family underscores the evolving landscape of cyber threats, particularly those that leverage legitimate services like the Microsoft Graph API for malicious purposes. Enterprises must now contend with threats that can hide in plain sight, using trusted platforms to execute commands and exfiltrate data.
Blending with Legitimate Traffic
By using Microsoft Outlook for communication, this malware blends in with the vast volume of legitimate email traffic within an organization. Traditional security measures, which often focus on detecting anomalies in network behavior, may not flag these communications as suspicious. This highlights a critical vulnerability: if attackers can operate under the guise of regular system processes, they can bypass many of the conventional defenses put in place by enterprises.
The Need for Enhanced Monitoring
Organizations are strongly advised to implement rigorous monitoring of Microsoft Graph API usage. Any unusual patterns or spikes in activity could signal an attempted breach. Additionally, monitoring should not be limited to network traffic alone—system-level activity and changes within the Outlook environment should also be scrutinized.
Advanced Endpoint Security Solutions
Given the sophisticated evasion techniques employed by this malware family, deploying advanced endpoint security solutions is paramount. Modern endpoint detection and response (EDR) tools that leverage behavioral analysis can help identify and mitigate threats that traditional signature-based tools might miss. These solutions can analyze behavior patterns, such as unexpected execution delays or anomalous API calls, to flag potential malware activity.
Regular Security Audits and Proactive Measures
To counter advanced threats, organizations must adopt a proactive security approach. Regular audits of system configurations, software updates, and network logs can help identify vulnerabilities before they are exploited. Additionally, ensuring that access controls are strictly enforced—especially for critical services like Microsoft Outlook and the Graph API—is essential for minimizing the attack surface.
Recommendations for Organizations
In light of the sophisticated nature of this malware, several best practices can help organizations bolster their defenses and minimize the risk of compromise.
Monitor Microsoft Graph API Usage
Since the malware leverages the Microsoft Graph API for covert communications, it is essential to monitor API usage closely. Administrators should set up alerts for abnormal patterns, such as unexpected API calls or deviations from typical behavior. Implementing logging and auditing of API interactions can provide valuable insights into potential breaches.
Implement Stringent Access Controls
Restricting access to both Microsoft Outlook and the Graph API is critical. Only authorized personnel should have access to these platforms, and multi-factor authentication (MFA) should be enforced wherever possible. By limiting access, organizations reduce the risk of credential compromise and unauthorized use of these services.
Deploy Advanced Endpoint Security
Modern malware often employs techniques that bypass traditional antivirus solutions. Therefore, it is highly recommended that advanced endpoint security solutions incorporate behavioral analytics and machine learning. These tools can detect subtle indicators of compromise that may be overlooked by conventional methods, offering an additional layer of protection.
Conduct Regular Security Audits
Regular security audits are vital for identifying and addressing potential vulnerabilities. Organizations should schedule periodic assessments of their network, endpoints, and cloud services. These audits help discover weaknesses and ensure that security policies are up-to-date and effective against current threats.
Stay Informed About Emerging Threats
The cybersecurity landscape constantly evolves, and staying informed about emerging threats is crucial. Organizations should subscribe to threat intelligence feeds, participate in security forums, and maintain open lines of communication with cybersecurity experts. Security teams can better prepare for and respond to new attack vectors by keeping abreast of the latest developments.
Conclusion
The discovery of this new malware family, which exploits Microsoft Outlook via the Microsoft Graph API, serves as a stark reminder of the evolving tactics employed by cybercriminals. By utilizing legitimate communication channels and sophisticated evasion techniques, attackers are making it increasingly difficult for traditional security measures to detect and mitigate malicious activity.
From PATHLOADER’s stealthy loader mechanisms—including API hashing, string encryption, and sandbox evasion—to FINALDRAFT’s innovative use of Outlook drafts for covert C2 communications, every aspect of this malware is designed to blend in and avoid detection. The implications for enterprise security are significant, as even organizations with robust defenses may find themselves vulnerable if they do not account for these advanced threat techniques.
Organizations must adapt by enhancing their monitoring capabilities, enforcing strict access controls, and deploying advanced endpoint security solutions. Regular security audits and staying informed about emerging threats are critical components of a proactive defense strategy.
In a landscape where attackers increasingly exploit trusted platforms like Microsoft Outlook, it is more important than ever to be vigilant, informed, and proactive. By understanding the intricacies of threats like this new malware family, security teams can better prepare to defend against them, ensuring their systems and data remain secure in an ever-changing digital environment.
Integrating legitimate services for malicious purposes will likely become a common tactic as we move forward. Organizations must continually evolve their security practices, ensuring that technology and processes are in place to detect, analyze, and respond to these sophisticated threats. Through advanced security tools, rigorous monitoring, and proactive management, enterprises can significantly enhance their security posture and protect against the ever-growing threat landscape.
By taking these measures and fostering a culture of security awareness, organizations can stay one step ahead of threat actors who are determined to exploit even the most trusted and familiar platforms. The battle against malware is ongoing, and a multifaceted, informed approach is essential for success.
