A cyber-espionage campaign is currently targeting Windows PCs. Cybercriminals use particularly discreet malware, since it is hidden in Outlook drafts.

Be careful if you use Outlook, Microsoft’s email service! Its users tend to believe they are sheltered behind the company’s sophisticated security layers. But cybercriminals do not lack imagination, and they redouble their creativity to trap their victims.

A particularly discreet piece of malware, at the heart of a cyber-espionage campaign, is currently targeting Outlook. Called FinalDraft and identified by researchers from Elastic Security Labs, it is designed to blend seamlessly into its victims’ digital environment. Its modus operandi? Using Outlook drafts to communicate with its operators, thereby staying off the radar of traditional security systems.

FinalDraft: discreet and ingenious malware

The attack generally begins with infection of the target machine via a malicious program called PathLoader. Once installed, the loader downloads FinalDraft from a remote server. The malware then integrates discreetly and interacts with Outlook without arousing suspicion. Rather than sending data directly over the Internet, which could be detected, FinalDraft uses e-mail drafts as a communication channel. Once the instructions have been executed, the drafts are deleted, leaving almost no trace of the malicious activity. This ingenious technique lets the malware hide within legitimate Microsoft 365 traffic, making its detection particularly difficult.

© Elastic Security Labs

Of course, the main objective of the malware is to steal sensitive data. It mainly targets files stored on the PC, login credentials, and system information. This information includes “the name of the computer, the username of the account, the internal and external IP addresses, as well as details on the execution of the processes”, the report indicates.

To this end, FinalDraft is capable of exfiltrating files, injecting code, redirecting network traffic, and even stealing credentials without decrypting them. In total, the researchers identified 37 different commands that the malware can execute.

FinalDraft: a global cyber-espionage campaign

The first identified targets are ministries in South America. However, the investigation revealed infrastructure linked to this campaign in Southeast Asia, suggesting a worldwide cyber-espionage operation. The attackers even went so far as to register domains imitating the names of well-known cybersecurity vendors, such as “Checkponit.com” or “Fortineat.com”, a typosquatting technique intended to cover their tracks.

Even more worrying, a variant of FinalDraft targeting Linux systems has been discovered, widening the range of potential victims. This version shares many functions with its Windows counterpart.

Faced with this threat, Outlook users must be especially vigilant. It is recommended to actively monitor Outlook drafts in order to spot suspicious behaviour, such as the rapid creation and deletion of messages that were never opened. And, of course, it is better to install a good antivirus whose virus and signature databases are updated several times a day.