New Malware Exploiting Outlook As a Communication Channel via The Microsoft Graph API

A new family of malware has been discovered that leverages Microsoft Outlook as a communication channel via the Microsoft Graph API. This sophisticated malware includes a custom loader and backdoor, known as PATHLOADER and FINALDRAFT, respectively. The malware is part of an espionage-oriented campaign, as suggested by its complexity and the extended time frame of […] The post New Malware Exploiting Outlook As a Communication Channel via The Microsoft Graph API appeared first on Cyber Security News.

Feb 13, 2025 - 11:40

New Malware Exploiting Outlook As a Communication Channel via The Microsoft Graph API

A new family of malware has been discovered that leverages Microsoft Outlook as a communication channel via the Microsoft Graph API.

This sophisticated malware includes a custom loader and backdoor, known as PATHLOADER and FINALDRAFT, respectively.

The malware is part of an espionage-oriented campaign, as suggested by its complexity and the extended time frame of its operation.

PATHLOADER: It is a lightweight Windows executable that downloads and executes encrypted shellcode from external infrastructure.

It employs API hashing using the Fowler-Noll-Vo hash function to evade static analysis. The configuration is embedded in the .data section and includes C2 settings.

While the Elastic Labs researchers detected that the PATHLOADER uses string encryption to obfuscate its functionality, making it challenging for analysts to follow its control flow.

// API Hashing Example
uint64_t api_hash = 0;
do {
    api_hash = *data_source++ + 31 * api_hash;
} while (data_source != &data_source[data_source_length]);

PATHLOADER avoids immediate execution in sandbox environments by using GetTickCount64 and Sleep methods. It then attempts to download shellcode through HTTPS GET requests from preconfigured C2 domains.

PATHLOADER & FINALDRAFT execution (Source – Elastic)

FINALDRAFT: It is a 64-bit malware written in C++ that focuses on data exfiltration and process injection.

It uses the Microsoft Graph API to communicate with its command and control (C2) server. The malware obtains a Microsoft Graph API token using a refresh token stored in its configuration.

This token is reused across requests if it remains valid.

// Configuration Structure
struct Configuration {
    char c2_hosts_or_refresh_token[5000];
    char pastebin_url[200];
    char guid[36];
    uint8_t unknown_0[4];
    uint16_t build_id;
    uint32_t sleep_value;
    uint8_t communication_method;
    uint8_t aes_encryption_key[16];
    bool get_external_ip_address;
    uint8_t unknown_1[10]
};

FINALDRAFT creates session email drafts in Outlook to communicate with the C2 server. The content of these emails is Base64 encoded but not AES encrypted. Commands are processed, and responses are written into new draft emails.

Communication Protocol

The communication loop involves creating a session email draft if it doesn’t exist. Command response emails are written as drafts for each processed command. The session data structure includes a session ID and build number.

// Session Data Structure
struct Session {
    char random_bytes[30];
    uint32_t total_size;
    char field_22;
    uint64_t session_id;
    uint64_t build_number;
    char field_33;
};

Communication protocol (Source – Elastic)

Commands are filled by checking the last five C2 command request emails in the mail drafts. After reading the requests, emails are deleted.

FINALDRAFT registers 37 command handlers, focusing on process injection, file manipulation, and network proxy capabilities. Some key commands include:-

GatherComputerInformation: Collects and sends information about the victim machine.
StartTcpServerProxyToC2: Starts a TCP server proxy to the C2 server.
DoProcessInjectionSendOutputEx: Injects into running processes and sends output.

// Collected Information Structure
struct ComputerInformation {
    char field_0;
    uint64_t session_id;
    char field_9[9];
    char username[50];
    char computer_name[50];
    char field_76[16];
    char external_ip_address[20];
    char internal_ip_address[20];
    uint32_t sleep_value;
    char field_B2;
    uint32_t os_major_version;
    uint32_t os_minor_version;
    bool product_type;
    uint32_t os_build_number;
    uint16_t os_service_pack_major;
    char field_C2[85];
    char field_117;
    char current_module_name[50];
    uint32_t current_process_id;
};

The use of the Microsoft Graph API for C2 communications shows the critical need for enhanced security measures to protect against such sophisticated threats.

To protect against sophisticated malware threats like FINALDRAFT, organizations should regularly monitor Microsoft Graph API usage for any suspicious activity and implement stringent access controls, restricting access to Outlook and the API to only necessary personnel.

Deploying advanced endpoint security solutions can help detect and prevent malware execution, while conducting regular security audits ensures potential vulnerabilities are identified and addressed.

These proactive measures significantly enhance an organization’s security posture.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

The post New Malware Exploiting Outlook As a Communication Channel via The Microsoft Graph API appeared first on Cyber Security News.