FINALDRAFT
FINALDRAFT is a modular remote administration backdoor/implant associated with the REF7707 threat cluster, also tracked as Jewelbug, Ink Dragon, CL-STA-0049, and Earth Alux. It has been described as a full-featured espionage-oriented tool used against government and telecommunications targets in South America, Southeast Asia, Europe, Asia, and Africa, and is capable of infecting both Windows and Linux systems.
The malware was reported as a 64-bit C++ implant focused on data exfiltration and process injection, with support for add-on or injected modules that extend functionality. Reported capabilities include file manipulation, host discovery, internal traffic proxying, covert network tunneling, PowerShell execution, process injection, and command execution. FINALDRAFT implements a large command set and can inject into existing or newly created hidden processes, with observed defaults including mspaint.exe and conhost.exe. Associated modules identified in reporting include components for network enumeration, in-memory PowerShell execution with AMSI/ETW bypass, and a Pass-the-Hash toolkit inspired by Mimikatz.
A defining feature of contemporary FINALDRAFT variants is command-and-control via Microsoft cloud services. Multiple reports state that FINALDRAFT abuses the Microsoft Graph API and Outlook draft messages for C2, so its traffic blends with legitimate Office 365 and Microsoft cloud activity. Reported behavior includes obtaining OAuth access tokens from Microsoft using a refresh token stored in the implant's configuration, storing refreshed tokens in the Windows Registry, creating a session draft email, polling the mailbox for command drafts, deleting each command draft after execution, and posting responses back as new drafts. Newer variants were also reported to hide command traffic inside mailbox drafts, intercept OAuth tokens, check in only during business hours to reduce suspicion, and transfer large files more efficiently with minimal noise. A Linux ELF variant was also identified with broader transport options, including HTTP/HTTPS, reverse UDP, ICMP, bind and reverse TCP, DNS, and Outlook via the REST/Graph API. The practical consequence for defenders is that the C2 endpoints are Microsoft's own and cannot be blocked without breaking legitimate Microsoft 365 use; detection has to come from mailbox and sign-in telemetry (draft create/delete churn, token refreshes from unexpected clients or hosts) and from host-side anomalies such as the injection targets described above, and the business-hours check-in means time-of-day heuristics alone will not flag it.
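The draft-mailbox C2 loop described above leaves a distinctive footprint in mailbox auditing: a non-Outlook client creates a draft, the draft is read and then deleted seconds later, and the cycle repeats at polling frequency. The script below is an added example (not code from any FINALDRAFT report or from the Mallory platform) that runs that hunt over constructed audit records. The records are simplified and the field names (Operation, ItemId, ParentFolder, ClientInfoString) only follow the general shape of Exchange Online mailbox audit events; the window, lifetime and cycle-count thresholds are assumptions to tune per tenant.

```python
"""Hunt for Outlook-draft C2 cycles in exported Microsoft 365 mailbox audit records.

Added example, not code from any FINALDRAFT report. The audit records are constructed
and simplified: field names follow the shape of Exchange Online mailbox auditing
(Operation, ItemId, ParentFolder, ClientInfoString) but are not a verbatim export,
and the thresholds are assumptions to tune per tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%dT%H:%M:%S"
DELETE_OPS = {"SoftDelete", "HardDelete", "MoveToDeletedItems"}


def _record(when, user, op, item_id, client):
    return {"CreationTime": when.strftime(TIME_FMT), "UserId": user, "Operation": op,
            "ItemId": item_id, "ParentFolder": "Drafts", "ClientInfoString": client}


def build_sample_log():
    """Constructed records: one normal OWA user, one mailbox driven by a REST client."""
    base = datetime(2025, 1, 14, 9, 0, 0)   # business hours, so time-of-day does not help
    records = []
    # Benign: drafts written in OWA that live for tens of minutes before deletion.
    for i in range(4):
        t = base + timedelta(hours=i)
        records.append(_record(t, "alice@corp.example", "Create", f"a-{i}", "Client=OWA;Action=ViaProxy"))
        records.append(_record(t + timedelta(minutes=35), "alice@corp.example", "SoftDelete", f"a-{i}", "Client=OWA;Action=ViaProxy"))
    # Suspicious: a non-Outlook REST client creates a draft and deletes it seconds later, every minute.
    for i in range(20):
        t = base + timedelta(minutes=i)
        records.append(_record(t, "bob@corp.example", "Create", f"b-{i}", "Client=REST;UserAgent=python-requests/2.31"))
        records.append(_record(t + timedelta(seconds=20), "bob@corp.example", "HardDelete", f"b-{i}", "Client=REST;UserAgent=python-requests/2.31"))
    records.sort(key=lambda r: r["CreationTime"])
    return records


def detect_draft_c2(records, window=timedelta(minutes=60), max_lifetime=timedelta(minutes=5), min_cycles=5):
    """Flag (mailbox, client) pairs with many short-lived drafts inside one window.

    A 'cycle' is a draft created and then deleted within max_lifetime, matching the
    create-command-draft / read / delete-after-execution pattern reported for
    FINALDRAFT. Thresholds are assumptions.
    """
    by_actor = defaultdict(list)
    for r in records:
        if r.get("ParentFolder") == "Drafts":
            by_actor[(r["UserId"], r["ClientInfoString"])].append(r)

    alerts = []
    for (user, client), events in by_actor.items():
        events.sort(key=lambda r: r["CreationTime"])   # fixed-width ISO strings sort chronologically
        created_at, cycle_times = {}, []
        for r in events:
            t = datetime.strptime(r["CreationTime"], TIME_FMT)
            if r["Operation"] == "Create":
                created_at[r["ItemId"]] = t
            elif r["Operation"] in DELETE_OPS and r["ItemId"] in created_at:
                if t - created_at.pop(r["ItemId"]) <= max_lifetime:
                    cycle_times.append(t)
        # Sliding window: the most short-lived drafts seen within any `window`.
        start, peak = 0, 0
        for end, t in enumerate(cycle_times):
            while t - cycle_times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_cycles:
            alerts.append({"user": user, "client": client, "cycles_in_window": peak,
                           "outlook_client": client.startswith(("Client=OWA", "Client=Outlook"))})
    return alerts


if __name__ == "__main__":
    for alert in detect_draft_c2(build_sample_log()):
        print(alert)
```

Keying on the create-then-delete lifetime rather than on the client string alone matters: a legitimate mailbox also produces drafts, and a future variant can change its user agent, but the short-lived-draft churn is the protocol itself. Correlate hits with sign-in logs for the same mailbox (refresh-token grants from an unexpected host or application) before escalating.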
FINALDRAFT has been observed delivered by loader malware, including PATHLOADER, which downloads AES-encrypted, Base64-encoded shellcode from attacker infrastructure and executes it in memory, and in some intrusions via a renamed, Microsoft-signed CDB.exe (the Windows debugger) used to load shellcode from a weaponized INI file and inject it into mspaint.exe. Persistence observed alongside FINALDRAFT included a scheduled task named \Microsoft\Windows\AppID\EPolicyManager running every minute as SYSTEM; the task sits in the legitimate \Microsoft\Windows\AppID task folder so that it reads as a built-in policy task. Related infrastructure and observables mentioned in reporting include graph.microsoft[.]com and login.microsoftonline[.]com (legitimate Microsoft endpoints that appear in the traffic but are not blockable indicators), together with the attacker-controlled domains support.vmphere[.]com, update.hobiter[.]com, poster.checkponit[.]com, support.fortineat[.]com, ictnsc[.]com, hobiter[.]com, vmphere[.]com, fortineat[.]com, and checkponit[.]com; several of these are near-misses of security and virtualization vendor names (vSphere, Check Point, Fortinet), so a close-match check against vendor brands is a useful hunting lens. Reported sample hashes associated with FINALDRAFT activity include 6d79dfb00da88bb20770ffad636c884bad515def4f8e97e9a9d61473297617e3 (SHA-256) for an in-memory FINALDRAFT shellcode sample.
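The persistence detail above (a task under \Microsoft\Windows\AppID running every minute as SYSTEM) is worth hunting on structure, not just on the reported name, since the name is trivially changed. The script below is an added example (not code from any FINALDRAFT report or from Mallory) that parses the TaskContent XML carried in Windows Security event 4698 (scheduled task created) and flags tasks that run as SYSTEM on a repetition interval of five minutes or less, alongside a match on the reported task name. The 4698-style event samples, the Exec command paths and the five-minute cutoff are constructed or assumed; the task XML namespace and the SYSTEM SID are real Windows values.

```python
"""Triage scheduled-task creation events for the FINALDRAFT persistence pattern.

Added example, not code from any FINALDRAFT report. It parses the TaskContent XML
that Windows writes into Security event 4698 (task created) and flags tasks that run
as SYSTEM on a short repetition interval, plus the task name reported alongside
FINALDRAFT. The event samples, the command paths and the 5-minute cutoff are
constructed or assumed.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SYSTEM_SID = "S-1-5-18"
REPORTED_TASK_NAMES = {r"\Microsoft\Windows\AppID\EPolicyManager"}   # from public reporting
FAST_INTERVAL_SECONDS = 5 * 60                                      # assumed cutoff

# Constructed 4698-style records. TaskContent keeps the UTF-16 declaration that the real
# event carries; the Exec commands are placeholders, not observed paths.
SAMPLE_EVENTS = [
    {"TaskName": r"\Microsoft\Windows\AppID\EPolicyManager", "TaskContent": """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <StartBoundary>2025-01-14T09:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Users\\Public\\placeholder.exe</Command></Exec></Actions>
</Task>"""},
    {"TaskName": r"\Corp\NightlyBackup", "TaskContent": """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-14T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Tools\\backup.exe</Command></Exec></Actions>
</Task>"""},
]

_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")


def interval_seconds(iso_duration):
    """Convert a Task Scheduler ISO 8601 duration such as PT1M to seconds (None if absent)."""
    m = _DURATION.match(iso_duration or "")
    if not m:
        return None
    h, mi, s = (int(g) if g else 0 for g in m.groups())
    return h * 3600 + mi * 60 + s


def analyze_task(task_name, task_content):
    """Return the task's principal, repetition interval, command and a list of finding labels."""
    # Drop the XML declaration so the already-decoded str parses regardless of the declared encoding.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_content)
    root = ET.fromstring(xml_text)
    user = root.findtext(f".//{TASK_NS}Principals/{TASK_NS}Principal/{TASK_NS}UserId")
    interval_el = root.find(f".//{TASK_NS}Repetition/{TASK_NS}Interval")
    interval = interval_seconds(interval_el.text if interval_el is not None else None)
    command = root.findtext(f".//{TASK_NS}Exec/{TASK_NS}Command")

    findings = []
    if task_name in REPORTED_TASK_NAMES:
        findings.append("reported_finaldraft_task_name")
    if user == SYSTEM_SID and interval is not None and interval <= FAST_INTERVAL_SECONDS:
        findings.append("system_task_high_frequency_repetition")
    return {"task": task_name, "run_as": user, "interval_seconds": interval,
            "command": command, "findings": findings}


def triage(events):
    """Analyze every 4698-style event and return only those with findings."""
    return [r for r in (analyze_task(e["TaskName"], e["TaskContent"]) for e in events) if r["findings"]]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The structural rule (SYSTEM plus a one-minute repetition) is the durable part of this detection; the name match is a convenience for the specific campaign. Expect legitimate high-frequency SYSTEM tasks from some management agents, so review the Exec command and its signer before alerting on the structural rule alone.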
FINALDRAFT is also referred to as Squidoor in some reporting, and multiple sources describe code and behavioral overlap between FINALDRAFT and NANOREMOTE, suggesting a shared development lineage or a common author.
Groups observed using it
1 distinct threat actor attributed by public researchers.
The intrusion set utilized by REF7707 includes novel malware families we refer to as FINALDRAFT, GUIDLOADER, and PATHLOADER.
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution: 1 technique
Persistence: 1 technique
Privilege Escalation: 2 techniques
Stealth (Defense Evasion in ATT&CK terms): 4 techniques
Then fontdrvhost.exe spawned mspaint.exe and injected shellcode into it.
Both PATHLOADER and GUIDLOADER are used to download and execute encrypted shellcodes in memory.
Command and Control: 6 techniques
the most notable are the means we observed in our victim environment, abuse of Microsoft’s Graph API.
Once the initial execution and check-in have been completed, all further communication proceeds through legitimate Microsoft infrastructure (graph.microsoft[.]com).
It also supports relay functionality that enables it to proxy traffic for other infected systems.
FINALDRAFT uses legitimate services such as MS Graph to act as command-and-control servers (C2s)... NetDraft relies on the MS Graph API to communicate with its OneDrive based C2... CloudSorcerer v3 will contact GitHub to obtain C2 information... or read a GameSpot profile
IOCs tracked for this family
25 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: IPs, domains, and DNS infrastructure linked to this family; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting.
Recent activity
21 sources tracked across advisories, community write-ups, and news.
Implant/backdoor that uses Microsoft Graph API for C2; referenced as similar to NANOREMOTE.
Bespoke malware providing remote access; uses Microsoft Graph API for C2/operations; used for espionage against a South American foreign ministry and other entities.
Backdoor used for data exfiltration and lateral movement in victim environments.
Malware used in targeted attacks against government and telecom entities; specific functionality is not detailed in that source.