During a recent investigation (REF7707), Elastic Security Labs discovered new malware targeting a foreign ministry. The malware includes a custom loader and backdoor with many features including using Microsoft’s Graph API for C2 communications.

PATHLOADER

Configuration

API Hashing

String Obfuscation

Execution/Behavior

FINALDRAFT

Entrypoint

Initialization

Configuration loading process

Session ID derivation process

Communication protocol

Commands

Gather computer information

Process injection

Forwarding data from TCP, UDP, and named pipes

File manipulation

Injected Modules

Network enumeration (`ipconfig.x64.dll`)

PowerShell execution (`Psloader.x64.dll`)

Pass-the-Hash toolkit (`pnt.x64.dll`)

FINALDRAFT ELF variant

Additional transport channels

Command Execution

Self Deletion

Older FINALDRAFT PE sample

HTTP transport channel

Shell command 

Tactics

Techniques

Detection

YARA

You've Got Malware: FINALDRAFT Hides in Your Drafts

Elastic Security Labs share details about the SADBRIDGE loader and GOSAR backdoor, malware used in campaigns targeting Chinese-speaking victims.

Introduction

Key takeaways

REF3864 Campaign Overview

SADBRIDGE Introduction

SADBRIDGE Code Analysis

MSI Analysis

x64bridge.dll Side-loading

HealthServiceRuntime.dll

DevQueryBroker.log

Stage 1 Injection (explorer.exe)

Stage 2 Injection (spoolsv.exe/lsass.exe)

DevQueryBrokerService.log

DevQueryBrokerPre.log

GOSAR Injection

GOSAR Introduction

GOSAR Code Analysis Overview

Code structure of GOSAR

New Additions to GOSAR

Communication and information gathering

Services

KeyLogger

ClipboardLogger

TickWriteFile

Networking setup

ConfigFirewallRule

ConfigHosts

ConfigAutoListener

Logs

Plugins

HVNC

Screenshot

Observation

New functionality

Malware and MITRE ATT\&CK

Mitigating REF3864

Prevention

Observations

References

Appendix

AV products checked in GOSAR 

Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite

Elastic Security Labs breaks down bypass implementations from the infostealer ecosystem’s reaction to Chrome 127's Application-Bound Encryption scheme.

Google Chrome Cookie Security

STEALC/VIDAR

METASTEALER

PHEMEDRONE

XENOSTEALER

LUMMA

Cookies access by an unusual process

Chrome Browser Spawned from an Unusual Parent

Untrusted Binaries from Chrome Application folder

Unsigned DLLs loaded from google chrome application folder

Unsigned executable launched from google chrome application folder

Stealer Bypasses and MITRE ATT&CK

Katz and Mouse Game:  MaaS Infostealers Adapt to Patched Chrome Defenses

Author

Jia Yu Chan

Articles

You've Got Malware: FINALDRAFT Hides in Your Drafts

Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite

Katz and Mouse Game: MaaS Infostealers Adapt to Patched Chrome Defenses