Cybersecurity researchers have uncovered a sophisticated and dangerous malware known as FINALDRAFT. Written in C++, FINALDRAFT is specifically designed for data exfiltration, process injection, and system manipulation. The malware is typically delivered through another malicious program called PATHLOADER. Once executed, FINALDRAFT establishes a connection with a command-and-control (C2) server via the Microsoft Graph API using Outlook. Infected systems can be controlled remotely, with attackers able to execute a wide variety of malicious operations.
Threat Summary: FINALDRAFT Malware
To better understand FINALDRAFT, here’s a summary of its key characteristics:
| Attribute | Details |
|---|---|
| Name | FINALDRAFT |
| Threat Type | Malware (Data Exfiltration, Process Injection) |
| Detection Names | Avast (Win64:AutoHotLoader-A [Drp]), Combo Cleaner (Generic.ShellCode.RDI.Marte.10.793299A0), Emsisoft (Generic.ShellCode.RDI.Marte.10.793299A0 (B)), Kaspersky (HEUR:Trojan.Multi.Shellcode.gen), Symantec (Trojan Horse) |
| Symptoms | No visible symptoms; operates stealthily |
| Distribution Methods | Infected email attachments, malicious ads, social engineering, software cracks |
| Damage | Stolen passwords, identity theft, unauthorized access, botnet enlistment |
| Danger Level | High |
Download SpyHunter Now & Scan Your Computer For Free!
Remove this and any other malicious threats to your system by scanning your computer with SpyHunter now! It’s FREE!
Understanding FINALDRAFT Malware
FINALDRAFT is a highly advanced piece of malware that uses various sophisticated techniques to infiltrate and compromise systems. Let’s break down its core functionalities:
Data Exfiltration
The primary function of FINALDRAFT is data exfiltration. Once installed, it collects sensitive information, including:
- Computer name
- Username
- IP addresses
- Running process details
- Passwords and banking credentials
Process Injection
FINALDRAFT uses process injection to execute malicious code in legitimate processes. This allows it to remain hidden from security software and perform various operations without detection.
Command-and-Control Communication
FINALDRAFT communicates with a C2 server using the Microsoft Graph API through Outlook. It maintains communication by storing a registry key that helps it interact with the C2 server covertly.
File Manipulation
The malware can manipulate files by:
- Copying files using standard and low-level disk cluster copying methods
- Deleting files securely by overwriting data with zeros to prevent recovery
Network Enumeration
FINALDRAFT includes a network enumeration module that gathers information about network infrastructure and transmits it through a password-protected communication channel.
Stealthy PowerShell Execution
By bypassing standard security mechanisms, FINALDRAFT can execute PowerShell commands in the background, often without triggering alerts.
Pass-the-Hash Attacks
FINALDRAFT employs a Pass-the-Hash technique to reuse stolen credentials, allowing attackers to execute processes with higher privileges.
Cross-Platform Capability
An ELF version of FINALDRAFT exists for Linux systems. While this variant has fewer features than the Windows version, it still poses a significant threat.
How FINALDRAFT Infects Devices
The most common methods used to distribute FINALDRAFT include:
- Phishing Emails: Infected attachments or malicious links in seemingly legitimate emails.
- Malicious Advertisements (Malvertising): Online ads that, when clicked, initiate malware downloads.
- Social Engineering: Manipulating victims into downloading malicious files.
- Software Cracks and Pirated Software: Malware is often bundled with cracked or pirated software.
The Impact of a FINALDRAFT Infection
FINALDRAFT poses several risks to infected systems, including:
- Data Theft: Sensitive data, including credentials and banking information, is stolen.
- Identity Theft: Stolen information may be used for identity fraud.
- Unauthorized Access: Attackers gain full control over compromised systems.
- Botnet Recruitment: Infected machines can become part of a botnet, used for large-scale cyberattacks.
How to Remove FINALDRAFT Malware
Step 1: Reboot in Safe Mode
- Restart your computer.
- Press F8 (or Shift + F8) repeatedly before Windows boots.
- Select Safe Mode with Networking.
Step 2: Terminate Suspicious Processes
- Press Ctrl + Shift + Esc to open Task Manager.
- Look for unusual processes (e.g., unknown names or high resource usage).
- Right-click the process and select End Task.
Step 3: Delete Malicious Files
- Open File Explorer.
- Navigate to C:\Windows\Temp and C:\Users[Your Username]\AppData\Local\Temp.
- Delete suspicious files.
Step 4: Remove Registry Entries
- Press Windows + R, type regedit, and press Enter.
- Navigate to:
HKEY_LOCAL_MACHINE\SoftwareHKEY_CURRENT_USER\Software
- Remove any suspicious entries related to FINALDRAFT.
Step 5: Run SpyHunter Scan
- Download SpyHunter.
- Install and launch the application.
- Run a full system scan.
- Once the scan completes, click Fix Threats to remove FINALDRAFT.
Preventing FINALDRAFT and Similar Malware
- Be Cautious with Emails: Avoid clicking on links or downloading attachments from unknown senders.
- Regular Software Updates: Keep your operating system and software updated to patch security vulnerabilities.
- Use Reliable Security Software: Invest in a reputable antivirus solution like SpyHunter.
- Avoid Pirated Software: Download software only from trusted sources.
- Practice Safe Browsing: Use ad-blockers to minimize exposure to malicious advertisements.
Conclusion
FINALDRAFT malware represents a significant threat to both individuals and organizations due to its advanced capabilities in data exfiltration and system control. By understanding its functionality, recognizing its potential damage, and following our detailed removal guide with SpyHunter, users can effectively protect their systems. Proactive security practices are essential in mitigating the risks posed by sophisticated threats like FINALDRAFT.
Free Scan Available