FINALDRAFT Malware

FINALDRAFT is a sophisticated malware written in C++, designed to exfiltrate data and inject malicious code into processes. This advanced malware is often delivered through another malicious program known as PATHLOADER, which serves as its dropper. Once executed, FINALDRAFT communicates with a command-and-control (C2) server using Microsoft Graph API through Outlook, allowing attackers to remotely control the infected system.

FINALDRAFT is equipped with over 30 command handlers, enabling attackers to execute malicious tasks such as process injection, file manipulation, network proxying, and system monitoring. Additionally, it can maintain persistence on an infected system by storing a key in the Windows registry, ensuring that it remains active even after a system reboot.

Interestingly, there is also an ELF version of FINALDRAFT for Linux, which operates differently from the Windows variant, using different communication protocols and fewer features.

---

FINALDRAFT Malware: Threat Summary Table

Attribute	Details
Threat Name	FINALDRAFT Malware
Threat Type	Malware, Data Exfiltration, Process Injection
Detection Names	Avast (Win64:AutoHotLoader-A [Drp]), Combo Cleaner (Generic.ShellCode.RDI.Marte.10.793299A0), Emsisoft (Generic.ShellCode.RDI.Marte.10.793299A0 (B)), Kaspersky (HEUR:Trojan.Multi.Shellcode.gen), Symantec (Trojan Horse), and more on VirusTotal
Symptoms of Infection	No obvious signs (stealthy Trojan), possible high CPU/network usage, suspicious Outlook activity, unauthorized process injections
Damage	Stolen credentials, banking information theft, identity theft, botnet enlistment, process injection attacks, file manipulation, persistence via registry keys
Distribution Methods	Infected email attachments, malicious advertisements, social engineering, software ‘cracks’
Danger Level	Severe – Allows attackers full control over the infected system

---

How FINALDRAFT Malware Works

Once installed, FINALDRAFT performs the following malicious activities:

• System Information Gathering: The malware collects details such as computer name, username, IP addresses, and running processes, then sends this data to the attacker's command-and-control server.
• Process Injection: FINALDRAFT can inject malicious code into legitimate Windows processes or launch new hidden processes to run its payload stealthily.
• File Manipulation:
  • Downloading/uploading files from the infected system.
  • Moving and securely deleting files (overwrites deleted files with zeros to prevent recovery).
  • Cluster-level data copying for bypassing file access restrictions.
• Network Proxying: The malware can act as a proxy, rerouting malicious network traffic through the infected system.
• PowerShell Execution Bypass: A special module allows FINALDRAFT to execute PowerShell commands undetected, bypassing security restrictions.
• Pass-the-Hash Attacks: Attackers can use stolen credentials to run commands with elevated privileges on the infected machine.
• Persistence Mechanisms:
  • Stores a key in the Windows registry to ensure it stays active after reboots.
  • Can download additional modules for extended functionality.

---

How to Remove FINALDRAFT Malware from Your System

Removing FINALDRAFT manually can be challenging due to its stealth techniques and registry persistence. The best approach is to use a professional anti-malware tool like SpyHunter. Follow the steps below for complete removal.

Step 1: Reboot into Safe Mode with Networking

1. Restart your computer and press F8 (on older systems) or Shift + Restart (on Windows 10/11).
2. Select Safe Mode with Networking to prevent malware from running in full capacity.

Step 2: Use SpyHunter to Scan and Remove FINALDRAFT

1. Download SpyHunter.
2. Install and launch SpyHunter.
3. Click on "Start Scan Now" and allow it to detect FINALDRAFT and related malware.
4. Once the scan is complete, click "Fix Threats" to remove all malicious files.

Step 3: Manually Remove FINALDRAFT’s Registry Entries (Advanced Users)

Warning: Editing the Windows registry can be risky. Proceed with caution.

1. Press Win + R, type regedit, and press Enter.
2. Navigate to:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

3. Look for suspicious entries linked to FINALDRAFT.
4. Right-click and delete them.
5. Also, check:

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

6. Delete any entries related to FINALDRAFT.

Step 4: Delete Malicious Files and Folders

1. Press Win + E to open File Explorer.
2. Go to:

   C:\ProgramData\
   C:\Users\<Your Username>\AppData\Local\
   C:\Users\<Your Username>\AppData\Roaming\

3. Look for suspicious folders/files and delete them.

Step 5: Reset Web Browsers

FINALDRAFT may affect browsers to steal credentials.

1. Open Google Chrome → Click the three dots → Settings.
2. Scroll to Reset settings → Restore settings to their original defaults.
3. Repeat this for Firefox, Edge, and other browsers.

---

How to Prevent FINALDRAFT Malware Infections

To protect your system from future infections, follow these security best practices:

1. Avoid Suspicious Email Attachments
   • Don’t open attachments from unknown senders.
   • Verify email addresses before clicking links.
2. Use a Strong Antivirus Solution: Keep SpyHunter or another real-time anti-malware tool active.
3. Keep Your System and Software Updated: Regularly install Windows and application security patches.
4. Disable Macros in Microsoft Office: Many malware campaigns spread through malicious Word or Excel macros.
5. Use Multi-Factor Authentication (MFA): Adds an extra security layer to your accounts.
6. Regularly Backup Your Files: Use an offline backup drive or a cloud-based service.
7. Enable Windows Defender Firewall: Blocks unauthorized network connections.

---

Final Thoughts

FINALDRAFT is a highly advanced data-stealing and process-injecting malware, capable of allowing attackers full control over an infected system. Since it operates stealthily, traditional antivirus solutions may struggle to detect it. Using a dedicated anti-malware tool like SpyHunter is the best way to remove FINALDRAFT and protect your system from future infections.

Implementing strong cybersecurity practices—such as avoiding phishing emails, keeping software updated, and using multi-factor authentication—can greatly reduce the risk of infection.