BadOutlook for C2

March 18, 2021

BadOutlook is a command and control (C2) technique that leverages Microsoft Outlook’s COM interface for communication.

There are a handful of ways to detect malware, including antivirus (AV), endpoint detection and response (EDR) and network analysis. As a result, researchers spend a lot of time looking for ways to evade AV and EDR detection, from unhooking to the use of more exotic API calls. This is in addition to research into new ways of defeating network detection techniques and finding evasive communication channels.

With respect to network evasion, much public research explores the use of websites, custom protocols and so on. What is the constant in these situations? Implants (i.e. your malicious code) either open a port on the target system or make outbound connections to the command and control servers. One technique rarely explored is C2 without direct network communication. The challenge then becomes how to send commands to the implant without communicating with it directly.

Concept

According to Microsoft, the Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM is the foundation technology for Microsoft's Object Linking & Embedding (OLE) and ActiveX (Internet-enabled components) technologies. In other words, COM is simply a way for two programs to talk to each other. Have you ever embedded an Excel spreadsheet inside a Word document? That is a common scenario COM was designed to support. Numerous Microsoft products expose COM interfaces that allow other applications to interact with them. This includes Word, Excel and the subject of this blog, Outlook.
Outlook has a COM interface which, according to the documentation, “Represents the entire Outlook application.” The Outlook COM interface allows programs to do anything from checking mailboxes and calendars to sending emails. Put simply, anything an end user can do in the main graphical user interface (GUI) can also be executed through the COM interface. This post explores how I built an implant that monitors the Outlook client for C2 instructions without requiring external (e.g. Internet) communication to operate.

Proof of Concept

BadOutlook leverages the COM interface to poll the specified Outlook folder at a predetermined interval. In this example, we poll the Inbox folder every 10 seconds looking for the subject line “testtesttest2.” Once BadOutlook identifies the trigger subject line, it reads the email body, which contains base64-encoded shellcode, and executes it. This proof of concept is not in itself intended to be fully evasive; rather, it is a new method that can be utilized in your malware development. Additionally, Matthew Eidelberg’s research can be used to execute this technique evasively. Below you can find screenshots of the tool in action:

Figure 1: Polling the Outlook Client for the Trigger Subject Line

Figure 2: Email Containing the Trigger Subject Line and Base64 Encoded Shellcode

Figure 3: Trigger Email in Inbox Awaiting Execution

Figure 4: Trigger Email and Shellcode Executed Resulting in an Interactive Command Prompt

Given the functionality available in Office products, it is possible for adversaries to leverage Outlook's COM interface in attacks for extended persistence. As the implant does not require traditional outbound communication for its instructions (e.g. POST calls), blue teams may struggle with network-based detections. Outlook does produce an alert when outside programs attempt to leverage the COM interface and access Outlook.
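The alert mentioned above is Outlook's Programmatic Access warning, which is governed by registry values that Group Policy or a local change can set to suppress it. The following PowerShell audit is an added example, not part of the BadOutlook project, and assumes the ObjectModelGuard and PromptOOM* values under the per-user and policy Outlook Security keys for Office 14.0 through 16.0; it flags any value that silences the warning or auto-approves programmatic access.

```powershell
# Added example (not from the BadOutlook project): audit a host for Outlook registry
# values that suppress the Programmatic Access warning an outside COM client triggers.
# Assumption: the values and meanings below follow Outlook's documented security policy:
#   ObjectModelGuard  0 = warn when AV inactive/out of date, 1 = always warn, 2 = never warn
#   PromptOOM*        0 = prompt the user, 1 = automatically approve, 2 = automatically deny
$versions = '14.0', '15.0', '16.0'
$roots = foreach ($v in $versions) {
    "HKCU:\Software\Policies\Microsoft\Office\$v\Outlook\Security"   # GPO-managed settings
    "HKCU:\Software\Microsoft\Office\$v\Outlook\Security"            # per-user settings
}
$prompts = 'PromptOOMSend', 'PromptOOMAddressBookAccess', 'PromptOOMAddressInformationAccess',
           'PromptOOMMeetingTaskRequestResponse', 'PromptOOMSaveAs', 'PromptOOMFormulaAccess'

$findings = foreach ($key in $roots) {
    if (-not (Test-Path $key)) { continue }          # key absent: defaults (warn/prompt) apply
    $props = Get-ItemProperty -Path $key
    if ($props.PSObject.Properties['ObjectModelGuard'] -and $props.ObjectModelGuard -eq 2) {
        [pscustomobject]@{ Key = $key; Value = 'ObjectModelGuard'; Data = 2
                           Issue = 'Programmatic Access warning disabled' }
    }
    foreach ($p in $prompts) {
        if ($props.PSObject.Properties[$p] -and $props.$p -eq 1) {
            [pscustomobject]@{ Key = $key; Value = $p; Data = 1
                               Issue = 'Prompt auto-approved' }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No warning-suppressing Outlook security values found under HKCU.' }
```

Run it under the interactive user's context (the values live in HKCU); the same keys are a useful target for registry-change monitoring so that a value being set to suppress the warning is logged rather than only discovered on the next audit.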
Organizations should consider configuring rules or checks to identify instances where the registry key that disables this alerting functionality exists.

References:

https://github.com/optiv/BadOutlook

By: Ali S. Ahmad

Ali S. Ahmad | Consultant II

Ali Ahmad is a Security Consultant in Optiv’s Threat Management Team (Attack and Penetration specialization). His primary roles include executing perimeter and internal network penetration tests and research and development of Windows malware samples.