A Single Partner for Everything You Need Optiv works with more than 450 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner. However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
Breadcrumb Home Insights Source Zero BadOutlook for C2 March 18, 2021 BadOutlook for C2 BadOutlook is a command and control (C2) technique that leverages Microsoft Outlook’s COM interface for communication. There are a handful of ways to detect malware, including antivirus (AV), endpoint detection and response (EDR) and network analysis. As a result, researchers spend a lot of time looking for ways to evade AV and EDR detection, from unhooking to the usage of more exotic API calls. This is in addition to research looking at new ways of defeating network detection techniques and finding evasive communication channels. With respect to network evasion, much public research explores the usage of websites, custom protocols and so on. What is the constant in these situations? Implants (i.e. your malicious code) either opens a port on the target system or makes outbound communication to the command and control servers. One technique rarely explored is C2 without direct network communication. The challenge now becomes how to send commands to our implant without having to communicate with it directly. Concept According to Microsoft, the Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM is the foundation technology for Microsoft's Object Linking & Embedding (OLE) and ActiveX (Internet-enabled components) technologies. In other words, COM is simply a way for two programs to talk to each other. Have you ever embedded an Excel spreadsheet inside of a Word document? This is a common scenario in which COM was designed to perform. Numerous Microsoft products possess COM interfaces that allow other applications to interact with them. This includes Word, Excel and the subject of this blog, Outlook. Outlook has a COM interface which, according to the documentation, “Represents the entire Outlook application.” The Outlook COM interface allows programs to do anything from checking mailboxes and calendars to sending emails. To state this simply, anything an end user can do in the main graphical user interface (GUI), can also be executed through the COM interface. This post explores how I built an implant that monitors the Outlook client for C2 instructions while not requiring external (e.g. Internet) communication to operate. Proof of Concept BadOutlook leverages the COM interface to poll the specified Outlook folder at a predetermined interval. In this example, we poll the Inbox folder every 10 seconds to look for the subject line “testtesttest2.” Once BadOutlook identifies the triggered subject line, it will read the content of the email body containing base64 encoded shellcode and execute it. This proof of concept within itself is not intended to be fully evasive, but rather is a new method that can be utilized in your malware development. Additionally, Matthew Eidelberg’s research can be used to execute this technique evasively. Below you can find screenshots of the tool in action: Image Figure 1: Polling the Outlook Client for the Trigger Subject Line Image Figure 2: Email Containing the Trigger Subject Line and Base64 Encoded shellcode Image Figure 3: Trigger Email in Inbox Awaiting Execution Image Figure 4: Trigger Email and Shellcode Executed Resulting in an Interactive Command Prompt Given the functionality available in Office products, its possible for adversaries to leverage Outlook's COM interface in attacks for extended persistence. As the implant does not require traditional outbound communication for its instructions (e.g. POST calls), blue teams may struggle with network-based detections. Outlook does produce an alert when outside programs attempt to leverage the COM interface and access Outlook. Organizations should consider configuring rules or checks to identify instances where the registry key exists to disable this alerting functionality. References: https://github.com/optiv/BadOutlook By: Ali S. Ahmad Ali S. Ahmad | Consultant II Ali Ahmad is a Security Consultant in Optiv’s Threat Management Team (Attack and Penetration specialization). His primary roles include executing of perimeter and internal network penetration tests and research and development of windows malware samples. Share: Penetration Testing Source Zero® Red Team Malware Copyright © 2024 Optiv Security Inc. All rights reserved. No license, express or implied, to any intellectual property or other content is granted or intended hereby. This blog is provided to you for information purposes only. While the information contained in this site has been obtained from sources believed to be reliable, Optiv disclaims all warranties as to the accuracy, completeness or adequacy of such information. Links to third party sites are provided for your convenience and do not constitute an endorsement by Optiv. These sites may not have the same privacy, security or accessibility standards. Complaints / questions should be directed to Legal@optiv.com
Copyright © 2024 Optiv Security Inc. All rights reserved. No license, express or implied, to any intellectual property or other content is granted or intended hereby. This blog is provided to you for information purposes only. While the information contained in this site has been obtained from sources believed to be reliable, Optiv disclaims all warranties as to the accuracy, completeness or adequacy of such information. Links to third party sites are provided for your convenience and do not constitute an endorsement by Optiv. These sites may not have the same privacy, security or accessibility standards. Complaints / questions should be directed to Legal@optiv.com
Would you like to speak to an advisor? Let's Talk Cybersecurity Provide your contact information and we will follow-up shortly. Let's Browse Cybersecurity Just looking? Explore how Optiv serves its ~6,000 clients. Show me AI Security Solutions Show me the Optiv brochure Take me to Optiv's Events page Browse all Services