Specula is a tool that uses a single Registry value to turn Microsoft Outlook into a C2 server capable of executing arbitrary commands.
Fundamentally, Specula is a C2 framework built on the Outlook home page feature: it provides the tooling to build a home page that abuses this vector.
Abuse of the Outlook home page feature was previously disclosed and tracked as CVE-2017-11774.
That vulnerability, titled "Microsoft Outlook Security Feature Bypass Vulnerability," allows an attacker to execute arbitrary commands because of the way Microsoft Office handles objects in memory.
FireEye first noticed APT34 leveraging CVE-2017-11774 in June 2018. APT33 then adopted it for a much larger campaign that started in July 2018 and lasted for at least a year.
Microsoft fixed the vulnerability by changing the way Outlook handles objects in memory and removing the home page UI elements.
Unfortunately, even in current Office 365 installations, Outlook still honors the Registry values that those removed UI elements used to set.
“If an attacker can modify a single non-privileged Registry key, a C2 channel can be established despite it being thought to be a patched technique,” TrustedSec researchers said.
Setting The Registry Value
A graphical depiction (not reproduced here) demonstrates how to set the required Registry value for initial access.
Researchers say that if any of the Registry keys described in Microsoft's workaround are used to define a custom home page, Outlook downloads and displays that HTML page when the relevant folder tab is selected, instead of the standard mailbox view (Inbox, Calendar, Sent Items, etc.).
JScript and VBScript embedded in the downloaded HTML page run in a privileged context, granting them nearly complete access to the local system, just as they would under cscript.exe or wscript.exe.
Certain restrictions can limit this degree of access, but those restrictions are also controlled by Registry keys that non-privileged users can write to.
“The resources rendered and returned via Specula allow for execution of vbscript within a trusted context. Full access is also allowed to any COM object that exposes methods via an IDispatch interface,” researchers said.
Although an attacker must first gain the ability to write to the current user's Outlook Registry keys on a device, once they have, this technique lets them persist on the compromised device and spread further.
Hence, it is recommended to monitor for a URL value being added to, or already present under, `HKCU\Software\Microsoft\Office\16.0\Outlook\WebView`.
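The following PowerShell script is an added example for defenders and is not code from the article or from TrustedSec's Specula project. It audits the current user's Outlook `WebView` keys for custom home-page URLs, which is the monitoring the article recommends. The list of Office version numbers and the layout of one subkey per folder (Inbox, Calendar, and so on) each carrying a `URL` value are assumptions drawn from the article's description of Microsoft's workaround; the script enumerates subkeys rather than hard-coding folder names so it does not depend on an exact list.

```powershell
# Added example (not from the article or the Specula project): audit the
# current user's Outlook WebView keys for custom folder home-page URLs.
# Assumptions: Office 2010/2013/2016+ version keys (14.0, 15.0, 16.0), and
# one subkey per Outlook folder under WebView, each holding a "URL" value.

$officeVersions = @('14.0', '15.0', '16.0')
$findings = @()

foreach ($ver in $officeVersions) {
    $webView = "HKCU:\Software\Microsoft\Office\$ver\Outlook\WebView"
    if (-not (Test-Path -Path $webView)) { continue }

    # Each folder (Inbox, Calendar, ...) is a subkey; a URL value under it makes
    # Outlook load that page instead of the folder's normal mailbox view.
    Get-ChildItem -Path $webView | ForEach-Object {
        $url = (Get-ItemProperty -Path $_.PSPath -Name 'URL' -ErrorAction SilentlyContinue).URL
        if ($url) {
            $findings += [pscustomobject]@{
                OfficeVersion = $ver
                Folder        = $_.PSChildName
                Url           = $url
                # Remote or file-based pages are the ones that warrant investigation.
                Remote        = [bool]($url -match '^(https?|file)://')
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Outlook folder home-page URLs found for the current user.'
} else {
    Write-Warning "Found $($findings.Count) Outlook home-page URL value(s); review each one."
    $findings | Format-Table -AutoSize
}
```

Because the keys live under `HKCU`, the script only sees the user it runs as; for fleet-wide hunting, run it in each interactive user's context (or load the other users' hives under `HKEY_USERS`). For continuous monitoring rather than a point-in-time audit, a Sysmon `RegistryEvent` (value set, Event ID 13) rule targeting `...\Outlook\WebView\*\URL` or the equivalent EDR registry telemetry gives the same visibility in real time.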