New Specula Tool Exploits Outlook for Remote Code Execution on Windows

By Admin | 2024-07-31 | Vulnerabilities

The new Specula red team framework, unveiled by cybersecurity firm TrustedSec, demonstrates how Microsoft Outlook can be exploited to function as a command and control (C2) beacon for remote code execution on Windows systems.

Specula builds on an Outlook vulnerability, CVE-2017-11774, which Microsoft patched in October 2017. The flaw is a bypass of an Outlook security feature that let attackers set a custom Outlook Home Page via WebView; the technique remains usable even after the patch.

TrustedSec's Specula framework works by configuring a custom Outlook home page through Windows Registry values. With the home page served from a remote Python web server, attackers can execute arbitrary commands on the host.


How Specula Works

The framework targets Outlook's WebView registry entries located at HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\WebView\. Attackers can set these registry entries to point to an external site they control, which then serves malicious VBScript files.

These custom home pages are designed to run VBScript or JScript within Outlook, granting attackers nearly full access to the compromised system, as if executing commands through cscript.exe or wscript.exe.


Implications and Risks

Once a system is compromised and the Outlook registry entry is configured, attackers can use this method for persistent access and lateral movement across networks. The trusted nature of the Outlook process helps attackers evade detection by existing security software.

Historically, CVE-2017-11774 was exploited by various threat actors, including the Iranian-sponsored APT33 group, to target U.S. government agencies and other entities. This vulnerability was notably used by APT33 in broad campaigns starting in mid-2018, as documented by FireEye.


Security Recommendations

Organizations should be aware of this vulnerability and its exploitation techniques. It's crucial to monitor and secure Outlook configurations and registry settings to prevent misuse. Regular updates and vigilance against suspicious activity are essential to mitigate the risks associated with such sophisticated attacks.
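As an added, defender-side example (this is not TrustedSec's code and not part of the original article), the PowerShell function below audits the WebView registry path named in "How Specula Works" for values that point at a URL or UNC path, which is exactly the configuration Specula depends on. It assumes Outlook 2016 or later (Office version key 16.0) and walks subkeys because a home page can be set per folder; the folder-level layout and the value names are assumptions, not something the article states.

```powershell
# Added example, not from the article or from TrustedSec: audit the Outlook
# WebView registry key for home-page values that point outside the machine.
# Assumption: Office version key "16.0" (Outlook 2016 and later).

function Get-OutlookWebViewEntries {
    [CmdletBinding()]
    param(
        [string]$BasePath = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\WebView'
    )

    if (-not (Test-Path -Path $BasePath)) {
        Write-Verbose "No WebView key present at $BasePath"
        return @()
    }

    $findings = @()
    # Walk the WebView key itself and every subkey beneath it
    # (assumption: folder-specific entries may live in subkeys).
    $keys = @(Get-Item -Path $BasePath) + @(Get-ChildItem -Path $BasePath -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            # A home page is a URL; anything remote (http/https/file) or a UNC
            # path is worth a look, since a clean install has no such values.
            if ($data -match '^(https?|file)://' -or $data -match '^\\\\') {
                $findings += [pscustomobject]@{
                    Key   = $key.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                    Name  = $name
                    Value = $data
                }
            }
        }
    }
    return $findings
}

# Run the audit for the current user; a clean machine reports nothing.
$hits = Get-OutlookWebViewEntries -Verbose
if ($hits.Count -eq 0) {
    Write-Output 'No URL-valued WebView entries found.'
} else {
    Write-Output 'Suspicious Outlook WebView entries:'
    $hits | Format-Table -AutoSize
}
```

Because the key lives under HKEY_CURRENT_USER, the audit must run in the context of each interactive user (or iterate loaded user hives from a scheduled task) to be complete. Any hit should be treated as an incident indicator rather than simply deleted, since the value records where the attacker's server was and which user profile was modified.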