New ‘Specula’ Tool Exploits Outlook for Remote Code Execution

July 29, 2024

TrustedSec, a cybersecurity firm, has unveiled a new red team post-exploitation framework known as 'Specula'. This framework can transform Microsoft Outlook into a C2 beacon, enabling remote execution of code. The method involves exploiting CVE-2017-11774, a vulnerability in Outlook's security feature that was patched in October 2017.

Microsoft explains that in a file-sharing attack scenario, an attacker could provide a specially crafted document file designed to exploit the vulnerability, and then convince users to open the document file and interact with the document. Despite a patch being released for the flaw and the user interface for displaying Outlook home pages being removed, it is still possible for attackers to create malicious home pages using Windows Registry values. This is possible even on systems where the latest Office 365 builds are installed.

Specula operates entirely in the context of Outlook. It works by setting a custom Outlook home page via registry keys that connect to an interactive Python web server. Non-privileged threat actors can set a URL target in Outlook's WebView registry entries to an external website under their control. The attacker-controlled Outlook home page is designed to serve custom VBscript files that an attacker can use to execute arbitrary commands on compromised Windows systems.

TrustedSec states, 'TrustedSec has been able to leverage this specific channel for initial access in hundreds of clients despite the existing knowledge and preventions available for this technique.' Once a custom home page is set by any of the Registry keys outlined by Microsoft, Outlook will download and display that HTML page instead of the normal mailbox element. As a result, VBscript or jscript can run within a privileged context with full access to the local system.

While a device first needs to be compromised to configure the Outlook Registry entry, once configured, attackers can use this technique for persistence and to spread laterally to other systems. Since outlook.exe is a trusted process, it makes it easier for attackers to evade existing software as commands are executed.

US Cyber Command warned five years ago that the CVE-2017-11774 Outlook vulnerability was also used to target U.S. government agencies. Security researchers from Chronicle, FireEye, and Palo Alto Networks later linked these attacks to the Iranian-sponsored APT33 cyber espionage group. As FireEye cybersecurity researchers stated, 'FireEye first observed APT34 use CVE-2017-11774 in June 2018, followed by adoption by APT33 for a significantly broader campaign beginning in July 2018 and continuing for at least a year.'

Latest News

• Ransomware Gangs Actively Exploiting VMware ESXi Auth Bypass Vulnerability: Microsoft Warns
• Massive 'PKFail' Secure Boot Bypass Threatens Millions of Devices
• Acronis Alerts Users on Cyber Infrastructure Default Password Exploitation
• High-Severity DoS Vulnerabilities in BIND Software Suite Addressed by ISC
• Exploitation of Critical ServiceNow Flaws for Data Theft: A Rising Concern