New Specula tool uses Outlook for remote code execution in Windows

A new post-exploitation framework called “Specula” was released by cybersecurity firm TrustedSec, which can turn Microsoft Outlook into a command and control (C2) beacon to remotely execute code.

The C2 framework works by creating a custom Outlook Home Page using WebView, exploiting CVE-2017-11774, an Outlook security feature bypass vulnerability patched in October 2017. Despite the patch, attackers can still create malicious home pages using Windows Registry values.

To do this, non-privileged threat actors can set a URL target in Outlook’s WebView registry entries to an external website under their control. The attacker-controlled Outlook home page serves custom VBScript files that can be used to execute arbitrary commands on compromised Windows systems.

TrustedSec has been able to leverage this technique for initial access at hundreds of clients, despite the technique being publicly known and mitigations existing. It allows attackers to evade security software by running under Outlook.exe, a trusted process.

In the past, this vulnerability was used by the Iranian-sponsored APT33 cyber espionage group to target US government agencies. It was first observed by FireEye in June 2018 and continued for at least a year.

As a mitigation, one suggestion is to preemptively create the “WebView” registry key and restrict its permissions to Administrators only.
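The audit and hardening described above, as an added PowerShell example (not code from TrustedSec, Specula or the article). It assumes the per-user key path HKCU\Software\Microsoft\Office\<version>\Outlook\WebView with one subkey per folder (Inbox, Calendar, ...) holding a URL value, and the Office version keys 14.0 to 16.0; those paths come from public CVE-2017-11774 write-ups, not from this page.

```powershell
# Assumed layout (from public CVE-2017-11774 write-ups, not from this article):
#   HKCU:\Software\Microsoft\Office\<ver>\Outlook\WebView\<Folder>  ->  URL (REG_SZ)
$folders  = 'Inbox','Calendar','Contacts','Tasks','Notes','Journal',
            'Sent Items','Outbox','Drafts','Deleted Items','Junk E-mail'
$versions = '14.0','15.0','16.0'   # Office 2010 / 2013 / 2016+

# Audit: list every configured Outlook home page URL for the current user.
# A legitimate deployment rarely sets these; any hit deserves investigation.
function Get-OutlookWebViewUrls {
    foreach ($v in $versions) {
        $base = "HKCU:\Software\Microsoft\Office\$v\Outlook\WebView"
        if (-not (Test-Path $base)) { continue }
        foreach ($f in $folders) {
            $key = Join-Path $base $f
            if (-not (Test-Path $key)) { continue }
            $url = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).URL
            if ($url) { [pscustomobject]@{ Version = $v; Folder = $f; Url = $url } }
        }
    }
}

# Harden: pre-create the WebView key and replace its ACL with an
# Administrators-only rule, so an unprivileged user cannot add a home page URL.
# Run elevated; the owner is changed too, otherwise the hive's user (as key
# owner) could simply rewrite the ACL. Apply per user profile (e.g. via GPO).
function Protect-OutlookWebViewKey {
    param([string]$Version = '16.0')
    $base = "HKCU:\Software\Microsoft\Office\$Version\Outlook\WebView"
    if (-not (Test-Path $base)) { New-Item -Path $base -Force | Out-Null }
    $acl = Get-Acl -Path $base
    $acl.SetAccessRuleProtection($true, $false)        # stop inheritance, drop inherited rules
    foreach ($r in @($acl.Access)) { $acl.RemoveAccessRule($r) | Out-Null }
    $admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $admins, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    $acl.SetOwner($admins)
    Set-Acl -Path $base -AclObject $acl
}

# Report first, then lock the key down for the current profile.
Get-OutlookWebViewUrls | Format-Table -AutoSize
Protect-OutlookWebViewKey -Version '16.0'
```

Outlook itself runs as the user, so test that mail and folder views still work after locking the key; the audit function can also be scheduled as a detection across endpoints.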

Source: https://www.bleepingcomputer.com/news/security/new-specula-tool-uses-outlook-for-remote-code-execution-in-windows/