Cybersecurity firm TrustedSec has released a new tool called Specula. It abuses a long-known weakness in Microsoft Outlook to turn the mail client itself into a beaconing Command and Control (C2) implant.
The release has drawn wide attention in the cybersecurity community because it highlights a persistent weak point in many corporate networks.
Specula relies on a seemingly innocuous Registry change that alters Outlook's behavior so the client becomes a beaconing C2 agent. Although this technique has been reported in the past, many organizations continue to overlook it.
TrustedSec’s release of Specula aims to bring more attention to this vulnerability and encourage the development of robust preventions.
The ability to exploit the Outlook home page feature was initially reported under CVE-2017-11774.
Although Microsoft issued patches that removed the UI elements for setting a custom home page, the underlying Registry values remained functional.
This oversight allows attackers to set a custom home page via Registry keys, enabling the execution of malicious scripts within Outlook.
When a custom home page is set through specific registry keys, Outlook downloads and displays an HTML page instead of the standard mailbox elements.
This HTML page can run VBScript or JScript inside the Outlook process, with the full privileges of the logged-on user, including the ability to launch other programs, which grants attackers significant control over the local system. Specula automates this process, allowing for continuous command execution without manual intervention.
To mitigate this threat, TrustedSec recommends several measures:
Organizations should monitor the Registry for URL values under specific keys related to Outlook’s WebView feature. These keys include:
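The following PowerShell script is an added example of the check described above; it is not code from TrustedSec, Specula or this article. It looks for a URL value under any folder subkey of Outlook's WebView key, which is where the folder home page described earlier is configured. It assumes Windows PowerShell 5.1 or later and that Office stores its per-user settings under HKCU\Software\Microsoft\Office\<version>\Outlook; the matching path under HKCU\Software\Policies is included as an assumption, since Group Policy can also write there. Run it without switches to report, or with -Remediate to delete the offending values.

```powershell
<#
 Added example (not TrustedSec's or Specula's code): hunt for Outlook folder
 home pages configured through the Registry, the mechanism abused by Specula
 and originally tracked as CVE-2017-11774.

 Assumptions:
  - Office per-user settings live under HKCU:\Software\Microsoft\Office\<ver>\Outlook
  - Policy-managed settings may live under HKCU:\Software\Policies\Microsoft\Office\<ver>\Outlook
  - A folder home page is a REG_SZ value named "URL" under
    ...\Outlook\WebView\<Folder>  (e.g. Inbox, Calendar, Contacts, Tasks)
#>
[CmdletBinding()]
param(
    # Delete any URL value that is found instead of only reporting it
    [switch]$Remediate
)

# Wildcard on the Office version so 15.0, 16.0 and any future release are covered.
$webViewPaths = @(
    'HKCU:\Software\Microsoft\Office\*\Outlook\WebView',
    'HKCU:\Software\Policies\Microsoft\Office\*\Outlook\WebView'   # assumption: policy path
)

function Get-OutlookHomePageUrls {
    param([string[]]$Paths)

    $findings = @()
    foreach ($pattern in $Paths) {
        # Resolve the wildcard to the WebView keys that actually exist.
        $webViewKeys = Get-Item -Path $pattern -ErrorAction SilentlyContinue
        foreach ($webView in $webViewKeys) {
            # Enumerate every folder subkey rather than a fixed list, so a URL
            # planted under an unexpected folder name is still caught.
            Get-ChildItem -Path $webView.PSPath -ErrorAction SilentlyContinue | ForEach-Object {
                $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
                if ($props -and $props.PSObject.Properties['URL'] -and $props.URL) {
                    $findings += [pscustomobject]@{
                        Key    = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                        Folder = $_.PSChildName
                        URL    = $props.URL
                    }
                }
            }
        }
    }
    return $findings
}

$hits = Get-OutlookHomePageUrls -Paths $webViewPaths

if (-not $hits) {
    Write-Output 'No Outlook WebView URL values found.'
    exit 0
}

Write-Warning 'Outlook folder home page URL(s) set via the Registry (possible Specula-style persistence):'
$hits | Format-Table -AutoSize

if ($Remediate) {
    foreach ($hit in $hits) {
        # Remove only the URL value; the WebView\<Folder> key itself is harmless.
        Remove-ItemProperty -Path ('Registry::' + $hit.Key) -Name 'URL' -ErrorAction Stop
        Write-Output "Removed URL from $($hit.Key)"
    }
}

# Non-zero exit lets an EDR script task or scheduled job treat a hit as an alert.
exit 1
```

The script inspects only the current user's hive; to sweep every profile on a host, run it in each user's context or iterate the loaded hives under HKEY_USERS with the same relative paths. A legitimate home page is rare in modern deployments, so any URL value found here deserves investigation before it is removed.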
The release of Specula by TrustedSec underscores the importance of vigilance in cybersecurity.
While the tool powerfully reminds us of potential risks, it also calls on organizations to review and strengthen their defenses against such vulnerabilities.
As the cybersecurity landscape continues to evolve, staying informed and proactive is crucial to safeguarding sensitive information and maintaining network integrity.