Beyond good ol’ Run key, Part 33

October 20, 2015 in Anti-*, Autostart (Persistence), Batch Analysis, Clustering, Compromise Detection, Forensic Analysis, Malware Analysis

There is a secret place in almost every organization utilizing Microsoft Outlook where malware can hide.

Persistently.

The pros: no one checks it.

The cons: there is no API that makes it easy to set up (directly).

About the cons – one has to either install the malware manually, or employ some sort of macro / AutoIt / message-sending trickery. Direct access /via code/ is also possible, but we have yet to find someone brave enough to reverse MAPI and the internal interfaces of Outlook in order to automate this process.

I am of course talking about the mechanism of executing a program as a part of Outlook Rules.

Here is a simple example of running calc.exe any time a message is received:

[screenshot: outlook1]

Yup. It’s that simple. It’s not visible in the Registry, it’s not visible at the file system level. I am not even sure if any of the PST reading solutions out there can read these rules somehow…

And how to add these?

As I said, there is no actual interface known at the moment, but one can employ macros, sending messages, etc. One can also use the convenient mechanism that allows importing the rules via Outlook:

[screenshot: outlook2]

If you are eager to reverse engineer these, look at the OpenStreamOnFileW API. Enough said 🙂
