Phishing On the Inside

I recently read about different tactics used by threat actors to propagate their malware across a network. Specifically, the DYRE banking trojan spread through a target's network by using the Messaging Application Programming Interface (MAPI) on Windows systems. This native Windows API provides the functionality to access a user's Outlook mailbox and send e-mails on their behalf. A worm deployed by DYRE used this access to craft phishing e-mails, attach copies of DYRE, and send them to target addresses obtained from remote C&C servers. I thought this was an interesting method of movement. There are some advantages to this:

  1. Bypassing e-mail protection on the border (content filters, domain reputation, etc.)
  2. Less suspicion, since the mail comes from a legitimate internal e-mail address.
  3. Looking through the victim's e-mail can provide specific and detailed pretext for internal phishing attacks.
  4. E-mails may also contain sensitive content (passwords, PII, etc.)

Since I love PowerShell so much, I thought it would be cool to create a small tool to mimic some of what the DYRE malware does. PowerShell can easily access MAPI through an Outlook ComObject, and so EmailRaider was born.


EmailRaider Overview

EmailRaider is a collection of PowerShell functions that will allow you to search through an individual's mailbox, or browse it manually. There are also functions that allow you to send e-mails with embedded links or attachments.

Functions

Disable-SecuritySettings : This function will attempt to set/create the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\15.0\Outlook\Security
  DWORD: ObjectModelGuard   Value: 2

HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\outlook\security
  DWORD: PromptOOMSend      Value: 2
  DWORD: AdminSecurityMode  Value: 3

The path will change slightly depending on the version of Outlook:

  16.0 = Outlook 2016
  15.0 = Outlook 2013
  14.0 = Outlook 2010
  12.0 = Outlook 2007

These registry keys must be set/created in order to disable the programmatic access prompt that appears whenever the MAPI namespace is called. There is one caveat to this function: it requires the user to have permission to edit those registry keys, which most likely means administrative privileges. You can pass the credentials of an administrator as arguments to this function.

NOTE: Antivirus also needs to be installed and up to date on the host. If it is not, the prompt still appears regardless of the registry settings.
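A defensive counterpart to the function above, added here as an example and not part of EmailRaider: an audit function (the name Test-OutlookOOMSettings is my own) that reads the registry locations listed above for each Outlook version named in this post and flags any value already set to the weakened setting, so an administrator or responder can spot a host where the programmatic access prompt has been suppressed.

```powershell
# Added audit example (not EmailRaider code): report Outlook object-model
# registry values that match the weakened settings described in the post.
# Run as the user whose HKCU hive should be inspected; HKLM only needs read access.
function Test-OutlookOOMSettings {
    [CmdletBinding()]
    param(
        # Outlook version keys named in the post (2007 through 2016)
        [string[]]$Versions = @('12.0', '14.0', '15.0', '16.0')
    )
    # Each check: path template, value name, and the value the post says
    # Disable-SecuritySettings writes to silence the prompt.
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Office\{0}\Outlook\Security';          Name = 'ObjectModelGuard';  Weak = 2 },
        @{ Path = 'HKCU:\Software\Policies\Microsoft\Office\{0}\outlook\security'; Name = 'PromptOOMSend';     Weak = 2 },
        @{ Path = 'HKCU:\Software\Policies\Microsoft\Office\{0}\outlook\security'; Name = 'AdminSecurityMode'; Weak = 3 }
    )
    foreach ($ver in $Versions) {
        foreach ($c in $checks) {
            $path  = $c.Path -f $ver
            $value = $null
            if (Test-Path $path) {
                # Missing value names return $null instead of throwing
                $value = (Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
            }
            [pscustomobject]@{
                Version = $ver
                Path    = $path
                Name    = $c.Name
                Value   = $value
                # Present AND equal to the weakened value -> worth investigating
                Flagged = ($null -ne $value -and $value -eq $c.Weak)
            }
        }
    }
}

# Show only entries that match the weakened configuration
Test-OutlookOOMSettings | Where-Object Flagged | Format-Table -AutoSize
```

Drop the final Where-Object filter to see every version and value, including the ones that are absent.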

Get-SMTPAddress : Returns the primary SMTP address in Outlook for the current user. You can also pass a contact's first and last name as an argument.

Invoke-MailSearch : This function conducts a multi-threaded search of the selected Outlook default folder for any e-mails containing the specified keyword in the subject or body. The MaxSearch and MaxResults parameters let you specify the total number of e-mails to search and the total number of results to return, respectively. This doesn't seem to work well with Outlook 2007 if you try to lessen the number of e-mails searched or returned (weird, right?). Depending on the total number of e-mails in a folder, this could take a long time. It does work flawlessly in Outlook 2013 (I haven't tested 2010).

Since searching through an Outlook folder with thousands of e-mails isn't a time-efficient task, I added some functions that allow for browsing.

View-Email : This selects the folder specified by the FolderName argument and then displays the EmailItem at the selected index.

Get-OutlookFolder : This function returns a folder ComObject for the Outlook default (top-level) folder that you specify.

Get-EmailItems : This function is similar to View-Email except that it returns all of the e-mails in the specified folder. You can also specify the number of e-mails to return.


Examples:

Get-OutlookFolder -Name "Inbox" | Get-EmailItems -MaxEmails 100

Returns the first 100 e-mails in the Inbox.


Get-SMTPAddress -FullName "Pablo Escobar", "Bob Evans","Ronda Roads" | Invoke-SendMail -Subject "TPS Report" -Body "Please find the latest TPS report attached" -Attachment .\TPS_report.rtf

Retrieves the primary SMTP address for each person, then pipes the addresses into Invoke-SendMail as targets.

Get-SubFolders -DefaultFolder "Inbox" -FullObject | Where-Object {$_.Name -eq "TemporaryAccountPasswords"} | Get-EmailItems -MaxEmails 20

Returns the subfolder of Inbox named TemporaryAccountPasswords and pipes that folder into Get-EmailItems, which returns the first 20 e-mails in the folder.


All of the code is available on GitHub.

*****
Written by Chris Ross on 04 September 2015