C2 Communications Through outlook.com – SANS Internet Storm Center

A malware dropper uses Outlook.com email as its command-and-control channel, polling a mailbox via IMAP and exfiltrating results back through email. The Python-based dropper decrypts a payload with AES, executes commands via a shell, and uses base64/ROT13 encoding to conceal communications. #OutlookCom #IMAP #SMTP #C2 #Python #AES #Base64 #ROT13

Keypoints

  • The article discusses C2 communications over email (specifically Outlook/IMAP/SMTP) as an alternative to HTTP(S).
  • A malicious Python dropper decrypts and loads a payload, showing references to AES and ROT13 in code.
  • The dropper polls an Outlook mailbox by logging into imap-mail.outlook.com and reading messages (subject “outdoor:”).
  • Command and control commands can be issued via email (e.g., “cmd”, “download”, “upload”, “forcecheckin”).
  • Executed commands run through a shell (Popen with shell=True) and the results are sent back encoded (base64) via email.
  • IMAPS/SMTP are often blocked on corporate networks, but email-based C2 can still be effective if the official email platform is reachable.
  • The author notes difficulty verifying credentials and invites more information; a VirusTotal hash is cited for the dropper.
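The key points above describe two observable signals: a scripting interpreter, rather than a mail client, holding IMAPS/SMTP sessions to the outlook.com mail hosts, and messages whose subject carries the "outdoor:" prefix used as the command channel. As an added detection example (not code from the diary or from the dropper), the following Python flags both signals in endpoint telemetry; the event schema and the sample rows are constructed for this example and are assumptions, not data from the article.

```python
"""Flag email-based C2 candidates in endpoint telemetry.

Signals, taken from the SANS ISC diary summary:
  1. an interpreter (python, powershell, ...) opening IMAPS/SMTP sessions to
     the outlook.com mail hosts named in the dropper;
  2. mail whose subject starts with the "outdoor:" command prefix.
The event dictionaries and SAMPLE_EVENTS below are constructed for this
example; real telemetry (Sysmon EID 3, mail gateway logs) needs mapping first.
"""
from typing import Dict, Iterable, List, Optional

# Mail hosts referenced in the dropper (from the diary's IoC list).
MAIL_HOSTS = {"imap-mail.outlook.com", "smtp-mail.outlook.com"}
# Standard IMAP/SMTP ports; the sample used IMAPS (993) and SMTP submission.
MAIL_PORTS = {143, 993, 25, 465, 587}
# Processes that have no business speaking IMAP/SMTP directly (assumed list).
INTERPRETERS = {
    "python.exe", "pythonw.exe", "python", "python3",
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
}
C2_SUBJECT_PREFIX = "outdoor:"


def classify(event: Dict) -> Optional[str]:
    """Return a detection tag for one event, or None if it looks benign."""
    kind = event.get("type")
    if kind == "network":
        proc = str(event.get("process", "")).lower()
        host = str(event.get("dest_host", "")).lower()
        port = event.get("dest_port")
        # A mail client talking to the mail host is expected; an interpreter is not.
        if host in MAIL_HOSTS and port in MAIL_PORTS and proc in INTERPRETERS:
            return "interpreter_mail_session"
    elif kind == "mail":
        subject = str(event.get("subject", "")).strip().lower()
        if subject.startswith(C2_SUBJECT_PREFIX):
            return "c2_subject_prefix"
    return None


def find_mail_c2(events: Iterable[Dict]) -> List[Dict]:
    """Return every event that matches a signal, annotated with its tag."""
    hits = []
    for ev in events:
        tag = classify(ev)
        if tag is not None:
            hits.append({"tag": tag, **ev})
    return hits


# Constructed sample telemetry: two benign rows, three that should fire.
SAMPLE_EVENTS = [
    {"type": "network", "process": "outlook.exe", "dest_host": "imap-mail.outlook.com", "dest_port": 993},
    {"type": "network", "process": "python.exe", "dest_host": "imap-mail.outlook.com", "dest_port": 993},
    {"type": "network", "process": "python.exe", "dest_host": "smtp-mail.outlook.com", "dest_port": 587},
    {"type": "mail", "subject": "Quarterly report", "sender": "alice@example.invalid"},
    {"type": "mail", "subject": "outdoor: forcecheckin", "sender": "operator@example.invalid"},
]

if __name__ == "__main__":
    for hit in find_mail_c2(SAMPLE_EVENTS):
        print(hit["tag"], hit)
```

The host allow-list is deliberately narrow to match the diary's sample; in a real deployment the interpreter-to-mail-host rule generalises to any IMAP/SMTP destination, since the point is the process, not the provider.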

MITRE Techniques

  • [T1071.003] Mail protocols – The C2 uses IMAP/SMTP to receive commands and send results via email. ‘The script opens an IMAPS connection to Microsoft outlook.com, fetches messages from the inbox folder (with the subject “outdoor:”)…’
  • [T1059.006] Python – The dropper is a Python script and includes inline code that executes commands, e.g., `Popen(self.command, shell=True, stdout=PIPE, stderr=PIPE, stdin=PIPE)`.
  • [T1027] Obfuscated/Compressed Information – The payload is encrypted and transformed inside the dropper, as shown by `S = VVV.decrypt(zlib.decompress(base64.urlsafe_b64decode(S))).encode("rot13")` followed by `exec S`.
  • [T1132] Data Encoding – Output and/or payloads are base64-encoded before transmission, e.g., ‘output is sent back (base64 encoded) via email’.

Indicators of Compromise

  • [Email] [email protected] – credential/email address used by the script.
  • [Domain] smtp-mail.outlook.com, imap-mail.outlook.com – mail servers referenced in the dropper.
  • [Hash] a83c2dcfda088cb363e5d5867133b24f5f82e535335642f602b8eb67bd7e3d70 – dropper file hash discussed in the article.
  • [URL] https://www.virustotal.com/gui/file/a83c2dcfda088cb363e5d5867133b24f5f82e535335642f602b8eb67bd7e3d70/detection – VirusTotal detection page for the dropper hash.

Read more: https://isc.sans.edu/diary/C2+Communications+Through+outlookcom/29180/