
Shedding Light on Web Isolation Technologies and Their Bypass Techniques: C2 Communication via Outlook Using SMTP and IMAP

BSides Las Vegas · 2025 · 40:05 · Published 2025-12
About this talk
Web isolation blocks HTTP/HTTPS traffic by executing content in remote sandboxes, but email protocols remain accessible. This talk demonstrates how attackers bypass web isolation by establishing command-and-control communication through Outlook via SMTP and IMAP, presents a working proof-of-concept tool, and discusses detection and mitigation strategies.
Original YouTube description:

Identifier: REVYEP

- "Shedding Light on Web Isolation Technologies and Their Bypass Techniques: C2 Communication via Outlook Using SMTP and IMAP"
- Explains how web isolation blocks HTTP/HTTPS but can be bypassed.
- Demonstrates C2 communication using Outlook via SMTP/IMAP.
- Introduces malware and threat actors leveraging these protocols.
- Provides detection rules and mitigation strategies.

Location & Metadata:

- Location: Breaking Ground, Florentine A
- Date/Time: Monday, 15:00–15:45
- Speaker: Terada Yu

Transcript [en]

Good afternoon and welcome to BSides Las Vegas Breaking Ground. This talk will be given by Terada Yu. A few announcements before we begin. We'd like to thank our sponsors, especially our diamond sponsors, Adobe and Aikido, and our gold sponsors, Formal and Drop Zone AI. It is their support, along with our other sponsors, donors and volunteers, that makes this event possible. These talks are being streamed live, and as a courtesy to our speakers and audience we ask that you check to make sure your cell phones are set to silent. Enjoy the talk.

>> Okay. Thank you for the introduction, and thank you for giving me a wonderful opportunity to talk about my research for the first time. Today's talk title is "Shedding Light on Web Isolation Technologies and Their Bypass Techniques". I will focus on web isolation, which is not such a familiar solution, so I hope you enjoy it.

Let me quickly introduce myself. I'm Terada, a security researcher for Fujitsu. I spent five years as a security analyst for a bank and three years as a security researcher, and I have been a speaker at Black Hat, CODE BLUE and so on. Sometimes I do internal red teaming and cyber exercises. Today's talk is based on my experience as a security analyst for a bank, because that bank used web isolation technology.

This is the outline of my talk. First I will talk about web isolation technology: what it is and what the threats to it are. Second, I will talk about email exploitation techniques: what kinds of techniques exist and what kinds of malware or actors abuse email. The third part is a demonstration of the tool I developed, Outlook C2. The last part is how to mitigate and detect this kind of attack technique.

So let me talk about what web isolation technology is. If I explain this solution in one word, it's a kind of virtual browser. Web isolation technology ensures secure web browsing by executing web content in a remote and isolated environment, so users interact with a safe visual image of the web page. This is a visual image of web isolation. Without web isolation, malicious web content like malicious JavaScript or malware can reach end users directly. With web isolation technology, only the visual image reaches end users, so users interact only with the visual image, and malware or malicious JavaScript cannot reach end users. That is the biggest advantage of web isolation, and actually, in my opinion, web isolation is one of the strongest cyber security solutions to protect end users.

Let me explain why it's so secure. The biggest advantage is that HTTP and HTTPS traffic from clients can be blocked by the firewall. As I mentioned, only the visual image is transferred to end users, so end users do not need to communicate with the internet over HTTP or HTTPS. That's why we can add deny rules for HTTP and HTTPS on the firewall. That is the biggest advantage, because typical attacks such as downloading malware through HTTP via a Word file with a macro or VBA can almost all be blocked by the firewall. Actually, when I worked for the bank as a security analyst, most security alerts on workstations were closed as "no impact" because the HTTP requests were blocked by the firewall. That's why I think it is one of the strongest cyber security solutions, in my opinion.

Actually there are disadvantages as well. One is that the response time is a little bit slow: only the visual image is transferred to end users, so compared to direct HTTP communication it's a little bit slower. Also, web scraping is not possible under web isolation technology, because HTTPS traffic is blocked by the firewall, so web scraping is blocked, or we need to ask the firewall guys to allow that domain on the firewall. Installation is also difficult. These days most software installers require internet access during setup, so we need to prepare offline installers under web isolation technology. Those are the kinds of disadvantages.

Also, from my past experience, not related to web isolation, I had a development laptop with no external connectivity except for email. When I worked for the bank and developed the banking system, of course I would have liked to do browsing; in such cases I needed to check error messages by email and send content from my development laptop by email. It's a very old style of development, but such a style existed in the past and I experienced it. So I would like to say that cloud and AI are getting common, but there are still working environments where communication is mainly done by email.

There are web isolation products from many vendors, like Symantec, Cloudflare, Forcepoint, Menlo Security and so on. There are a couple of web isolation vendors.

Then what organizations use web isolation technology? I think banks, governments, hospitals, legal and so on use this kind of technology. They tend to handle sensitive data, and they are also traditional and large organizations. The reason is that web isolation technology is not a very easy solution: it takes time, cost and effort to introduce it. So large organizations that have enough resources to spend on cyber security, and that prioritize cyber security as important, tend to introduce web isolation technology. Also, many non-technical staff work there, so their IT literacy is not so high. For example, banking staff are easily tricked into clicking a malicious URL or phishing site. So to protect such non-technical workers from malware, this solution is effective, I think. That's why banks and governments tend to use this solution, and they also prefer traditional and standard tools like Outlook or Microsoft Office, not G Suite or Gmail.

Okay, then what is not a threat to web isolation technology? This was my job: to consider what was and was not a threat for attacking web isolation technology. As I mentioned, downloader and C2 malware over HTTPS is not a threat, because it can be blocked by the firewall, and domain fronting as well. I won't talk about it in detail, but if you are red teamers you may be familiar with domain fronting. It's a technique to bypass network filters by impersonating the true destination of HTTPS traffic. This graph shows domain fronting. Domain fronting usually uses cloud vendors, in this case Google Cloud: malicious traffic first goes to the cloud vendor, Google in this case, and the cloud vendor redirects that traffic to the true, malicious destination. The cloud vendor's domain is in front and in the back there is a malicious domain, which is why I think this technique is called domain fronting. Actually it was the biggest threat to web isolation technologies, because I mentioned that under web isolation technology all HTTPS traffic can be blocked by the firewall, but technically it's not true: we need to allow some domains even under web isolation technology, for example Microsoft. If we block the traffic to Microsoft on the firewall, then we cannot use Microsoft services like Microsoft Office or Outlook. Domain fronting abuses this: malicious traffic goes to Microsoft Azure first, and Microsoft Azure transfers that traffic to the malicious domain. That's why it was the biggest threat for attacking web isolation technology. But I think these days cloud vendors have addressed this issue, so its effectiveness is reducing.

On the contrary, what is a threat to web isolation technology? First is malware without C2 communication. It might be possible, maybe ransomware, but it's very rare and difficult, because most malware uses a downloader and C2 communication. Such independent malware might be possible but is a little bit difficult, I think. Also, malware using DNS: DNS works even under web isolation technology, but I think there are many security solutions to analyze and block malicious DNS, like Zscaler, Cisco, FortiGuard and so on, so it might be possible but maybe not so effective, in my opinion. The last one is malware using SMTP and IMAP. This is the one I would like to talk about in this talk, because SMTP is one of the protocols that is allowed for inbound and outbound communication. I would like to focus on this one in this talk.

Next I would like to talk about email exploitation techniques used by malware and threat actors. These are the top malware communication ports. As you may know, most adversaries and malware use HTTP or HTTPS and DNS. This is data from Netskope in 2023, and Netskope reported that most malware used HTTP or HTTPS for C2 communication, and the second most commonly used port was DNS. So I can say most adversaries or malware use HTTP or HTTPS and DNS, and I'd like to say SMTP and IMAP can be overlooked as potential channels for collection, data exfiltration and C2 communication, and in C2 frameworks as well. Most C2 frameworks use HTTP, DNS or TCP as listener protocols: Metasploit, Cobalt Strike, Sliver and Havoc all use HTTP, HTTPS, TCP, SMB and so on. No IMAP or SMTP is supported.

Then why does malware use the HTTPS protocol? First, I think it's fast and stable, and it's easy to hide malicious traffic because of the large amount of legitimate traffic, so it's not so suspicious to upload or download large files over HTTP. And of course outbound traffic is usually allowed, in my current company as well, because we need to do browsing to keep our business going. So outbound traffic is usually allowed, but it's not true under web isolation technology. That's why HTTPS traffic is not so effective for attacking web isolation technology.

Also, less commonly than HTTP and HTTPS, some malware and adversaries abuse email techniques and SMTP. For techniques, MITRE defines the Email Collection technique. Adversaries like Lazarus and APT28 abuse email, mainly for data exfiltration, and malware like OceanMap, Agent Tesla and Emotet abuses email. This is the MITRE framework; it identifies three Email Collection sub-techniques. One is Local Email Collection. As you may know, an email box contains a lot of sensitive data, so adversaries collect sensitive data from the Outlook inbox. Remote Email Collection is a similar one, and the last one is Email Forwarding Rule. Malware and adversaries set up email forwarding rules to steal future emails, as a kind of persistence. Those are the email collection techniques MITRE defines.

Actors as well: APT28 is a Russian state-sponsored cyber espionage group targeting government and military sectors. As the last step they drop the malware called OceanMap, which connects to IMAP C2 servers and communicates via IMAP. This is a screenshot that a malware researcher published on his blog. As you can see, a dir command was executed and it is saved in the email box as a mail like this. And this is a systeminfo command; sorry, it's a little bit small, but the systeminfo command was executed and it was saved in the email box, and this email was used to communicate with the C2 servers. And this one is an ipconfig command; it was executed and it was also saved to the email box. So I can say OceanMap uses IMAP for C2 communication, and this one is the most similar to what I will demonstrate later.

Agent Tesla as well. Agent Tesla is malware that acts as a keylogger and information stealer, targeting credentials and system data, and they use SMTP to send stolen data via email attachments. The last one is Emotet. It's a very famous malware, and the Emotet case is a little bit of a tricky pattern: Emotet emails are phishing emails with malicious attachments or links, and they allow attackers to load additional payloads and steal sensitive information like emails or email server credentials. It also turns infected devices into spam bots to send spam emails for worm-like activity, so they turn devices into spam bots to do lateral movement to other organizations. Emotet can be a tricky pattern, but I think I can say Emotet is also one of the malware families that abuses email.

C2 tools as well. There are not so many tools that exploit email for communication, but there are a couple of tools. The first one is BadOutlook. This one is the most similar to my tool. It's a simple PoC which uses the Outlook application to execute shellcode. It's the most similar but not specific to web isolation technology, so I can say my research enhances it and analyzes the activity in terms of web isolation technology. SharpGmailC2 as well: it abuses the Gmail process, not Outlook, for C2 communication via SMTP and IMAP. The next one is Azure Outlook C2. It uses the Microsoft Graph API for C2 communication via HTTP/HTTPS, not SMTP, but it's also similar. And send article as well; it's communication through Outlook. These are the related works for my research.

Next I'm going to give a demonstration of the tool I developed, Outlook C2. But before that, let me quickly introduce the Component Object Model. The Component Object Model is a Microsoft technology allowing software components to interact. Microsoft exposes some software as Component Object Model objects to combine different software parts together. They expose Outlook, Office products, Edge and so on to be controlled from a different process. My tool uses the Component Object Model. As I mentioned, Outlook exposes its functionality through the Component Object Model, and thanks to that it enables native tools like PowerShell or .NET to get and send emails via the Outlook process. This is PoC code to get email box contents by PowerShell. With just three lines I can get the inbox of the Outlook process: create an instance of Outlook, and with this code I can get the inbox of the Outlook process. Thanks to that, the key advantage is that I can do task automation and integration without additional software. When I worked for the bank we created tickets based on detection emails from EDR or the SIEM and so on. We couldn't use REST APIs because HTTPS traffic is blocked by the firewall, so we automated the ticketing system using the Outlook process. Thanks to that we can automate some tasks using the Outlook process, but of course I can use it in a bad way as well, so I think I can use it for C2 communication.

This is the overview of Outlook C2 that I developed. It's three steps. First, the Outlook beacon monitors the Outlook process for new emails by PowerShell. The C2 server sends commands like whoami and so on to the client via email, and then the Outlook beacon executes those commands and returns the result to the C2 server using the Outlook process. This is the overview of Outlook C2. It's better to play a movie of my short demonstration. I could not prepare web isolation technology, because I don't have it, so I added a rule to deny HTTP and HTTPS traffic in the Windows host firewall to simulate web isolation technology. Let me play the short movie. Give me a second.

This is the client, the victim side, running Windows, and this is the attacker side. The Outlook beacon is running. I send commands like systeminfo and tasklist in a mail body. Then this beacon analyzes and executes those commands, systeminfo and tasklist, and returns the result back to the C2 server's mail server, and I can get it; it is saved in an email like this. To simulate a more interactive shell, I developed a graphical user interface. I send tasklist or ipconfig or net user and systeminfo, and then that command is executed and the result is displayed in this GUI tool. We can also upload additional payloads, like the recon script I'm uploading, and I can execute that recon script as an additional module. I execute the recon PowerShell script and send it, then this recon PowerShell script runs on the client, the victim side, and it returns a result like what kind of antivirus is running, what kind of processes are running and so on. That's why I can say this tool can upload or download additional modules as well.

I also think this technique goes very well with steganography. Steganography is a technique where malware hides malicious content inside a visual image. In the previous email there was a systeminfo or ipconfig command in the email body, so the user may think this is very suspicious, right? That's why I think it can be good to combine with steganography. I can spoof something like an advertisement email: I create an advertisement email and embed a malicious command into the PNG file. Then the Outlook C2 beacon analyzes that PNG file and executes the command, like ipconfig and whoami and so on. Even if the user notices such an email, this one is a kind of spoofed advertisement email, like "looking for a laptop that works as hard as you do", so I think most users ignore such advertisement emails, but in the background the Outlook C2 beacon analyzes that steganographic email, executes the command and sends the result back to the C2 server. In the PNG file it is just a normal laptop, so the user probably doesn't think it is suspicious. That's why I can say this technique goes very well with steganography. This was a short demonstration movie of my tool; let me go back to the slides.

This is the process flow of Outlook C2. First, it disables notifications; it might not be necessary, but just in case. Then it monitors the Outlook process, and third is communication: it executes commands and returns the results via the Outlook process. It uses the already launched Outlook process, so no authentication is required. The last one is cleanup: it removes emails from the inbox and outbox, just in case. The server side is just a simple GUI interface for sending commands and receiving responses. I didn't demonstrate all of them, but there are other commands as well, like upload and download, list folders and get folders. You can also search for a keyword in the email box as a C2 command, and also forward, as a persistence. This is the MITRE mapping: I combined a couple of MITRE techniques, like Execution, Collection, Command and Control and Exfiltration, into this C2 tool.

This is the network traffic on the client side. As I mentioned, I added an HTTP and HTTPS deny rule on the Windows firewall, but this C2 communication is possible because this C2 tool uses SMTP and IMAP, so the HTTP and HTTPS deny rules don't matter.

Next I would like to compare this tool with general reverse shells. A reverse shell has three steps, as you may know. First, the reverse shell sends requests to the C2 server regularly. Second, the C2 server responds with some commands or other instructions, like whoami or ipconfig and so on. As the last step, the reverse shell executes those commands and returns the results back to the C2 server. This is the general behavior of reverse shells, and the first step is different. A reverse shell needs to send requests to the C2 server regularly, but Outlook C2's first step is different: it is just monitoring the Outlook process for new emails, so there is no traffic unless the C2 server sends commands. I can say Outlook C2 is similar to a bind shell, but a bind shell is usually used for lateral movement only, because a bind shell needs inbound traffic and inbound traffic is usually blocked by the firewall. That's why a bind shell is usually used for lateral movement in the domain. But in this case I use email for inbound traffic, and email is allowed for inbound traffic as well. That's why it's possible to do something like a bind shell with Outlook C2.

This is the process tree of a reverse shell. I think the moment antivirus or EDR most often detects is when it executes a process, or some process writes files to disk and so on. This is the process tree of a reverse shell generated by Metasploit that I executed. Usually a reverse shell writes files by the malware itself for additional payloads, like this: this is a reverse shell, and this malware itself writes another module, like test upload.exe, as a disk operation. Of course you can change the parent process by migrating to another process or injecting, but then the injection itself can often be detected by antivirus. That's why antivirus often detects malware during file write operations. This is the Outlook C2 process tree. In this case Outlook itself writes the other module, like this. That is normal behavior for Outlook, because Outlook needs to write some data to disk, of course. So it's natural behavior, making detection more difficult, I think.

In summary, these are the key threat points of Outlook C2. It operates even in isolated environments like web isolation. It's low traffic, which is the main key threat point, I think: as I mentioned, communication occurs only when the C2 server sends commands. Also, upload and download via Outlook is legitimate, not so suspicious or unusual. And I utilize a technique making it harder for users to identify suspicious emails, so it's more difficult for users to detect.

Of course, there are disadvantages as well. First, it's a little bit slower compared to HTTPS. I think it's a protocol issue, so I cannot help it. Email notifications may trigger a popup, and the user may notice it. In this case, as I demonstrated, I think impersonating advertisement emails that users most likely ignore, using steganography, is one of the good countermeasures. Also, logs remain on the mail server and are easy to investigate. In this case, I think encrypting the email body could be a countermeasure, and using steganography is also one of the countermeasures. The last one is that mail security services like DLP may block it, especially to personal domains. In this case, adversaries may use legitimate domain addresses stolen from botnets like Emotet's. I heard that these days most phishing messages come from legitimate domains. That's why DLP or something may be a good way, but it might not be enough or perfect.

Okay, the last part is mitigation and detection: how to prevent such attacks. The first mitigation is endpoint security. This is the Outlook option. I can change the programmatic access security in the Outlook options to warn about email sending from another process like PowerShell or something. The default setting only triggers warnings if antivirus is inactive or outdated. But if you are a red team, as you may know, evasion of Windows Defender is not very difficult, so I don't think it is enough. Also, this solution might be difficult in environments relying on automated email processing; as I mentioned, when I worked for the bank we created tickets based on detection emails, so this endpoint security policy might be difficult in such cases. But if not, it's one of the good security solutions.

The second one is email policy: restrict emails to personal domains like Gmail and so on. The disadvantage is that some teams need to send emails to personal addresses, like HR or something; if so, then this mitigation may be difficult. And, as I mentioned, adversaries may use legitimate domain addresses stolen from botnets, so this solution might not be enough.

Also detection rules. Actually there are not so many detection rules to detect such C2 communication through SMTP, but still some of them exist, like Elastic. Elastic has "Suspicious Inter-Process Communication via Outlook". This rule might be effective, and Splunk as well. And CrowdStrike, not always but a few times, detected Outlook C2's behavior with an email connection anomaly rule like this. Not every time, but a few times it can detect it, so this is one of the good detection rules, I think.

And this one is a custom rule I developed. As far as I analyzed the behavior of Outlook C2 with Process Monitor, I noticed that the parent process is svchost and the child process is Outlook, and the argument is the Embedding argument. The svchost process manages the execution of the Component Object Model, so if we launch Outlook through the Component Object Model the parent process becomes svchost, and if we launch Outlook normally, by double-click or something, then it starts with explorer.exe as the parent process. So I can use this information to detect it. This is the rule to detect it: the command line is outlook.exe and the parent process is svchost, then I can pull out the execution of Outlook C2 only. And this is the Sigma rule; it's the same: parent process is svchost and Outlook. I made it public on my GitHub, so if you are interested please access my GitHub page.

This is the summary and takeaways. I introduced web isolation technology: what it is and what kinds of threats exist. For email exploitation techniques, I introduced what kinds of techniques exist and what kinds of attackers and malware abuse email. I developed a tool, Outlook C2, and demonstrated how Outlook is controlled via the Component Object Model for C2 communication. Lastly, I introduced mitigation and detection: endpoint and email policy for mitigation, and detection rules in Sigma. That's all for my presentation. Thank you for listening.

>> [applause]
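As an added illustration of the detection idea the speaker describes (Outlook activated through COM has svchost.exe as its parent and the Embedding switch on its command line, while Outlook opened by a user has explorer.exe as its parent), here is a small evaluator for a Sigma-style process-creation rule run over constructed Sysmon-like events. This is example code written for this page; it is not the speaker's Outlook C2 tool, nor the Sigma rule from their GitHub. Assumptions: field names follow Sysmon Event ID 1 / Sigma process_creation conventions (Image, ParentImage, CommandLine, User); the exact spelling of the COM switch ("-Embedding" versus "/Embedding") is assumed, so both are accepted; the sample events and the "svc_ticketing" allow-listed account are constructed placeholders, the latter standing in for the automated email-ticketing case the speaker says makes the endpoint mitigation hard to deploy.

```python
from __future__ import annotations

# Rule modelled on the speaker's observation: COM activation of Outlook shows
# svchost.exe as parent and the Embedding switch on the command line; a
# user-launched Outlook has explorer.exe as parent. Field names follow Sysmon
# Event ID 1 / Sigma process_creation conventions. The spelling of the switch
# ("-Embedding" vs "/Embedding") is an assumption, so both are accepted.
RULE = {
    "title": "Outlook started through COM automation (added example rule)",
    "detection": {
        "selection": {
            "Image|endswith": "\\outlook.exe",
            "ParentImage|endswith": "\\svchost.exe",
            "CommandLine|contains": ["-Embedding", "/Embedding"],
        },
        # Constructed allowlist for the automated-ticketing case the talk
        # mentions: a dedicated service account that drives Outlook via COM.
        "filter_automation": {
            "User|endswith": "\\svc_ticketing",
        },
        "condition": "selection and not filter_automation",
    },
}


def _field_matches(event: dict, key: str, expected) -> bool:
    """Apply one Sigma-style field test ("Field|modifier": value-or-list).

    Sigma string matching is case-insensitive, so both sides are lower-cased.
    A list of expected values is an OR.
    """
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    for cand in candidates:
        cand = str(cand).lower()
        if modifier == "endswith" and actual.endswith(cand):
            return True
        if modifier == "startswith" and actual.startswith(cand):
            return True
        if modifier == "contains" and cand in actual:
            return True
        if modifier == "" and actual == cand:
            return True
    return False


def _search_matches(event: dict, search: dict) -> bool:
    """All field tests inside one named search identifier must hold (AND)."""
    return all(_field_matches(event, k, v) for k, v in search.items())


def rule_matches(rule: dict, event: dict) -> bool:
    """Evaluate the fixed condition 'selection and not filter_*' used above."""
    det = rule["detection"]
    if not _search_matches(event, det["selection"]):
        return False
    filters = [v for k, v in det.items() if k.startswith("filter")]
    return not any(_search_matches(event, f) for f in filters)


def find_alerts(rule: dict, events: list[dict]) -> list[str]:
    """Return the ids of the events the rule fires on, in input order."""
    return [e["id"] for e in events if rule_matches(rule, e)]


# Constructed sample process-creation events (not real telemetry).
OUTLOOK = "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
WINWORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
SAMPLE_EVENTS = [
    {   # Outlook activated through COM from a script running as a normal user.
        "id": "evt-1",
        "Image": OUTLOOK,
        "ParentImage": "C:\\Windows\\System32\\svchost.exe",
        "CommandLine": f'"{OUTLOOK}" -Embedding',
        "User": "CORP\\alice",
    },
    {   # Outlook opened by the user from the Start menu / desktop.
        "id": "evt-2",
        "Image": OUTLOOK,
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": f'"{OUTLOOK}"',
        "User": "CORP\\alice",
    },
    {   # Same COM activation, but by the allow-listed ticketing service account.
        "id": "evt-3",
        "Image": OUTLOOK,
        "ParentImage": "C:\\Windows\\System32\\svchost.exe",
        "CommandLine": f'"{OUTLOOK}" -Embedding',
        "User": "CORP\\svc_ticketing",
    },
    {   # COM activation of a different Office binary; outside this rule's scope.
        "id": "evt-4",
        "Image": WINWORD,
        "ParentImage": "C:\\Windows\\System32\\svchost.exe",
        "CommandLine": f'"{WINWORD}" /Embedding',
        "User": "CORP\\bob",
    },
]

if __name__ == "__main__":
    for event_id in find_alerts(RULE, SAMPLE_EVENTS):
        print("ALERT:", RULE["title"], event_id)
```

Only evt-1 fires: evt-2 has the explorer.exe parent of a normal launch, evt-3 is suppressed by the automation allowlist, and evt-4 is a different Office binary. In a real deployment the Embedding switch appears on any COM-activated Office application, so the rule is deliberately scoped to outlook.exe, and the allowlist should be tuned per automation host rather than on a single account name.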