New GONEPOSTAL Malware Exploits Outlook for Command-and-Control Communications
The malware demonstrates an innovative approach to command-and-control communications by weaponizing Microsoft Outlook’s email functionality as a covert backdoor channel.
GONEPOSTAL operates through a multi-component architecture consisting of a malicious dropper DLL and an obfuscated, password-protected VbaProject.OTM file containing Outlook macros.
The attack begins with SSPICLI.dll (MD5: 2dc21fab89bca42d2de4711a7ef367f1), an unsigned malicious DLL masquerading as Microsoft’s legitimate security support provider interface library.
The malicious DLL uses DLL forwarding, redirecting all 105 of its exported functions to a renamed copy of the legitimate DLL (tmp7EC9.dll), so the host application keeps working normally while the malicious code runs from the DllMain execution path.
Upon execution, the malware runs four encoded PowerShell commands designed to establish persistence and exfiltrate victim information.
The primary payload copies testtemp.ini to the Outlook profile directory as VbaProject.OTM, while three additional commands perform reconnaissance using the webhook.site and oast.fun services to capture usernames and IP addresses through DNS and HTTP requests.
These services provide redundant communication channels, should security tools block one method.
GONEPOSTAL modifies three critical Windows registry values to enable macro execution. The malware sets LoadMacroProviderOnBoot to 1, enabling automatic macro loading at Outlook startup, and configures the security level to 1, effectively allowing all macros without user prompts.
Additionally, it sets PONT_STRING to “32,” suppressing security dialog boxes that would usually warn users about downloaded content.
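A defender can turn the three registry changes described above into a host check. The following is an added example, not code from the article or its source report: it evaluates an offline snapshot of Outlook registry values (for example, parsed from a .reg export), and the HKCU key paths and the value name Level for the "security level" setting are assumptions, since the article names the values but not their keys.

```python
# Added example: flags the Outlook macro settings GONEPOSTAL is reported to change.
# Evaluates an offline snapshot of registry values, so it runs without Windows.
from typing import Iterable

# Assumed HKCU key paths; the article names the values, not the keys.
SECURITY_KEY = r"Software\Microsoft\Office\16.0\Outlook\Security"
GENERAL_KEY = r"Software\Microsoft\Office\16.0\Outlook\Options\General"

# (key, value name, value the article says the malware writes, finding text)
SUSPICIOUS_SETTINGS = [
    (SECURITY_KEY, "LoadMacroProviderOnBoot", 1, "macros auto-load at Outlook start"),
    (SECURITY_KEY, "Level", 1, "all macros allowed without prompting"),
    (GENERAL_KEY, "PONT_STRING", "32", "download-warning dialog suppressed"),
]


def assess_outlook_macro_settings(snapshot: dict) -> list:
    """Return one finding per setting that holds the reported malicious value.

    `snapshot` maps (key path, value name) -> value, e.g. parsed from a .reg export.
    PONT_STRING is a REG_SZ holding a comma-separated list of suppressed dialog
    ids (the article quotes "32,"), so "32" is matched as a list element.
    """
    findings = []
    for key, name, bad, text in SUSPICIOUS_SETTINGS:
        value = snapshot.get((key, name))
        if value is None:
            continue
        if name == "PONT_STRING":
            hit = bad in [p.strip() for p in str(value).split(",")]
        else:
            hit = value == bad
        if hit:
            findings.append(f"{key}\\{name}={value!r}: {text}")
    return findings


def risk_score(findings: Iterable[str]) -> str:
    """Hypothetical triage scale; all three settings together match the report."""
    n = sum(1 for _ in findings)
    return {0: "clean", 1: "review", 2: "suspicious"}.get(n, "high")


# Constructed sample: a host after the three reported registry changes.
SAMPLE_SNAPSHOT = {
    (SECURITY_KEY, "LoadMacroProviderOnBoot"): 1,
    (SECURITY_KEY, "Level"): 1,
    (GENERAL_KEY, "PONT_STRING"): "32,",
}
```

Running `assess_outlook_macro_settings(SAMPLE_SNAPSHOT)` returns three findings and `risk_score` labels the host "high"; a single hit (for example, a user who legitimately disabled one dialog) only rates "review".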
The VbaProject.OTM file houses the core backdoor functionality, utilizing password protection as an obfuscation layer. The macros employ base64 encoding with offset interpretation for configuration strings, making analysis more challenging while maintaining functionality.
The backdoor activates through Application_MAPILogonComplete() during Outlook startup, initializing configuration parameters and establishing email monitoring capabilities.
The malware monitors incoming emails through Application_NewMailEx(), processing C2 instructions embedded within legitimate email traffic.
GONEPOSTAL supports four primary command types: cmd (command execution with output capture), cmdNo (command execution without output), upload (file reception), and download (file exfiltration).
File operations utilize chunking mechanisms with 3.15-megabyte buffer sizes to facilitate transfer through email attachments, while command execution leverages PowerShell sessions for payload delivery.
This living-off-the-land approach represents a significant evolution in APT28’s tactics, exploiting trusted business communication channels to maintain persistent, stealthy access while evading traditional network-based detection mechanisms.
The post New GONEPOSTAL Malware Exploits Outlook for Command-and-Control Communications appeared first on Cyber Security News.