#
Emotet's Outlook Scraper
Microsoft Outlook Scraper that retrieves information from the victim's inbox.
#
Build Implant
Open the command prompt (cmd.exe), navigate to directory containing the Outlook Scaper Visual Studio solution file (OutlookScraper.sln), and run the devenv.exe command:
cd wizard_spider\Resources
"C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\devenv.exe" OutlookScraper.sln /build Release
The dll will be found in the Release folder.
#
Test Instructions
Open the command prompt (cmd.exe), navigate to directory containing the Emotet Client DLL Visual Studio solution file (OutlookScraper.sln), and run the devenv.exe command:
cd wizard_spider\Resources
"C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\Common7\IDE\devenv.exe" OutlookScraper.sln
Previous command will open project in Visual Studio, run all tests by opening the Test Explorer and clicking in on "Run All Test In View".
Test > Test Explorer > "Run All Test In View" button
#
Usage Examples
Exports two functions. One function retrieves emails from the victim's inbox that may contain passwords. The other function retrieves a list of email addresses found in the inbox.
getCredentials
getEmailAddresses
Both functions have the functionality to stop and restart the Outlook application. This will force the application to load with the same privilege as the calling implant.
#
Cleanup Instructions
del OutlookScraper.dll
#
Misc
Requires range configuration to remove Outlook prompt when DLL is accessing Outlook via PowerShell.
(PowerShell) New-Item –Path "HKLM:\SOFTWARE\Microsoft\Office\16.0\Outlook" –Name Security
(PowerShell) New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Office\16.0\Outlook\Security" -Name "ObjectModelGuard" -Value 2 -PropertyType "DWord"
For the changes to take effect, you must restart the Outlook Client
#
CTI Evidence
https://attack.mitre.org/software/S0367 https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/ https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/