
New Backdoor used against Microsoft Outlook - ComLook

January 24, 2022

ComLook carries three hard-coded credential sets for mailboxes. For each inbox, ComLook polls a different folder for new commands and uploads results to it. The commands are encrypted. The attacker can execute cmd commands, upload and download files, and update ComLook's configuration. All three mail servers appear to be compromised servers on which Turla ran its own mail server instance. The communication is encrypted (IMAPS); some code hints that earlier versions used plain IMAP. ComLook registers itself in Microsoft Outlook using "The Bat!", similarly to Turla Outlook, but no code similarity was found. Based on the submission country and the mail addresses, ClearSky assesses with high confidence that the backdoor was used against an Azerbaijani target. The compilation timestamp was changed, but the export table timestamp hints that the binary was compiled in June 2019. Two of the mail servers appear to be down, and the third no longer accepts the hard-coded credentials.