Russian APT28 Deploys NotDoor Outlook Backdoor Targeting NATO Companies

The Russian state-sponsored group tracked as APT28 (also known as Fancy Bear) has been observed deploying a new Microsoft Outlook backdoor, named NotDoor, against companies across NATO member countries. The malware does not rely on a software flaw; it abuses Outlook's own VBA event model to watch incoming mail for a trigger string, and on that trigger exfiltrates data, uploads files, and executes commands on the compromised host.

Deployment and Execution Mechanism

How NotDoor first reaches a target is not yet known. The execution chain, however, has been analysed: the backdoor is launched through Microsoft's signed OneDrive client (onedrive.exe) by DLL side-loading. A malicious SSPICLI.dll placed next to the executable is loaded in place of the legitimate Windows library of the same name; it then installs the VBA backdoor into Outlook and changes the registry so that Outlook loads and runs it without the usual macro protections.

Once installed, NotDoor runs Base64-encoded PowerShell commands to:

– check in with an attacker-controlled webhook site to confirm successful deployment;

– establish persistence through Windows Registry changes that cause Outlook to load the VBA project at startup;

– enable macro execution within Outlook, again by rewriting the relevant registry value;

– suppress the Outlook security prompts and dialog boxes that would otherwise reveal the macro's activity to the user.
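The deployment chain above leaves three distinct traces in endpoint telemetry: an image load of SSPICLI.dll by onedrive.exe from a non-system path, a PowerShell process with an encoded command line, and registry writes to Outlook's macro settings. The script below is an added example, not code from the original report, that runs detection logic for each of them over constructed Sysmon-style records. The field names (Image, ImageLoaded, CommandLine, TargetObject, Details) mirror Sysmon's ProcessCreate, ImageLoad and RegistryValueSet events, and the sample data, user name, SID and encoded command are all made up for the demo.

```powershell
# Added example (not from the original report): NotDoor deployment-chain detections
# over constructed Sysmon-style events. IDs: 1 = ProcessCreate, 7 = ImageLoad,
# 13 = RegistryValueSet. Field names and sample records are assumptions for the demo.

function Test-SideLoadedSspicli {
    param([pscustomobject]$Event)
    if ($Event.EventId -ne 7) { return $false }
    $exe = [IO.Path]::GetFileName($Event.Image)
    $dll = [IO.Path]::GetFileName($Event.ImageLoaded)
    # The genuine SSPICLI.dll lives under the Windows system directories. onedrive.exe
    # loading a same-named DLL from anywhere else is the side-loading pattern.
    return ($exe -ieq 'onedrive.exe') -and ($dll -ieq 'sspicli.dll') -and
           ($Event.ImageLoaded -notmatch '(?i)^[a-z]:\\windows\\(system32|syswow64)\\')
}

function Get-EncodedPowerShellPayload {
    param([pscustomobject]$Event)
    if ($Event.EventId -ne 1) { return $null }
    # -e / -ec / -enc / -EncodedCommand all take Base64 of a UTF-16LE string.
    if ($Event.CommandLine -match '(?i)\s-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
        return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
    }
    return $null
}

function Test-OutlookMacroRegistryTamper {
    param([pscustomobject]$Event)
    if ($Event.EventId -ne 13) { return $false }
    # Security\Level = 1 enables all macros; LoadMacroProviderOnBoot = 1 makes Outlook
    # load its VBA project at startup. Either change outside a policy rollout is suspicious.
    return $Event.TargetObject -match '(?i)\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\(Security\\Level|LoadMacroProviderOnBoot)$'
}

function Invoke-NotDoorTriage {
    param([pscustomobject[]]$Events)
    foreach ($e in $Events) {
        if (Test-SideLoadedSspicli $e) {
            "[side-load] $($e.Image) loaded $($e.ImageLoaded)"
        }
        $payload = Get-EncodedPowerShellPayload $e
        if ($payload) { "[encoded-ps] $($e.Image) ran: $payload" }
        if (Test-OutlookMacroRegistryTamper $e) {
            "[registry] $($e.TargetObject) set to $($e.Details)"
        }
    }
}

# Constructed sample telemetry. The encoded command is built here so the demo is honest
# about its content; a real sample would carry the webhook check-in the report describes.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Write-Output "constructed sample"'))
$sampleEvents = @(
    [pscustomobject]@{ EventId = 7; Image = 'C:\Users\alice\AppData\Local\Microsoft\OneDrive\onedrive.exe'
                       ImageLoaded = 'C:\Users\alice\AppData\Local\Microsoft\OneDrive\SSPICLI.dll' }
    [pscustomobject]@{ EventId = 7; Image = 'C:\Users\alice\AppData\Local\Microsoft\OneDrive\onedrive.exe'
                       ImageLoaded = 'C:\Windows\System32\SSPICLI.dll' }   # benign load, must not alert
    [pscustomobject]@{ EventId = 1; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = "powershell.exe -nop -w hidden -enc $encoded" }
    [pscustomobject]@{ EventId = 13; TargetObject = 'HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Outlook\Security\Level'
                       Details = 'DWORD (0x00000001)' }
)

Invoke-NotDoorTriage -Events $sampleEvents
```

On a live host the same functions can be fed from Get-WinEvent on the Microsoft-Windows-Sysmon/Operational log (IDs 1, 7 and 13) after mapping each event's XML data fields onto the property names used here. The second image-load record is deliberately benign: a rule that fires on every onedrive.exe load of SSPICLI.dll, rather than only on loads from outside the system directories, would page on every workstation.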

Functionality and Capabilities

NotDoor is an obfuscated Visual Basic for Applications (VBA) project for Outlook. It hooks the Application.MAPILogonComplete event (fired once Outlook has finished logging on to the mail store) and the Application.NewMailEx event (fired for each newly arrived item), so its payload runs at every Outlook start and on every incoming message. The malware creates %TEMP%\Temp as a staging area for the text files it generates during operation; those files are then exfiltrated by email to an attacker-controlled Proton Mail address.

The backdoor monitors incoming emails for specific trigger strings, such as Daily Report. Upon detecting such a trigger, it extracts and executes embedded commands. NotDoor supports four primary commands:

1. cmd: Executes commands and returns the standard output as an email attachment.

2. cmdno: Executes commands without returning output.

3. dwn: Exfiltrates files from the victim’s computer by sending them as email attachments.

4. upl: Uploads files to the victim’s computer.

Exfiltrated files are first written to the staging folder, encoded with the malware's custom scheme, sent by email, and then deleted from disk to limit the forensic traces of the intrusion.

Broader Context and Implications

The emergence of NotDoor shows APT28 continuing to build tooling on top of widely deployed software such as Microsoft Outlook. Running as a VBA project inside a trusted, signed application and using ordinary email as its command channel, the backdoor blends into normal mail traffic and is well placed to keep long-term access to a compromised system.

This development coincides with reports from the 360 Threat Intelligence Center on another threat actor, Gamaredon (tracked by 360 as APT-C-53). Gamaredon has been observed using Telegram's Telegraph service as a dead-drop resolver to look up its command-and-control (C2) infrastructure, and abusing Microsoft Dev Tunnels (devtunnels.ms) to mask C2 traffic: Microsoft's relay nodes hide the real C2 server address and let the operators rotate endpoints quickly.

These tactics highlight a broader trend among state-sponsored actors to abuse legitimate services and platforms to conduct covert operations, complicating attribution and mitigation efforts.

Recommendations for Mitigation

Organizations are advised to implement the following measures to defend against threats like NotDoor:

– Disable Macros by Default: Outlook's macro setting is separate from Word's and Excel's and lives in the user's registry hive, which is exactly the value NotDoor rewrites. Enforce it through Group Policy, which takes precedence over the per-user value, rather than relying on the Trust Center default.

– Monitor for Unusual Activity: Alert on onedrive.exe loading SSPICLI.dll from anywhere other than the Windows system directories, on Base64-encoded PowerShell launched in user context, on writes to Outlook's macro security registry values, and on changes to Outlook's VBA project file (VbaProject.OTM).

– Implement Email Filtering: Deploy advanced email filtering solutions to detect and block emails containing known malicious indicators or suspicious attachments.

– Educate Employees: Conduct regular training sessions to raise awareness about phishing tactics and the importance of not enabling macros in unsolicited documents.

– Apply Security Updates: Ensure that all software, especially Microsoft Office applications, is up to date with the latest security patches to mitigate known vulnerabilities.
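The first two recommendations, together with the host artifacts described in the Functionality section (the %TEMP%\Temp staging directory, the side-loaded DLL next to onedrive.exe and the VBA project Outlook loads at start), can be checked on a single workstation with the following script. It is an added example, not code from the original report. It assumes Office version 16.0 (Outlook 2016/2019/365), a per-user OneDrive install under %LOCALAPPDATA%, and policy-based remediation through the HKCU Policies hive; the function names are the author's own.

```powershell
# Added example (not from the original report): audit the current user's Outlook macro
# posture and NotDoor-style artifacts, then optionally pin the macro setting by policy.
# Office version 16.0 and the policy-based fix are assumptions made for this example.
$OfficeVersion = '16.0'
$UserKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook"
$PolicyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Security"

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-OutlookMacroPosture {
    # VbaProject.OTM is where Outlook stores its VBA project; most users never have one.
    $otm = Get-Item -LiteralPath "$env:APPDATA\Microsoft\Outlook\VbaProject.OTM" -ErrorAction SilentlyContinue
    $otmModified = if ($otm) { $otm.LastWriteTime } else { $null }
    # A SSPICLI.dll under the per-user OneDrive install is the side-loading artifact
    # (per-machine installs under Program Files would need a second search path).
    $sideLoaded = @(Get-ChildItem -LiteralPath "$env:LOCALAPPDATA\Microsoft\OneDrive" -Filter 'SSPICLI.dll' `
                    -Recurse -ErrorAction SilentlyContinue).FullName
    [pscustomobject]@{
        # Security\Level: 1 = enable all macros (what the backdoor sets), 4 = disable all.
        UserMacroLevel          = Get-RegistryValueOrNull "$UserKey\Security" 'Level'
        PolicyMacroLevel        = Get-RegistryValueOrNull $PolicyKey 'Level'
        LoadMacroProviderOnBoot = Get-RegistryValueOrNull $UserKey 'LoadMacroProviderOnBoot'
        VbaProjectOtmModified   = $otmModified
        StagingDirPresent       = Test-Path -LiteralPath "$env:TEMP\Temp" -PathType Container
        SideLoadedSspicli       = $sideLoaded
    }
}

function Test-NotDoorIndicators {
    param([pscustomobject]$Posture)
    $findings = @()
    if ($Posture.UserMacroLevel -eq 1)          { $findings += 'Outlook is set to enable all macros' }
    if ($Posture.LoadMacroProviderOnBoot -eq 1) { $findings += 'Outlook loads its VBA project at startup' }
    if ($Posture.VbaProjectOtmModified)         { $findings += "VbaProject.OTM present (modified $($Posture.VbaProjectOtmModified))" }
    if ($Posture.StagingDirPresent)             { $findings += '%TEMP%\Temp staging directory exists' }
    if ($Posture.SideLoadedSspicli)             { $findings += "SSPICLI.dll under OneDrive: $($Posture.SideLoadedSspicli -join ', ')" }
    return $findings
}

function Set-OutlookMacrosDisabled {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # The policy hive takes precedence over the per-user key the backdoor rewrites, so
    # pinning Level here holds even if the malware re-enables macros in HKCU\Software\Microsoft.
    # HKCU\Software\Policies is not writable by a standard user: run elevated or deploy via GPO.
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set Level = 4 (disable all macros without notification)')) {
        New-Item -Path $PolicyKey -Force | Out-Null
        Set-ItemProperty -LiteralPath $PolicyKey -Name 'Level' -Value 4 -Type DWord
    }
}

$posture = Get-OutlookMacroPosture
$posture | Format-List
$findings = Test-NotDoorIndicators -Posture $posture
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No NotDoor indicators found.' }
# Preview the hardening step; drop -WhatIf to apply it.
Set-OutlookMacrosDisabled -WhatIf
```

Any one finding on its own is weak evidence: a developer may legitimately have a VbaProject.OTM, and an empty %TEMP%\Temp can be left behind by other software. The combination of a user-level Level of 1, LoadMacroProviderOnBoot set, and a recently modified VbaProject.OTM on a host that never had a VBA project is the pattern worth escalating, and the OTM file itself should be preserved before any cleanup.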

By adopting these proactive measures, organizations can enhance their resilience against sophisticated threats like NotDoor and safeguard their critical assets from potential compromise.