
Introduction to ‘NotDoor’ Malware
A sophisticated backdoor, attributed to the Russian cyber-espionage group APT28, facilitates data exfiltration, file uploads, and command execution on compromised computers.
Target and Attribution
The malware targets Microsoft Outlook, enabling threat actors to steal data and control affected machines. Known as “NotDoor,” it is linked to APT28, also referred to as Fancy Bear. The findings were published by LAB52 of Spanish cybersecurity firm S2 Grupo.
Technical Details
NotDoor is crafted in Visual Basic for Applications (VBA), the scripting language for automating tasks in Microsoft Office applications. The malware monitors incoming emails for specific trigger words, such as “Daily Report,” to activate and execute malicious commands.
Persistence Mechanisms
The malware uses legitimate Outlook features to evade detection and maintain persistence, employing event-driven VBA triggers such as Application_MAPILogonComplete and Application_NewMailEx.
Evasion Techniques
- Code Obfuscation: The malware’s code is obfuscated with randomized variable names and a custom encoding method to hinder analysis.
- DLL Side-Loading: It uses a legitimate Microsoft binary, OneDrive.exe, to load a malicious DLL file, so the malicious code runs under a trusted process.
- Registry Modification: NotDoor modifies Outlook’s registry settings to disable security warnings and other prompts, allowing silent operation.
Operational Impact
Once active, the backdoor creates a hidden directory for temporary file storage; the files placed there are exfiltrated to an attacker-controlled email address (a.matti444@proton[.]me) and then deleted. Callbacks to a webhook site confirm successful execution.
APT28, associated with Russia’s General Staff Main Intelligence Directorate (GRU), has been linked to numerous high-profile cyberattacks, including the 2016 Democratic National Committee breach.
Recommendations
Organizations are advised to disable macros by default, monitor Outlook for unusual activity, and inspect email triggers that could be exploited by malware like NotDoor.
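The following read-only PowerShell check is an added example, not code from the article or from LAB52: it inspects the Outlook VBA project file and the per-version macro security values that a VBA-based backdoor like NotDoor depends on (the startup trigger Application_MAPILogonComplete only fires if Outlook loads its VBA project at all). The registry value names Level and LoadMacroProviderOnBoot are Outlook's own settings; the page itself names neither, so treat the thresholds below as a baseline to tune, not as indicators from the report.

```powershell
# Added example (not from the article or the LAB52 report): baseline check of Outlook
# macro settings for a VBA backdoor such as NotDoor. Read-only; run as the profile user.
$findings = @()

# 1. Outlook keeps all user macros in a single VBA project file. On workstations
#    where nobody writes Outlook macros, its mere presence deserves a review.
$otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
if (Test-Path $otm) {
    $f = Get-Item $otm
    $findings += [pscustomobject]@{
        Check  = 'VbaProject.OTM present'
        Value  = "$($f.Length) bytes, modified $($f.LastWriteTime)"
        Status = 'REVIEW'
    }
}

# 2. Per-version Outlook macro security values under HKCU.
#    Level: 1 = enable all macros, 2 = notify for all, 3 = notify for signed only
#    (default), 4 = disable all. LoadMacroProviderOnBoot = 1 makes Outlook load the
#    VBA project at startup, which a startup-event macro needs in order to run.
$versions = Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d+\.\d+$' }

foreach ($ver in $versions) {
    $key = Join-Path $ver.PSPath 'Outlook\Security'
    if (-not (Test-Path $key)) { continue }
    $p     = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $level = $p.Level
    $load  = $p.LoadMacroProviderOnBoot

    $levelValue  = if ($null -eq $level) { '(not set, default 3)' } else { $level }
    $levelStatus = if ($level -eq 1) { 'ALERT' } else { 'OK' }
    $findings += [pscustomobject]@{
        Check  = "$($ver.PSChildName) Outlook\Security\Level"
        Value  = $levelValue
        Status = $levelStatus
    }

    $loadValue  = if ($null -eq $load) { '(not set)' } else { $load }
    $loadStatus = if ($load -eq 1) { 'REVIEW' } else { 'OK' }
    $findings += [pscustomobject]@{
        Check  = "$($ver.PSChildName) Outlook\Security\LoadMacroProviderOnBoot"
        Value  = $loadValue
        Status = $loadStatus
    }
}

$findings | Format-Table -AutoSize
```

Settings enforced by Group Policy live under the Policies hive rather than HKCU\Software\Microsoft\Office and are not covered by this check.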