Recent investigations by security experts have revealed a sophisticated backdoor targeting Microsoft Outlook, developed by a group of Russian cyber threat actors. This malware monitors incoming emails for specific trigger phrases, allowing attackers to extract sensitive data, upload files, and execute commands remotely on compromised systems.
Introducing “NotDoor”
The malware, referred to as “NotDoor” by researchers from S2 Grupo’s LAB52, is attributed to the notorious APT28 group, commonly known as “Fancy Bear.” This group has strong links to the Russian military intelligence agency, the GRU. In their detailed analysis, the researchers emphasized how NotDoor showcases the persistent evolution of APT28, which continually develops new tactics and tools to circumvent established security measures.
The Mechanism Behind the Backdoor
NotDoor is a VBA macro that runs inside Outlook; researchers named it for the term “Nothing” that appears in its code. The backdoor watches incoming email for designated trigger phrases. When it detects one, it gives the attackers the ability to exfiltrate data, upload files onto the victim’s machine, and execute commands. To stay under the radar, NotDoor is delivered through a legitimate, signed Microsoft binary, OneDrive.exe, which is susceptible to DLL side-loading.
DLL Side-Loading and Execution
The malicious DLL, SSPICLI.dll, installs the VBA backdoor and bypasses Outlook’s macro security features. The backdoor code is stored at c:\programdata\testtemp.ini and is started by a loader. This loader runs three Base64-encoded PowerShell commands that write the macros into the Outlook VBA project file at %APPDATA%\Microsoft\Outlook\VbaProject.OTM. It then performs a DNS lookup to confirm that the code executed successfully, and finally sends a request to a designated URL.
Persistent Presence and Trigger Mechanism
To persist on infected machines, the loader modifies Outlook registry keys so that macro execution stays enabled and security dialog prompts are suppressed. Whenever Outlook starts or a new email arrives, NotDoor uses the Application_MAPILogonComplete and Application_NewMailEx events to run its code. If the folder %TEMP%\Temp does not exist, the malware creates it to hold the artifacts it generates. Any files present in this directory when the backdoor runs are sent to a specified email address in a message titled “Re: 0.” Notably, these files are deleted after the send attempt, whether or not it succeeded.
Trigger Words and Command Execution
When a new email arrives, NotDoor scans it for predetermined strings. If one matches, it parses the email to extract commands for execution. In the analyzed sample the trigger phrase was “Daily Report,” though the malware’s flexibility suggests that other triggers can be used in different campaigns. Once activated, the malware also deletes the triggering email from the inbox, further concealing its activity.
Detection Challenges
The researchers provided SHA256 hashes for files related to NotDoor, noting that at the time of their report, only four out of 72 security vendors successfully detected this malware. The specific hashes noted were:
- SSPICLI.dll: 5a88a15a1d764e635462f78a0cd958b17e6d22c716740febc114a408eef66705
- testtemp.ini: 8f4bca3c62268fff0458322d111a511e0bcfba255d5ab78c45973bd293379901
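The artifacts described above (the dropped configuration file, a side-loaded SSPICLI.dll beside OneDrive.exe, the Outlook VBA project file, weakened Outlook macro settings, and the %TEMP%\Temp staging folder) can be checked on a single host with a short hunt script. The PowerShell below is an added example, not code from the LAB52 report or the article. The file paths and SHA256 values come from the text; the Outlook registry value names (Security\Level and Options\General\PONT_STRING) and the directories searched for SSPICLI.dll are assumptions based on Outlook’s documented macro-security settings, not values named on the page.

```powershell
# Added hunt script (not part of the LAB52 report). Run it as the affected user:
# the Outlook keys live under HKCU and VbaProject.OTM under that user's APPDATA.
$Findings = New-Object System.Collections.Generic.List[string]

# SHA256 values published in the report (uppercase, as Get-FileHash returns them)
$KnownHashes = @{
    'SSPICLI.dll'  = '5A88A15A1D764E635462F78A0CD958B17E6D22C716740FEBC114A408EEF66705'
    'testtemp.ini' = '8F4BCA3C62268FFF0458322D111A511E0BCFBA255D5AB78C45973BD293379901'
}

function Test-KnownHash {
    param([string]$Path)
    $name = Split-Path -Leaf $Path
    if (-not $KnownHashes.ContainsKey($name)) { return $false }
    $hash = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
    return $hash -eq $KnownHashes[$name]
}

function Describe-Hash([string]$Path) {
    if (Test-KnownHash $Path) { 'hash matches report' } else { 'hash differs from report' }
}

# 1. Backdoor code dropped by the side-loaded DLL (any presence is suspicious)
$ini = 'C:\ProgramData\testtemp.ini'
if (Test-Path $ini) {
    $Findings.Add("testtemp.ini present at $ini ($(Describe-Hash $ini))")
}

# 2. SSPICLI.dll outside the Windows directory. The legitimate copy lives under
#    %SystemRoot%; a copy next to OneDrive.exe is the side-loading layout described.
#    Assumption: ProgramData and the user profile are the places worth searching.
$searchRoots = @($env:ProgramData, $env:USERPROFILE) | Where-Object { $_ }
foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Filter 'SSPICLI.dll' -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.DirectoryName -notlike "$env:SystemRoot\*" } |
        ForEach-Object {
            $besideOneDrive = Test-Path (Join-Path $_.DirectoryName 'OneDrive.exe')
            $Findings.Add("SSPICLI.dll at $($_.FullName) ($(Describe-Hash $_.FullName); OneDrive.exe beside it: $besideOneDrive)")
        }
}

# 3. Outlook VBA project file. Presence alone is not malicious (users who write
#    their own Outlook macros have one), so report it with its timestamp for triage.
$otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
if (Test-Path $otm) {
    $info = Get-Item $otm
    $Findings.Add("Outlook VBA project present: $otm (last written $($info.LastWriteTime), $($info.Length) bytes)")
}

# 4. Outlook macro-security settings the loader weakens. Assumption: Level=1 under
#    Outlook\Security means "enable all macros", and a PONT_STRING value under
#    Outlook\Options\General suppresses Outlook's warning dialogs.
foreach ($ver in @('16.0', '15.0', '14.0')) {
    $sec = "HKCU:\Software\Microsoft\Office\$ver\Outlook\Security"
    $level = (Get-ItemProperty -Path $sec -Name Level -ErrorAction SilentlyContinue).Level
    if ($level -eq 1) {
        $Findings.Add("Outlook $ver macro security Level=1 (all macros enabled) at $sec")
    }
    $gen = "HKCU:\Software\Microsoft\Office\$ver\Outlook\Options\General"
    $pont = (Get-ItemProperty -Path $gen -Name PONT_STRING -ErrorAction SilentlyContinue).PONT_STRING
    if ($pont) {
        $Findings.Add("Outlook $ver prompt suppression PONT_STRING='$pont' at $gen")
    }
}

# 5. Staging folder whose contents the backdoor mails out and then deletes
$staging = Join-Path $env:TEMP 'Temp'
if (Test-Path $staging) {
    $count = (Get-ChildItem -Path $staging -File -ErrorAction SilentlyContinue | Measure-Object).Count
    $Findings.Add("Staging folder $staging exists with $count file(s)")
}

if ($Findings.Count -eq 0) {
    Write-Output 'No NotDoor artifacts found on this host.'
} else {
    Write-Output "Potential NotDoor artifacts ($($Findings.Count)):"
    $Findings | ForEach-Object { Write-Output " - $_" }
}
```

Hash matches are the strongest signal; a differing hash on a file at one of these paths still deserves a look, since a recompiled DLL or edited configuration would not match the published values. The VbaProject.OTM and registry checks are context rather than verdicts: a user who has enabled macros for their own Outlook automation will trip them without being infected.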
In Conclusion
As cyber threats continue to evolve, the discovery of NotDoor underscores the importance of robust email security measures and continuous monitoring for unusual activities within organizations. This malware not only highlights the threat posed by APT28 but also serves as a reminder of the necessity for businesses to remain vigilant against emerging cyber risks.