Insights into the NotDoor Malware Exploit by APT28
Overview of NotDoor
A recent cybersecurity alert has highlighted the emergence of a sophisticated backdoor known as NotDoor, attributed to the Russian hacking group APT28. This malware is primarily targeting various businesses across NATO nations, showcasing its capability to exploit Microsoft Outlook vulnerabilities. With growing concerns about cybersecurity, this development emphasizes the need for vigilance among organizations.
How NotDoor Operates
According to the threat intelligence team at S2 Grupo’s LAB52, NotDoor operates as a Visual Basic for Applications (VBA) macro within Outlook. Its primary function is to monitor incoming emails for specific trigger words. Upon detection, it allows attackers to carry out several malicious activities, including data exfiltration, uploading files, and executing commands on the infected systems.
Origin of the Name
The malware gets its name from the use of the term "Nothing" in its source code, a detail brought to light by S2 Grupo. This reflects how attackers are leveraging Outlook as a subtle platform for both communication and the delivery of malware, highlighting the pressing issue of email security in corporate environments.
Delivery Mechanism
While the exact method of initial infection remains uncertain, analysis indicates that NotDoor is delivered through Microsoft's OneDrive executable using a technique known as DLL side-loading. This process leads to the execution of a malicious Dynamic Link Library (DLL) file, specifically "SSPICLI.dll," which installs the VBA backdoor and weakens Outlook's macro security settings so the backdoor can run.
Execution Process
Once initiated, NotDoor runs Base64-encoded PowerShell commands to perform several key functions. These include:
- Connecting to a command-and-control (C2) server to receive instructions.
- Setting up persistence through modifications to the Windows Registry.
- Enabling macro execution in Outlook, bypassing its built-in security dialogs.
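As an added example (not code from the LAB52 report or this article), the following Python shows how a SOC could hunt for the PowerShell stage described above: it decodes the Base64/UTF-16LE blob that follows PowerShell's -EncodedCommand switch in constructed process-creation log lines and flags decoded scripts that touch Outlook's macro-security registry values. The HKCU Outlook\Security "Level" value and "LoadMacroProviderOnBoot" are Outlook's real settings; the log lines, scripts and indicator names are constructed for the example.

```python
import base64
import binascii
import re

# Matches the -e/-ec/-en/-enc/-EncodedCommand switch followed by a Base64 blob.
ENC_FLAG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Behaviours the write-up attributes to NotDoor's PowerShell stage (the registry
# locations are Outlook's real macro-security settings; the patterns are ours).
INDICATORS = {
    "outlook_macro_security_key": re.compile(r"Outlook\\Security", re.IGNORECASE),
    "macro_provider_on_boot": re.compile(r"LoadMacroProviderOnBoot", re.IGNORECASE),
    "vbaproject_otm": re.compile(r"VbaProject\.OTM", re.IGNORECASE),
    "run_key_persistence": re.compile(r"CurrentVersion\\Run\b", re.IGNORECASE),
}

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return None
    return raw.decode("utf-16-le", errors="replace")  # PowerShell uses UTF-16LE

def analyse(cmdline):
    """Decode one process-creation command line and list the indicators it matches."""
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return {"encoded": False, "decoded": None, "hits": []}
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return {"encoded": True, "decoded": decoded, "hits": hits}

def to_encoded(script):
    """Encode a script the way PowerShell expects for -EncodedCommand (test data only)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def make_sample_lines():
    """Constructed 4688-style lines. The second mimics the macro-enabling registry
    edits the write-up describes; it is not NotDoor's actual script."""
    key = "HKCU:\\Software\\Microsoft\\Office\\16.0\\Outlook"
    benign = "Get-ChildItem C:\\Logs | Measure-Object"
    suspicious = (f"Set-ItemProperty -Path '{key}\\Security' -Name Level -Value 1; "
                  f"Set-ItemProperty -Path '{key}' -Name LoadMacroProviderOnBoot -Value 1")
    return ["4688 powershell.exe -NoP -W Hidden -enc " + to_encoded(benign),
            "4688 powershell.exe -NoP -W Hidden -enc " + to_encoded(suspicious),
            "4688 notepad.exe C:\\Users\\alice\\notes.txt"]
```

Running analyse over real 4688 or Sysmon event 1 command lines works the same way; an encoded command with no hits is still worth a look, since the decoder only scores the behaviours listed above.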
Functionality and Commands
NotDoor is engineered to activate whenever Outlook is launched or when a new email is received. Specifically, it utilizes Application.MAPILogonComplete and Application.NewMailEx events to trigger its payload. This operation involves the creation of a temporary folder within the system, where it stores text files that can then be exfiltrated.
The malware supports a range of commands, which include:
- cmd – Executes commands and returns the output as an email attachment.
- cmdno – Executes commands without sending output.
- dwn – Exfiltrates files from the victim’s computer as email attachments.
- upl – Uploads files to the victim’s system.
According to LAB52, files exfiltrated are stored in the designated temp folder, encrypted with the malware’s custom algorithm, and transmitted via email before being removed from the local system.
Other Notable Attack Techniques
Alongside the NotDoor disclosure, the Beijing-based 360 Threat Intelligence Center recently reported on evolving tactics employed by the group known as Gamaredon, also referred to as APT-C-53. This group is noted for its use of platforms like Telegram as a dead-drop resolver, enhancing the stealth of its operations.
Use of Microsoft Dev Tunnels
The attacks also reveal a concerning use of Microsoft Dev Tunnels. This service is intended to let developers expose local web services securely. However, attackers have employed it as a means to operate C2 domains, gaining an extra layer of anonymity. This abuse of a legitimate service hides the true IP addresses behind Microsoft's relay nodes, complicating threat intelligence efforts that track malicious activity.
Conclusion
The NotDoor malware is an evolving risk that underscores the importance of robust cybersecurity measures for organizations using Microsoft Outlook and other widely-utilized platforms. As cyber threats continue to refine their tactics, staying informed about emerging threats and maintaining proactive security protocols will be critical for safeguarding sensitive data and operations.