The Russian state-sponsored hacking group tracked as APT28 has been attributed to a new Microsoft Outlook backdoor called NotDoor in attacks targeting multiple companies from different sectors in NATO member countries.
NotDoor “is a VBA macro for Outlook designed to monitor incoming emails for a specific trigger word,” S2 Grupo’s LAB52 threat intelligence team said. “When such an email is detected, it enables an attacker to exfiltrate data, upload files, and execute commands on the victim’s computer.”
The artifact gets its name from the use of the word “Nothing” within the source code, the Spanish cybersecurity company added. The activity highlights the abuse of Outlook as a stealthy communication, data exfiltration, and malware delivery channel.
The exact initial access vector used to deliver the malware is currently not known, but analysis shows that it’s deployed via Microsoft’s OneDrive executable (“onedrive.exe”) using a technique referred to as DLL side-loading.
This leads to the execution of a malicious DLL (“SSPICLI.dll”), which then installs the VBA backdoor and disables macro security protections.
Specifically, it runs Base64-encoded PowerShell commands to perform a series of actions that involve beaconing to an attacker-controlled webhook[.]site, setting up persistence through Registry modifications, enabling macro execution, and turning off Outlook-related dialogue messages to evade detection.
NotDoor is designed as an obfuscated Visual Basic for Applications (VBA) project for Outlook that makes use of the Application.MAPILogonComplete and Application.NewMailEx events to run the payload every time Outlook is started or a new email arrives.
It then proceeds to create a folder at the path %TEMP%Temp if it does not exist, using it as a staging folder to store TXT files created during the course of the operation and exfiltrate them to a Proton Mail address. It also parses incoming messages for a trigger string, such as “Daily Report,” causing it to extract the embedded commands to be executed.
The malware supports four different commands –
- cmd, to execute commands and return the standard output as an email attachment
- cmdno, to execute commands
- dwn, to exfiltrate files from the victim’s computer by sending them as email attachments
- upl, to drop files to the victim’s computer
“Files exfiltrated by the malware are saved in the folder,” LAB52 said. “The file contents are encoded using the malware’s custom encryption, sent via email, and then deleted from the system.”
The disclosure comes as Beijing-based 360 Threat Intelligence Center detailed Gamaredon‘s (aka APT-C-53) evolving tradecraft, highlighting its use of Telegram-owned Telegraph as a dead-drop resolver to point to command-and-control (C2) infrastructure.
The attacks are also notable for the abuse of Microsoft Dev Tunnels (devtunnels.ms), a service that allows developers to securely expose local web services to the internet for testing and debugging purposes, as C2 domains for added stealth.
“This technique provides twofold advantages: first, the original C2 server IP is completely masked by Microsoft’s relay nodes, blocking threat intelligence tracebacks based on IP reputation,” the cybersecurity company said.
“Second, by exploiting the service’s ability to reset domain names on a minute-by-minute basis, the attackers can rapidly rotate infrastructure nodes, leveraging the trusted credentials and traffic scale of mainstream cloud services to maintain a nearly zero-exposure continuous threat operation.”
Attack chains entail the use of bogus Cloudflare Workers domains to distribute a Visual Basic Script like PteroLNK, which can propagate the infection to other machines by copying itself to connected USB drives, as well as download additional
payloads.
“This attack chain demonstrates a high level of specialized design, employing four layers of obfuscation (registry persistence, dynamic compilation, path masquerading, cloud service abuse) to carry out a fully covert operation from initial implantation to data exfiltration,” 360 Threat Intelligence Center said.
