
Russian APT28 Deploys ‘NotDoor’ Backdoor to Target Microsoft Outlook

Summary

– Researchers at S2 Grupo have identified a new Outlook backdoor called NotDoor, attributed to the Russia-backed APT28 group, which exfiltrates data and executes commands.
– NotDoor is a sophisticated VBA-based malware that abuses Outlook’s event triggers to monitor emails for specific words and activate malicious payloads.
– The malware uses obfuscation, DLL side-loading via a signed Microsoft binary, and registry modifications to ensure persistence and evade detection.
– NotDoor establishes covert communication by exfiltrating data to attacker-controlled email and parsing encrypted commands from incoming emails to perform actions like file theft.
– APT28 is a notorious cyber threat group linked to Russia’s GRU, with a history of high-profile attacks including election interference and targeting organizations like WADA.

Cybersecurity specialists at S2 Grupo have identified a new backdoor targeting Microsoft Outlook that lets threat actors exfiltrate sensitive data, upload files, and execute commands on compromised systems. The discovery shows how a mail client's own automation features can be turned into a command channel that never touches a conventional C2 server.

Dubbed ‘NotDoor’ by researchers at S2 Grupo’s LAB52 threat intelligence unit, the malware derives its name from the repeated use of the word “Nothing” found within its code. The tool has been attributed to the Russian state-aligned threat group known as APT28.

NotDoor is a VBA-based malware that specifically targets Microsoft Outlook, monitoring incoming emails for predetermined trigger phrases before it acts. Visual Basic for Applications is a legitimate scripting language embedded in Microsoft Office products, often used to automate routine tasks, and attackers routinely weaponize it by embedding malicious macros in documents that run as soon as the document is opened. Outlook differs from Word or Excel in one important respect: its VBA code is not carried inside individual messages but lives in a single per-user project file (VbaProject.OTM) that is loaded when Outlook starts. NotDoor therefore has to be planted in that project first, after which it waits for mail events rather than arriving as a macro-laden attachment.

This backdoor takes advantage of Outlook's event-driven object model, hooking the Application_MAPILogonComplete event (which fires once Outlook has logged into its mail profile) and Application_NewMailEx (which fires for each newly arrived item and hands the macro the item's Entry ID, so the backdoor can read every incoming message). The code itself is heavily obfuscated, using randomized variable names and a custom string encoding that appends extraneous characters to Base64 data. This imitates encryption and frustrates string-based analysis, but there is no key: once the junk characters are removed the original strings can be recovered.

Disguised within seemingly benign Outlook macros, NotDoor provides attackers with extensive control over infected machines. A notable evasion technique is DLL side-loading through a signed Microsoft binary, OneDrive.exe. That executable legitimately imports SSPICLI.dll, the Windows SSPI client library normally loaded from System32; by placing a malicious DLL of the same name where the signed binary will find it first, the attackers have a trusted, signed process load their code, which then installs the backdoor discreetly.

To maintain persistence, the malware modifies Outlook's per-user registry settings to disable security alerts, load the VBA project automatically on startup, and suppress user prompts, ensuring it operates silently in the background. In practice these correspond to Outlook's macro security Level, LoadMacroProviderOnBoot and PromptOOMSend values. Because they live under HKCU they can be written without elevation; organizations that pin the equivalent settings through Group Policy (the Policies hive takes precedence over the user values) remove this lever from a user-context implant.

There is no conventional command-and-control server; the attacker's mailbox is the channel. Victim data is exfiltrated to a ProtonMail address (a.matti444@proton[.]me) as ordinary outbound mail sent from the victim's own Outlook, while successful execution is confirmed through DNS and HTTP callbacks to a webhook.site domain. Upon infection, NotDoor creates a hidden directory within the %TEMP% folder to temporarily store artifacts, which are then emailed to the attacker and promptly deleted. Network-level C2 detection sees only the victim's normal mail traffic, so defenders have to look at outbound recipients, attachment volume, and the webhook.site lookups instead.

The malware is triggered by incoming emails containing specific strings, such as "Daily Report." It then parses encoded commands embedded in the email body, supporting a range of instructions including file theft, command execution, and the download of additional payloads. Because the triggers and command set are defined by the attacker rather than fixed in the code, they can be changed between campaigns, which complicates signature-based detection and mitigation.

By exploiting Outlook’s built-in VBA functionality, NotDoor operates with both persistence and stealth, positioning it as a powerful tool for espionage and highly targeted attacks.

LAB52 researchers advise organizations to disable macros by default, monitor Outlook for unusual behavior, and scrutinize email-based triggers as key defensive measures. In concrete terms that means enforcing Outlook's macro security through policy rather than per-user settings, alerting on creation or modification of VbaProject.OTM, watching for OneDrive.exe loading SSPICLI.dll from anywhere other than the system directories, and reviewing outbound mail to free webmail addresses and lookups of webhook.site from mail-related processes.

APT28, also known as Fancy Bear, Forest Blizzard, and Strontium, among other aliases, is a well-established cyber threat group linked to Russia's GRU military intelligence. Active since at least 2004, the group gained international notoriety for its role in breaching the Hillary Clinton presidential campaign, the Democratic National Committee, and related entities during the 2016 U.S. election interference campaign.

In 2018, the U.S. Department of Justice indicted five GRU officers from Unit 26165 for orchestrating numerous cyber intrusions between 2014 and 2018. Their targets included international organizations such as the World Anti-Doping Agency, a U.S. nuclear facility, and the Organization for the Prohibition of Chemical Weapons. Some operations were carried out with support from another GRU unit, Sandworm.

According to LAB52, NotDoor reflects APT28's continuous evolution and its ability to develop new tools that circumvent conventional security defenses. More recently, the group was associated with LameHug, one of the first malware strains to leverage a large language model, querying a hosted model at runtime to generate the commands it executes, signaling a new frontier in AI-assisted cyber threats.

(Source: InfoSecurity Magazine)
