Security researchers have uncovered a new Microsoft Outlook backdoor developed by Russian threat actors that monitors incoming email for trigger words and can exfiltrate data, upload files and execute commands on victim machines.
Dubbed “NotDoor” by researchers at S2 Grupo’s LAB52, the malware has been attributed to the APT28 threat group – aka “Fancy Bear” – that has been linked to the Russian GRU military intelligence unit.
The malware “highlights the ongoing evolution of APT28, demonstrating how it continuously generates new artefacts capable of bypassing established defense mechanisms,” the researchers wrote in a blog post.
The Outlook backdoor has been used to compromise “multiple companies from various sectors in NATO member countries,” they said.
Outlook Backdoor is a VBA Macro
The malware was named “NotDoor” because of the use of the word “Nothing” in the code. The backdoor is a VBA macro for Outlook that monitors incoming emails for specific trigger words, and if detected, “enables an attacker to exfiltrate data, upload files, and execute commands on the victim’s computer,” the researchers said.
To avoid detection, the backdoor is deployed via the legitimate signed binary Microsoft OneDrive.exe, which the researchers said is vulnerable to DLL side-loading. The malicious file DLL SSPICLI.dll installs the VBA backdoor and disables macro security protections. The backdoor, located in c:\programdata\testtemp.ini, launches the execution chain.
The loader runs three PowerShell commands, encoded in Base64, to load the macros to %APPDATA%\Microsoft\Outlook\VbaProject.OTM, to perform nslookup to verify that the code executed successfully, and to send a curl request to a webhook.site URL.
Establishing Persistence
The loader establishes persistence, enables macro execution and disables dialogue messages by modifying Windows Outlook registry keys.
When Outlook is started or new email arrives, the malware uses the Application_MAPILogonComplete and Application_NewMailEx events to execute code. If it doesn’t already exist, the malware creates a folder at the path %TEMP%Temp to store artifacts generated by the malware. If the folder contains any files when the malware starts, they are sent to the email address a.matti444@proton[.]me, with the subject line “Re: 0”, after which the files are deleted regardless of whether they’ve been sent successfully.
When the client receives an email, the malware checks for a specific string. “If the string is found, the malware parses the email’s contents to extract the commands to be executed,” the researchers said.
The trigger string was “Daily Report” in the example the researchers studied, but they added that multiple triggers could be configured so it’s possible the string could vary in other instances. Once the backdoor has been activated, the email that triggered it is deleted, they said.
The researchers included SHA256 hashes in their report, which were detected by only four of 72 security vendors at the time their report was published on Sept. 3:
SSPICLI.dll: 5a88a15a1d764e635462f78a0cd958b17e6d22c716740febc114a408eef66705
testtemp.ini: 8f4bca3c62268fff0458322d111a511e0bcfba255d5ab78c45973bd293379901
