Outlook NotDoor backdoor malware first appeared in menace campaigns recognized by Lab52, the intelligence arm of Spanish agency S2 Grupo.
Linked to APT28/Fancy Bear, NotDoor leverages malicious Outlook macros for persistent entry and information theft. Attackers embed these macro payloads inside Outlook’s information recordsdata to watch incoming emails and set off hidden code on contaminated programs.
This has enabled superior persistent menace teams to quietly exfiltrate recordsdata, execute instructions, and preserve stealthy management by abusing a trusted software.
Preliminary compromise usually begins with DLL sideloading. Risk actors place a maliciously crafted SSPICLI.dll subsequent to the official OneDrive.exe, exploiting how Home windows prioritizes loading DLLs.
The faux DLL permits the actor to execute instructions and stage malware parts with out elevating alarms.
An infection artifacts embody a number of recordsdata: an actual OneDrive.exe, SSPICLI.dll (malicious), tmp7E9C.dll (renamed official DLL), and testtemp.ini containing the VBA macro. These particulars are essential for defenders monitoring suspicious file occasions and Registry modifications.
Splunk safety researchers had been among the many first to completely analyze NotDoor. Their deep dive revealed encoded PowerShell instructions launched by OneDrive.exe and the way the malware quietly creates TEMP directories for dropped artifacts.
The detection information by Splunk helps defenders acknowledge rogue processes spawning PowerShell, community calls, and registry adjustments that activate macro auto-loading, disable safety prompts, or enable all macros with out warning.
This analysis supplies helpful blueprints for constructing dependable detection.
Outlook Macro Persistence and Obfuscation
A key NotDoor approach includes copying the macro-laden testtemp.ini file to Outlook’s VBAProject.OTM location throughout the consumer’s Roaming listing.
This file holds all customized automation and email-handling macros for Outlook. Below regular circumstances, solely Outlook ought to write right here, so any exterior course of (akin to malware) is very suspicious.
The macro backdoor units up C2 communications: it could obtain and execute attacker directions through e-mail triggers, and quietly ship information again out.
It depends on obfuscation, randomized variable names, and customized encoding to slide previous easy scans. Splunk researchers pinpointed registry modifications as pivotal for persistence.
The malware adjustments settings to mechanically load the malicious macro at startup (LoadMacroProviderOnBoot) and lowers Outlook’s macro safety stage to let all macros execute, suppressing safety dialogs.
The next code snippet reveals a standard Splunk detection seek for registry adjustments:-
tstats security_contents_summaries_only depend FROM datamodelEndpoint.Registry WHERE Registry.registrypath=HKCUSoftware programMicrosoftWorkplaceOutlookSafetyLoadMacroProviderOnBoot Registry.registryvaluedata=0x00000001
Outlook Safety Registry Modifications (Supply – Splunk)
Defenders can observe these Splunk detection fashions to catch NotDoor malware, waiting for macro file occasions and registry modifications that sign an infection and persistence.
Observe us on Google Information, LinkedIn, and X to Get Extra Immediate Updates, Set CSN as a Most popular Supply in Google.
