Russian state-sponsored hackers have developed a sophisticated new backdoor malware called “NotDoor” that specifically targets Microsoft Outlook users, enabling attackers to steal sensitive data and gain complete control over compromised systems.
The NotDoor malware has been attributed to APT28, the notorious Russian cyber-espionage group also known as Fancy Bear.
This threat actor is linked to Russia’s General Staff Main Intelligence Directorate (GRU) and has been active for over a decade, responsible for high-profile cyberattacks including the 2016 Democratic National Committee breach and intrusions into the World Anti-Doping Agency.
The discovery was published by LAB52, the threat intelligence unit of Spanish cybersecurity firm S2 Grupo, highlighting the group’s continuous evolution in developing new methods to bypass modern defense mechanisms.
How NotDoor Operates
NotDoor is a stealthy malware written in Visual Basic for Applications (VBA), the scripting language used to automate tasks within Microsoft Office applications.
The backdoor demonstrates remarkable sophistication in its approach to compromising Outlook users.
The malware operates by monitoring incoming emails for specific trigger words, such as “Daily Report.”
When an email containing these triggers is detected, the malware activates, enabling attackers to execute malicious commands on the victim’s system.
The name “NotDoor” was coined by researchers due to the frequent use of the word “Nothing” within the malware’s code structure.
NotDoor employs several advanced techniques to avoid detection by security software:
Code Obfuscation: The malware’s code is intentionally scrambled using randomized variable names and custom encoding methods, making analysis extremely difficult for security researchers.
DLL Side-Loading: The malware exploits a legitimate, signed Microsoft binary called OneDrive.exe to load malicious DLL files. This technique makes the malware appear as a trusted process, helping it evade security controls.
Registry Modification: For persistence, NotDoor alters Outlook’s registry settings, disabling security warnings about macros and suppressing user prompts. This allows the malware to run silently without alerting victims.
Attack Methodology
The malware cleverly abuses legitimate Outlook features to maintain persistence and remain hidden. It uses event-driven VBA triggers, including Application_MAPILogonComplete (which runs when Outlook starts) and Application_NewMailEx (activated when new emails arrive).
Once active, NotDoor creates a hidden directory to store temporary files. These files are then exfiltrated to an attacker-controlled email address ([email protected]) before being deleted from the victim’s system.
The malware confirms successful execution by sending callbacks to a webhook site, providing attackers with real-time confirmation of compromise.
According to S2 Grupo’s analysis, the NotDoor malware has already been successfully used to compromise multiple companies across various sectors in NATO member countries.
This demonstrates the malware’s effectiveness and the threat group’s strategic targeting of Western organizations. Security experts recommend several defensive measures to protect against NotDoor attacks:
Organizations should disable macros by default across their systems, as this eliminates the primary attack vector.
IT teams should also implement close monitoring for unusual activity within Outlook applications and inspect email-based triggers that could be exploited by similar malware.
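As a defender's companion to the techniques and recommendations above, the following PowerShell is an added example; it is not code from this article or from the LAB52/S2 Grupo report. It audits the three host-side conditions the report describes (a weakened Outlook macro security level, the VbaProject.OTM file that Outlook loads its ThisOutlookSession VBA from, and unsigned DLLs sitting beside a signed OneDrive.exe) and then shows the policy setting that enforces "disable all macros". The Office 16.0 registry hive path, the OneDrive install locations searched, and the Level value mapping are assumptions about a typical environment, not facts taken from the report.

```powershell
# Added example, not code from the article or the LAB52/S2 Grupo report.
# Assumptions (labelled): Office 16.0 hive layout, OneDrive.exe under the usual
# per-user / Program Files paths, and the Level value mapping commented below.

$OutlookVersion    = '16.0'   # assumption: Office 2016/2019/2021/Microsoft 365 all use 16.0
$UserSecurityKey   = "HKCU:\Software\Microsoft\Office\$OutlookVersion\Outlook\Security"
$PolicySecurityKey = "HKCU:\Software\Policies\Microsoft\Office\$OutlookVersion\Outlook\Security"
$OtmPath           = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'   # where Outlook keeps its VBA project

# Outlook "Level" DWORD (Trust Center > Macro Settings), assumed mapping:
#   1 = enable all macros, 2 = notify for all macros,
#   3 = notify for signed macros only (default), 4 = disable all without notification
$LevelNames = @{ 1 = 'EnableAll'; 2 = 'NotifyAll'; 3 = 'NotifySignedOnly'; 4 = 'DisableAll' }

function Get-OutlookMacroPosture {
    # The policy key (written by GPO/Intune) takes precedence over the per-user key, so read it first.
    $level = $null; $source = 'NotSet'
    foreach ($key in @($PolicySecurityKey, $UserSecurityKey)) {
        $item = Get-ItemProperty -Path $key -Name 'Level' -ErrorAction SilentlyContinue
        if ($null -ne $item) { $level = [int]$item.Level; $source = $key; break }
    }
    [pscustomobject]@{
        Level        = $level
        LevelName    = if ($null -ne $level) { $LevelNames[$level] } else { 'Default (NotifySignedOnly)' }
        Source       = $source
        Weakened     = ($level -eq 1 -or $level -eq 2)   # the state left behind when macro warnings are switched off
        OtmPresent   = Test-Path $OtmPath                 # any OTM deserves review on a host that should not run Outlook VBA
        OtmLastWrite = if (Test-Path $OtmPath) { (Get-Item $OtmPath).LastWriteTime } else { $null }
    }
}

function Find-UnsignedDllsBesideOneDrive {
    # Side-loading works because the loader prefers a DLL in the executable's own directory.
    # Every DLL shipped next to a genuine OneDrive.exe is Microsoft-signed, so an unsigned
    # or invalidly signed one in that directory is worth an analyst's attention.
    $roots = @("$env:LOCALAPPDATA\Microsoft\OneDrive", "$env:ProgramFiles\Microsoft OneDrive")   # assumed install roots
    $exes  = Get-ChildItem -Path $roots -Filter 'OneDrive.exe' -Recurse -ErrorAction SilentlyContinue
    foreach ($dir in ($exes | Select-Object -ExpandProperty DirectoryName -Unique)) {
        Get-ChildItem -Path $dir -Filter '*.dll' -ErrorAction SilentlyContinue | ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{ Path = $_.FullName; Status = $sig.Status; Signer = $sig.SignerCertificate.Subject }
            }
        }
    }
}

function Set-OutlookMacrosDisabled {
    # Enforce Level 4 through the policy key, which overrides whatever the per-user key
    # (the one the Trust Center UI writes) says; deploy it via Group Policy so it is reapplied.
    if (-not (Test-Path $PolicySecurityKey)) { New-Item -Path $PolicySecurityKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicySecurityKey -Name 'Level' -Value 4 -Type DWord
    return ((Get-ItemProperty -Path $PolicySecurityKey -Name 'Level').Level -eq 4)
}

Get-OutlookMacroPosture | Format-List
Find-UnsignedDllsBesideOneDrive | Format-Table -AutoSize
# Run Set-OutlookMacrosDisabled only after review; it returns $true once the policy value is in place.
```

The audit is read-only and can be run from an EDR or scheduled task on every Outlook host; only the last function changes state. Treat an unsigned DLL hit as a lead for review rather than something to delete automatically, and pair the registry check with an alert on any process other than Outlook's installer writing the `Level` value, since that write is the persistence step the report describes.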
The emergence of NotDoor represents another escalation in APT28’s ongoing cyber warfare capabilities, demonstrating the group’s ability to adapt and develop increasingly sophisticated tools for espionage and system compromise.