Researchers Detailed Techniques to Detect Outlook NotDoor Backdoor Malware

Outlook NotDoor backdoor malware first appeared in threat campaigns identified by Lab52, the intelligence arm of Spanish firm S2 Grupo.

Linked to APT28/Fancy Bear, NotDoor leverages malicious Outlook macros for persistent access and data theft. Attackers embed these macro payloads within Outlook’s data files to monitor incoming emails and trigger hidden code on infected systems.

This has enabled advanced persistent threat groups to quietly exfiltrate files, execute commands, and maintain stealthy control by abusing a trusted application.

Initial compromise often begins with DLL sideloading. Threat actors place a maliciously crafted SSPICLI.dll next to the legitimate OneDrive.exe, exploiting the order in which Windows searches for DLLs so that the copy in the application's directory is loaded instead of the genuine system library.

The fake DLL allows the actor to execute commands and stage malware components without raising alarms.

Infection artifacts include multiple files: a real OneDrive.exe, SSPICLI.dll (malicious), tmp7E9C.dll (renamed legitimate DLL), and testtemp.ini containing the VBA macro. These details are crucial for defenders tracking suspicious file events and Registry modifications.

Splunk security researchers were among the first to thoroughly analyze NotDoor. Their deep dive revealed encoded PowerShell commands launched by OneDrive.exe and how the malware quietly creates TEMP directories for dropped artifacts.

The detection guide by Splunk helps defenders recognize rogue processes spawning PowerShell, network calls, and registry changes that activate macro auto-loading, disable security prompts, or allow all macros without warning.

This research provides valuable blueprints for building reliable detection.

Outlook Macro Persistence and Obfuscation

A key NotDoor technique involves copying the macro-laden testtemp.ini file to Outlook’s VBAProject.OTM location within the user’s Roaming directory.

This file holds all custom automation and email-handling macros for Outlook. Under normal circumstances, only Outlook should write here, so any outside process (such as malware) is highly suspicious.

The macro backdoor sets up C2 communications: it can receive and execute attacker instructions via email triggers, and quietly send data back out.

It relies on obfuscation, randomized variable names, and custom encoding to slip past simple scans. Splunk researchers pinpointed registry modifications as pivotal for persistence.

The malware changes settings to automatically load the malicious macro at startup (LoadMacroProviderOnBoot) and lowers Outlook’s macro security level to let all macros execute, suppressing security dialogs.
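The indicators described above (the SSPICLI.dll sideload beside OneDrive.exe, OneDrive.exe launching encoded PowerShell, testtemp.ini and VbaProject.OTM being written by something other than Outlook, and the LoadMacroProviderOnBoot and macro security level registry changes) can be turned into a small rule set that replays endpoint telemetry. The script below is an added example, not code from Splunk, Lab52 or the article; the Event schema and the constructed sample events are assumptions made for the example, and the mapping of Outlook's Security\Level value 1 to "enable all macros" is taken from Office's documented VBA security levels rather than from the article.

```python
import ntpath
from dataclasses import dataclass

# Tails of the registry value paths named in the article. Outlook versions the
# key (e.g. ...\Office\16.0\Outlook\...), so only the suffix is compared.
LOAD_MACRO_TAIL = r"\outlook\security\loadmacroprovideronboot"
MACRO_LEVEL_TAIL = r"\outlook\security\level"
# Folders where a legitimate SSPICLI.dll lives; a copy anywhere else is the
# sideload staging pattern described above (heuristic, not a full allow-list).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass
class Event:
    """Hypothetical normalised telemetry record (assumption for this example)."""
    kind: str          # "file_write", "registry_set" or "process_start"
    proc: str          # image path of the acting process (parent for process_start)
    path: str = ""     # file path or registry value path
    value: str = ""    # registry data, or the child command line


def _name(p: str) -> str:
    return ntpath.basename(p).lower()


def _file_write(ev: Event):
    name = _name(ev.path)
    folder = ntpath.dirname(ev.path).lower()
    if name == "vbaproject.otm" and _name(ev.proc) != "outlook.exe":
        return "VbaProject.OTM written by a non-Outlook process"
    if name == "sspicli.dll" and folder not in SYSTEM_DIRS:
        return "SSPICLI.dll dropped outside the system directory (sideload staging)"
    if name == "testtemp.ini":
        return "testtemp.ini macro carrier written"
    return None


def _registry_set(ev: Event):
    path, data = ev.path.lower(), ev.value.lower()
    if path.endswith(LOAD_MACRO_TAIL) and data in ("1", "0x00000001"):
        return "LoadMacroProviderOnBoot enabled (macro auto-load persistence)"
    if path.endswith(MACRO_LEVEL_TAIL) and data in ("1", "0x00000001"):
        return "Outlook macro security Level set to 1 (all macros run without prompt)"
    return None


def _process_start(ev: Event):
    child = ev.value.lower()
    if _name(ev.proc) == "onedrive.exe" and "powershell" in child and "-enc" in child:
        return "OneDrive.exe launched encoded PowerShell"
    return None


CHECKS = {"file_write": _file_write,
          "registry_set": _registry_set,
          "process_start": _process_start}


def scan(events):
    """Return (event index, finding) for every event matching a NotDoor indicator."""
    findings = []
    for i, ev in enumerate(events):
        check = CHECKS.get(ev.kind)
        hit = check(ev) if check else None
        if hit:
            findings.append((i, hit))
    return findings


# Constructed sample telemetry for the example; not captured from a real host.
ONEDRIVE = r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
OTM = r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"
SAMPLE_EVENTS = [
    Event("file_write", r"C:\Windows\explorer.exe",
          r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\SSPICLI.dll"),
    Event("file_write", r"C:\Windows\servicing\TrustedInstaller.exe",
          r"C:\Windows\System32\SSPICLI.dll"),                      # benign
    Event("process_start", ONEDRIVE, value="powershell.exe -nop -w hidden -enc QQBCAEMA"),
    Event("file_write", PS, OTM),
    Event("file_write", OUTLOOK, OTM),                             # benign: Outlook itself
    Event("registry_set", PS,
          r"HKCU\Software\Microsoft\Office\Outlook\Security\LoadMacroProviderOnBoot",
          "0x00000001"),
    Event("registry_set", PS, r"HKCU\Software\Microsoft\Office\Outlook\Security\Level", "1"),
    Event("registry_set", OUTLOOK, r"HKCU\Software\Microsoft\Office\Outlook\Security\Level", "3"),
    Event("file_write", PS, r"C:\Users\alice\AppData\Local\Temp\testtemp.ini"),
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Each rule keys on the artifact the article names rather than on a file hash, so a renamed dropper or re-encoded macro still trips it; the cost is that a legitimate administrator script writing VbaProject.OTM would also be flagged, which is the intended behaviour given that only Outlook should normally touch that file.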

The following snippet shows a Splunk detection search for the registry change that enables macro auto-loading:

 | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path="HKCU\\Software\\Microsoft\\Office\\Outlook\\Security\\LoadMacroProviderOnBoot" Registry.registry_value_data=0x00000001
Outlook Security Registry Changes (Source – Splunk)

Defenders can follow these Splunk detection models to catch NotDoor malware, watching for macro file events and registry modifications that signal infection and persistence.
