A sophisticated backdoor linked to the notorious Russian cyber-espionage group APT28 allows attackers to exfiltrate data, upload files, and execute commands on compromised computers.
The new, sophisticated backdoor targets Microsoft Outlook, which allows threat actors to steal data and take control of a victim’s machine.
The malware, dubbed “NotDoor,” has been attributed to the Russian state-sponsored cyber threat group APT28, also known as Fancy Bear. The findings were published by LAB52, the threat intelligence unit of Spanish cybersecurity firm S2 Grupo.
NotDoor is a stealthy malware written in Visual Basic for Applications (VBA), the scripting language used to automate tasks within Microsoft Office applications.
The backdoor is designed to monitor a victim’s incoming emails for specific trigger words, such as “Daily Report.” When an email containing the trigger is detected, the malware activates, enabling attackers to execute malicious commands.
The name ‘NotDoor’ was coined by researchers due to the use of the word ‘Nothing’ within the malware’s code.
‘NotDoor’ Malware Attacks Outlook Users
The malware cleverly abuses legitimate Outlook features to remain hidden and maintain persistence. It uses event-driven VBA triggers, such as Application_MAPILogonComplete, which runs when Outlook starts, and Application_NewMailEx, which is activated upon the arrival of a new email, S2 Grupo said.
To evade detection by security software, NotDoor employs several sophisticated techniques:
- Code Obfuscation: The malware’s code is intentionally scrambled with randomized variable names and a custom encoding method to make analysis difficult.
- DLL Side-Loading: It uses a legitimate, signed Microsoft binary, OneDrive.exe, to load a malicious DLL file. This technique helps the malware appear as a trusted process.
- Registry Modification: For persistence, NotDoor alters Outlook’s registry settings. It disables security warnings about macros and suppresses other prompts, allowing it to run silently without alerting the user.
Once active, the backdoor creates a hidden directory to store temporary files, which are then exfiltrated to an attacker-controlled email address (a.matti444@proton[.]me) before being deleted. The malware confirms its successful execution by sending callbacks to a webhook site.
APT28 is a well-known threat actor linked to Russia’s General Staff Main Intelligence Directorate (GRU). Active for over a decade, the group has been responsible for numerous high-profile cyberattacks, including the 2016 breach of the Democratic National Committee (DNC) during the U.S. presidential election and intrusions into the World Anti-Doping Agency (WADA).
This new tool demonstrates the group’s continuous evolution and its ability to develop new methods to bypass modern defense mechanisms.
According to S2 Grupo, the NotDoor malware has already been used to compromise multiple companies across various sectors in NATO member countries.
To defend against this threat, security experts recommend that organizations disable macros by default across their systems, closely monitor for any unusual activity within Outlook, and inspect email-based triggers that could be exploited by such malware.
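A defender-side audit for the settings this backdoor depends on, added here as an example (it is not code from the article or from the LAB52 report): it reads the per-user Outlook macro security level, the flag that makes Outlook load its VBA project at startup, and checks whether a VbaProject.OTM file is present at all. The registry paths, value names and Level semantics are Outlook’s own as assumed here for Office 16.0; the output shape and what counts as suspicious are this script’s choices.

```powershell
# Audit per-user Outlook macro settings for signs of weakened macro security.
# Assumptions: Office 16.0 hive; Level semantics 1=enable all, 2=notify for all,
# 3=notify for signed only (default), 4=disable all. VbaProject.OTM is where Outlook
# keeps the user's VBA project, i.e. where event handlers such as
# Application_NewMailEx would live.
$OutlookKey  = 'HKCU:\Software\Microsoft\Office\16.0\Outlook'
$SecurityKey = "$OutlookKey\Security"
$OtmPath     = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'

function Get-OutlookMacroAudit {
    $findings = @()

    # Level below 3 means unsigned macros can run with at most a prompt (or none at all).
    $level = (Get-ItemProperty -Path $SecurityKey -Name 'Level' -ErrorAction SilentlyContinue).Level
    if ($null -eq $level) {
        $findings += [pscustomobject]@{ Check = 'MacroSecurityLevel'; Value = 'not set (Outlook default)'; Suspicious = $false }
    } else {
        $findings += [pscustomobject]@{ Check = 'MacroSecurityLevel'; Value = $level; Suspicious = ($level -lt 3) }
    }

    # LoadMacroProviderOnBoot=1 makes Outlook load the VBA project at startup, which is what
    # an Application_MAPILogonComplete handler needs in order to fire without user interaction.
    $loadOnBoot = (Get-ItemProperty -Path $OutlookKey -Name 'LoadMacroProviderOnBoot' -ErrorAction SilentlyContinue).LoadMacroProviderOnBoot
    $findings += [pscustomobject]@{ Check = 'LoadMacroProviderOnBoot'; Value = $loadOnBoot; Suspicious = ($loadOnBoot -eq 1) }

    # Any VbaProject.OTM on a machine that should have no Outlook VBA is worth triaging;
    # size and last-write time help correlate it with other telemetry.
    if (Test-Path $OtmPath) {
        $otm = Get-Item $OtmPath
        $findings += [pscustomobject]@{ Check = 'VbaProject.OTM'; Value = "$($otm.Length) bytes, modified $($otm.LastWriteTime)"; Suspicious = $true }
    } else {
        $findings += [pscustomobject]@{ Check = 'VbaProject.OTM'; Value = 'absent'; Suspicious = $false }
    }

    return $findings
}

# Run the audit and show every finding; rows with Suspicious = True deserve follow-up.
Get-OutlookMacroAudit | Format-Table -AutoSize
```

Run it under the user account being investigated, since all three checks live in the user’s own profile (HKCU and %APPDATA%); a Level of 3 or 4 with LoadMacroProviderOnBoot unset and no OTM file is the expected baseline.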
The post New ‘NotDoor’ Malware Attacks Outlook Users to Exfiltrate Data and Compromise Computers appeared first on Cyber Security News.