Researchers have detailed sophisticated techniques to detect the Outlook NotDoor backdoor malware, a stealthy threat linked to the APT28/Fancy Bear threat group. This backdoor malware, first identified by Lab52, the intelligence arm of S2 Grupo, leverages malicious Outlook macros to achieve persistent access and facilitate data theft. By embedding macro payloads within Outlook’s data files, attackers can monitor incoming emails and trigger hidden code on infected systems, enabling advanced persistent threat groups to exfiltrate files, execute commands, and maintain covert control over targeted environments.
The initial compromise vector for NotDoor malware often begins with a DLL sideloading technique. Threat actors strategically place a malicious SSPICLI.dll file adjacent to the legitimate OneDrive.exe. This abuses the Windows DLL search order, which checks the application's own directory before the system directory, so the attacker-controlled DLL is loaded in place of the legitimate one. The rogue DLL then allows the actor to execute commands and stage further malware components without immediately raising security alerts. The presence of specific infection artifacts, including OneDrive.exe, the malicious SSPICLI.dll, a renamed legitimate DLL (tmp7E9C.dll), and a testtemp.ini file containing the VBA macro, is a crucial indicator for defenders actively monitoring suspicious file events and registry modifications.
Outlook Macro Persistence and Obfuscation Techniques
A primary tactic employed by the NotDoor backdoor malware involves copying the macro-laden testtemp.ini file to Outlook’s VBAProject.OTM location within the user’s Roaming profile. This file is integral to Outlook’s custom automation and email-handling macros. Typically, only Outlook itself should write to this directory, making any external process that modifies it a significant red flag for security professionals. The macro backdoor systematically establishes command and control (C2) communications, capable of receiving and executing attacker instructions via email triggers, and discreetly exfiltrating data.
To evade detection, NotDoor employs obfuscation techniques, including randomized variable names and custom encoding methods, which can circumvent basic security scans. Splunk security researchers, who were among the first to conduct a thorough analysis of NotDoor, revealed that encoded PowerShell commands are launched by OneDrive.exe. The malware also creates temporary directories to house dropped artifacts. Furthermore, the malware modifies critical registry settings to ensure its persistence. This includes changes to automatically load the malicious macro upon system startup by altering the `LoadMacroProviderOnBoot` registry value and significantly lowering Outlook’s macro security settings. This reduction allows all macros to execute without user intervention, effectively suppressing security dialogs and warnings.
The following Splunk detection search query illustrates how defenders can identify these specific registry alterations, indicating a potential NotDoor infection:
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path="HKCU\\Software\\Microsoft\\Office\\Outlook\\Security\\LoadMacroProviderOnBoot" Registry.registry_value_data="0x00000001"
Using these Splunk detections, cybersecurity professionals can effectively monitor for macro file events and registry modifications that signal NotDoor malware activity and its persistence mechanisms. This detailed technical analysis and the development of specific detection rules are vital in staying ahead of advanced persistent threat groups employing such sophisticated attack vectors.
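The three host-based indicators described above (LoadMacroProviderOnBoot set to 1, a non-Outlook process writing VbaProject.OTM, and SSPICLI.dll appearing outside the system directory) can be applied to endpoint telemetry outside Splunk as well. The following is an added example written for this article, not code from Lab52 or Splunk; the event format and the sample events are constructed, and the optional Office version segment in the registry path is an assumption about how the key appears on real hosts.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    kind: str        # "registry" or "file"
    process: str     # image path of the process that performed the action
    target: str      # registry value path or file path
    value: str = ""  # registry value data, if any

# Constructed sample events, not real telemetry. Event 3 is benign:
# Outlook itself is allowed to write its own VbaProject.OTM.
SAMPLE_EVENTS = [
    Event("registry", "C:\\Windows\\System32\\reg.exe",
          "HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Security\\LoadMacroProviderOnBoot",
          "0x00000001"),
    Event("file", "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
          "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM"),
    Event("file", "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
          "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM"),
    Event("file", "C:\\Windows\\explorer.exe",
          "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\SSPICLI.dll"),
]

# The version segment (e.g. 16.0) is optional so the page's unversioned path also matches.
LOAD_MACRO_RE = re.compile(r"\\Office\\(?:[\d.]+\\)?Outlook\\Security\\LoadMacroProviderOnBoot$", re.I)
OTM_RE = re.compile(r"\\Microsoft\\Outlook\\VbaProject\.OTM$", re.I)
SSPICLI_RE = re.compile(r"\\SSPICLI\.dll$", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def is_outlook(process: str) -> bool:
    return process.lower().endswith("\\outlook.exe")

def alerts_for(event: Event) -> list:
    """Return the list of indicator names an event matches (empty if benign)."""
    alerts = []
    if event.kind == "registry" and LOAD_MACRO_RE.search(event.target) \
            and event.value.lower() in ("0x00000001", "1"):
        alerts.append("LoadMacroProviderOnBoot enabled")
    if event.kind == "file" and OTM_RE.search(event.target) and not is_outlook(event.process):
        alerts.append("VbaProject.OTM written by non-Outlook process: " + event.process)
    if event.kind == "file" and SSPICLI_RE.search(event.target) \
            and not event.target.lower().startswith(SYSTEM_DIRS):
        alerts.append("SSPICLI.dll outside system directory (sideloading candidate)")
    return alerts

def scan(events) -> list:
    """Run every event through the rules; returns (target, alert) pairs."""
    return [(e.target, a) for e in events for a in alerts_for(e)]

if __name__ == "__main__":
    for target, alert in scan(SAMPLE_EVENTS):
        print(f"{alert}\n    {target}")
```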
The ongoing research into NotDoor highlights the persistent threat posed by macro-based malware, particularly within widely used applications like Microsoft Outlook. As threat actors continue to refine their evasion and persistence techniques, the development of robust detection and response capabilities remains a critical priority for cybersecurity professionals. Future efforts will likely focus on enhancing real-time threat intelligence sharing and developing more advanced behavioral analysis tools to counter such sophisticated backdoors.