
A new Microsoft Outlook backdoor called NotDoor has been attributed to the Russian state-sponsored hacking group tracked as APT28, in attacks targeting multiple companies across various sectors in NATO member countries.
According to S2 Grupo's Lab52 Threat Intelligence team, NotDoor is an Outlook VBA macro designed to monitor incoming emails for specific trigger words. "If such an email is detected, the attacker can exfiltrate data, upload files, and run commands on the victim's computer."
The artifact gets its name from the use of the word "Nothing" in its source code, the Spanish cybersecurity company added. The activity highlights stealthy communication, data exfiltration, and the abuse of Outlook as a malware delivery channel.
The exact initial access vector used to deliver the malware is currently unknown, but analysis shows that it is being deployed through Microsoft's signed OneDrive executable ("onedrive.exe") using a technique called DLL side-loading.
This leads to the execution of a malicious DLL ("sspicli.dll"), which installs the VBA backdoor and disables macro security protections.
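A defender-side check for the side-loading step described above, written for this page as an added example (not code from Lab52's report): it scans constructed Sysmon-style image-load records and flags any "onedrive.exe" process that loads "sspicli.dll" from outside the Windows system directories. The log format, paths and trusted-directory list are assumptions for the example.

```python
import ntpath

# Constructed, simplified image-load records (Sysmon Event ID 7 style, 'key=value|key=value').
# These are sample lines for the example, not real telemetry.
SAMPLE_LOG = """\
Image=C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe|ImageLoaded=C:\\Windows\\System32\\sspicli.dll|Signed=true
Image=C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\sspicli.dll|Signed=false
Image=C:\\Windows\\System32\\svchost.exe|ImageLoaded=C:\\Windows\\System32\\sspicli.dll|Signed=true
Image=C:\\Users\\bob\\Downloads\\onedrive.exe|ImageLoaded=C:\\Users\\bob\\Downloads\\SSPICLI.DLL|Signed=false
"""

# Directories where the genuine sspicli.dll lives (assumption: a standard Windows layout).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_record(line):
    """Turn one 'k=v|k=v' line into a dict with lower-cased keys."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def is_suspicious_sideload(rec, host_exe="onedrive.exe", dll="sspicli.dll"):
    """True when host_exe loads dll from anywhere other than the trusted system directories."""
    image = rec.get("image", "")
    loaded = rec.get("imageloaded", "")
    if ntpath.basename(image).lower() != host_exe:
        return False
    if ntpath.basename(loaded).lower() != dll:
        return False
    # ntpath handles Windows-style paths regardless of the platform the script runs on.
    return ntpath.dirname(loaded).lower() not in TRUSTED_DIRS


def find_sideloads(log_text):
    """Return the ImageLoaded path of every record that looks like a side-load."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if is_suspicious_sideload(rec):
            hits.append(rec["imageloaded"])
    return hits


if __name__ == "__main__":
    for path in find_sideloads(SAMPLE_LOG):
        print("possible DLL side-load:", path)
```

The same check generalises to any signed host binary and DLL name pair by changing the `host_exe` and `dll` arguments.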

Specifically, the DLL runs a Base64-encoded PowerShell command that performs a series of actions: beaconing to an attacker-controlled webhook[.]site URL, making registry changes to set up persistence and allow macros to run, and turning off Outlook-related dialog messages to avoid detection.
NotDoor is designed as a Visual Basic for Applications (VBA) project that monitors Outlook through the Application.MAPILogonComplete and Application.NewMailEx events.
It then creates a folder at %TEMP%\TEMP if it does not already exist, saves the TXT files produced during its operation there, and uses it as a staging folder for exfiltration to a Proton Mail address. It also parses incoming messages for trigger strings such as "Daily Report", and extracts and executes the embedded commands.
The malware supports four different commands:
CMD, to run a command and return its standard output as an email attachment; CMDNO, to run a command without returning output; UPL, to drop a file onto the victim's computer; and a fourth command to exfiltrate a file from the victim's computer as an email attachment.
"Files exfiltrated by the malware are stored in the folder," Lab52 said. "The contents of the file are encoded using the malware's custom encryption, sent via email, and then removed from the system."
The disclosure comes as the Beijing-based 360 Threat Intelligence Center detailed the use of Telegram-owned Telegraph by Gamaredon (a.k.a. APT-C-53) as a dead-drop resolver pointing to command-and-control (C2) infrastructure.
The attack is also notable for its abuse of Microsoft Dev Tunnels (devtunnels.ms), a service that lets developers securely expose local web services to the Internet for testing and debugging, as a C2 domain to add stealth.
"This technique offers two advantages. First, the original C2 server IP is fully masked by Microsoft's relay nodes, blocking threat intelligence tracebacks based on IP reputation," the cybersecurity company said.

"Second, attackers can quickly rotate infrastructure nodes and leverage the trusted reputation and traffic scale of mainstream cloud services to maintain near-zero exposure for continuous threat operations."
The attack chain involves the use of fake Cloudflare Workers domains to deliver Visual Basic scripts like PteroLNK, which can spread the infection to other machines by copying itself to connected USB drives and can fetch additional payloads.
"This attack chain demonstrates a high level of specialized design, using four-layer obfuscation (registry persistence, dynamic compilation, pass masquerading, and cloud service abuse) to carry out fully hidden operations from initial intrusion to data exfiltration," the 360 Threat Intelligence Center said.