S2 Grupo’s intelligence team discovered a new Outlook backdoor linked to a Russian-linked persistent threat group known as APT28. The researchers explained how the threat actors are leveraging a legitimate signed binary to deploy the backdoor, then loading a malicious file to disable macro security defenses. Once this is done, the VBA macro is delivered into targeted networks.
“APT28 is abusing Outlook as a covert channel through a VBA macro backdoor named NotDoor,” Jason Soroko, Senior Fellow at Sectigo, explains. “Delivery uses DLL sideloading of a malicious SSPICLI.dll by the signed OneDrive.exe to disable macro protections and stage commands. The macro watches inbound mail for a trigger word and can exfiltrate data upload files and run commands. This blends with trusted binaries and normal mail flow and can slip past perimeter tools and basic detections.”
Educational Webinars, Videos & Podcasts: Receive cutting-edge insights and invaluable resources, empowering you to stay ahead in the dynamic world of security.
Empowering Content: At your computer or on-the-go, stay up-to-date when you receive our eNewsletters curated with the latest technology and services that address physical, logical, cyber and enterprise resilience.
Unlimited Article Access: Dive deep into the world of cybersecurity and risk management leadership with unlimited access to our library of online articles.