A newly discovered backdoor, linked to the infamous Russian cyber-espionage group APT28 (Fancy Bear), is targeting Microsoft Outlook users. The malware enables attackers to steal sensitive information, upload malicious files, and execute commands to take full control of compromised devices.
What is NotDoor?
Researchers at LAB52, the threat intelligence division of Spanish cybersecurity firm S2 Grupo, uncovered the malware and named it “NotDoor” because of the word “Nothing” that appears in its code. Written in Visual Basic for Applications (VBA), the same scripting language used in Microsoft Office, NotDoor hides by abusing Outlook’s legitimate features rather than introducing obviously foreign components.
How the Malware Works
The malware activates when it detects specific trigger words in emails such as “Daily Report.” Once triggered, NotDoor allows attackers to issue malicious commands.
To remain undetected, it uses:
- Code Obfuscation: Variables and encoding methods are scrambled, making analysis difficult.
- DLL Side-Loading: It leverages a legitimate Microsoft binary (OneDrive.exe) to load a malicious DLL.
- Registry Changes: It disables macro security warnings and suppresses alerts, ensuring persistence.
Once operational, NotDoor creates a hidden directory to store temporary files. These files are then sent to an attacker-controlled email address (a.matti444@proton[.]me) before being deleted. The malware also confirms successful execution via callbacks to a webhook site.
Outlook-Specific Exploitation
NotDoor takes advantage of Outlook’s event-driven VBA triggers, such as:
- Application_MAPILogonComplete (runs at Outlook startup)
- Application_NewMailEx (activates when new emails arrive)
Because these event handlers are part of Outlook’s normal operation, the malware blends into routine activity and is much harder to detect.
Who is Behind the Attack?
APT28, also known as Fancy Bear, is believed to be tied to Russia’s GRU (General Staff Main Intelligence Directorate). The group has been active for over a decade, conducting major cyberattacks such as:
- The 2016 Democratic National Committee (DNC) breach during the U.S. election.
- Intrusions into the World Anti-Doping Agency (WADA).
The NotDoor campaign shows that APT28 continues to evolve with advanced evasion and persistence techniques to bypass modern defenses.
Global Impact and Defense
According to S2 Grupo, NotDoor has already affected organizations across NATO member states, targeting multiple industries.
Security Recommendations:
- Disable macros by default across corporate environments.
- Monitor Outlook activity for unusual behavior.
- Inspect email-based triggers that could be used to launch malware.
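As an added defensive example (not code from the LAB52 report or from NotDoor itself), the PowerShell below audits the per-user Outlook settings that the macro-security and event-trigger points above depend on. The registry value names are standard Outlook settings; the page does not say which values NotDoor changes, so these checks are a general hardening baseline rather than an indicator for this specific malware.

```powershell
# Added audit script: reports Outlook macro settings and the VBA project file
# that Outlook-resident VBA (including Application_* event handlers) lives in.
# Assumption: per-user settings only; policy keys under HKCU:\Software\Policies
# take precedence and are checked alongside the normal key.
$findings = @()
foreach ($v in '16.0','15.0','14.0') {
    $base   = "HKCU:\Software\Microsoft\Office\$v\Outlook"
    $policy = "HKCU:\Software\Policies\Microsoft\Office\$v\Outlook"
    if (-not (Test-Path $base)) { continue }

    # Security\Level: 1 = enable all macros, 2 = signed macros only (default),
    # 3 = notify for all macros, 4 = disable all macros without notification
    foreach ($root in $policy, $base) {
        $level = (Get-ItemProperty -Path "$root\Security" -Name Level `
                  -ErrorAction SilentlyContinue).Level
        if ($null -ne $level) { break }      # first hit wins (policy before user)
    }
    if ($level -eq 1) {
        $findings += "Office ${v}: all macros enabled (Security\Level=1)"
    } elseif ($null -eq $level) {
        $findings += "Office ${v}: Security\Level not set, Outlook default applies"
    }

    # LoadMacroProviderOnBoot=1 makes Outlook load VbaProject.OTM at startup,
    # which is what an Application_MAPILogonComplete handler relies on.
    $boot = (Get-ItemProperty -Path $base -Name LoadMacroProviderOnBoot `
             -ErrorAction SilentlyContinue).LoadMacroProviderOnBoot
    if ($boot -eq 1) { $findings += "Office ${v}: LoadMacroProviderOnBoot=1" }
}

# The VBA project Outlook runs is stored here; on most user machines it should
# not exist at all, so its mere presence is worth a look.
$otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
if (Test-Path $otm) {
    $f = Get-Item $otm
    $findings += "VbaProject.OTM present ($($f.Length) bytes, modified $($f.LastWriteTime))"
    # The OTM is an OLE compound file with MS-OVBA-compressed source, so a plain
    # string search for handler names is unreliable; extract it with a VBA
    # parser such as oletools' olevba before reviewing the code.
}

if ($findings.Count -eq 0) { Write-Output 'No macro-related findings' }
else { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
```

Run it in the user's own session (HKCU), and treat a non-default Level or a present VbaProject.OTM as a prompt for review, not as proof of compromise.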