The PolySwarm Blog

Fancy Bear Uses NotDoor to Target NATO Countries

Sep 12, 2025 2:38:23 PM / by The Hivemind

Verticals Targeted: Not specified
Regions Targeted: NATO countries
Related Families: None

Executive Summary

Fancy Bear, a Russian intelligence-linked threat actor group, has deployed NotDoor, a sophisticated VBA macro-based Outlook backdoor targeting multiple sectors in NATO member countries. The malware leverages DLL side-loading and email triggers to enable data exfiltration, file uploads, and command execution while evading detection.

Key Takeaways

  • NotDoor uses a legitimate Microsoft OneDrive.exe binary for DLL side-loading to deploy a malicious VBA macro in Outlook.  
  • The backdoor activates via specific email triggers to execute commands and exfiltrate data.  
  • Persistence is achieved through registry modifications, enabling macro execution and disabling user alerts.  
  • The malware employs custom string encoding and obfuscation to conceal its operations.

What is NotDoor?

Fancy Bear, a Russian intelligence-linked threat group, continues to advance its tactics with NotDoor, a novel Outlook backdoor identified by LAB52, the intelligence team at S2 Grupo. This VBA macro-based malware targets organizations across multiple sectors in NATO member countries, showcasing Fancy Bear’s focus on high-value targets. By exploiting legitimate system components and employing sophisticated obfuscation, NotDoor demonstrates the group’s ability to bypass conventional security measures while maintaining stealth.

The infection chain begins with Fancy Bear leveraging a legitimate, signed Microsoft OneDrive.exe binary that is vulnerable to DLL side-loading. This technique loads a malicious DLL, SSPICLI.dll, which deploys the VBA backdoor by copying a malicious file from `c:\programdata\testtemp.ini` to `%APPDATA%\Microsoft\Outlook\VbaProject.OTM`, the location from which Outlook loads and executes the embedded macros. To ensure persistence, Fancy Bear modifies the Windows registry, enabling automatic macro execution upon Outlook startup. The malware further disables macro security protections by altering the `Level` value under the `Software\Microsoft\Office\16.0\Outlook\Security` key and suppresses user dialog messages to minimize detection risk.

NotDoor’s functionality hinges on Outlook’s event-driven architecture, utilizing events to trigger code execution when Outlook starts or a new email arrives. The backdoor monitors incoming emails for specific trigger strings, such as “Daily Report,” which activate its malicious capabilities. Upon detecting a trigger, the malware parses the email for encrypted commands and an exfiltration email address, using a custom encoding technique that prepends random alphanumeric characters to Base64 strings for obfuscation. Supported commands include `cmd` (execute commands and return output), `cmdno` (execute commands without output), `dwn` (exfiltrate files as email attachments), and `upl` (upload files to the victim’s system). Exfiltrated files are stored in `%TEMP%\Temp`, named using predefined formats and extensions, and sent to an attacker-controlled email before being deleted.

Fancy Bear employs additional techniques to confirm successful execution. The malicious DLL executes three Base64-encoded PowerShell commands: one copies the malicious file to the Outlook directory, another performs an nslookup to a webhook.site domain incorporating the victim’s username, and the third sends a curl request to a similar webhook.site URL. These network interactions, previously observed in Fancy Bear’s campaigns, verify the malware’s deployment.

The backdoor’s obfuscation includes randomized variable and function names, complicating analysis. Its custom encoding further masks its operations, creating the appearance of encrypted data. By leveraging Outlook’s native functionality and legitimate binaries, NotDoor maintains a low detection profile.
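The host artifacts described above (staging file, dropped VbaProject.OTM, lowered Outlook macro `Level`, and an SSPICLI.dll staged for side-loading) can be hunted for on a workstation. The following PowerShell is an added example written for this post, not code from PolySwarm or LAB52; it assumes the current user's profile, the Office 16.0 registry path named in the report, and treats any SSPICLI.dll outside the Windows system directories as a side-loading candidate (a heuristic, since the report does not say where the DLL is staged).

```powershell
# Added hunting example (not from the PolySwarm post or the LAB52 report).
# Assumptions: current user's hive/profile, Office 16.0 only, SHA-256 IOCs from the post.
$knownHashes = @(
    'fcb6dc17f96af2568d7fa97a6087e4539285141206185aec5c85fa9cf73c9193',
    '5a88a15a1d764e635462f78a0cd958b17e6d22c716740febc114a408eef66705',
    '8f4bca3c62268fff0458322d111a511e0bcfba255d5ab78c45973bd293379901'
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Check, $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}
function Get-Sha256($Path) { (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower() }

# 1. Staging file written by the DLL and the VBA project Outlook loads at start-up
$paths = @("$env:ProgramData\testtemp.ini",
           "$env:APPDATA\Microsoft\Outlook\VbaProject.OTM")
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $hash = Get-Sha256 $p
        $tag  = if ($knownHashes -contains $hash) { 'MATCHES known NotDoor hash' } else { 'present; hash not in IOC list' }
        Add-Finding 'File' ("{0} ({1}, sha256={2})" -f $p, $tag, $hash)
    }
}

# 2. Outlook macro security lowered: Level 1 means all macros run without a prompt
$sec   = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Security'
$level = (Get-ItemProperty -Path $sec -Name Level -ErrorAction SilentlyContinue).Level
if ($null -ne $level -and $level -eq 1) {
    Add-Finding 'Registry' "$sec\Level = $level (all macros enabled)"
}

# 3. SSPICLI.dll outside the Windows system directories (side-loading candidate; heuristic)
$sysDirs = @("$env:windir\System32", "$env:windir\SysWOW64", "$env:windir\WinSxS")
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'SSPICLI.dll' -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $dir = $_.DirectoryName; -not ($sysDirs | Where-Object { $dir -like "$_*" }) } |
    ForEach-Object {
        $hash = Get-Sha256 $_.FullName
        $tag  = if ($knownHashes -contains $hash) { 'MATCHES known NotDoor hash' } else { 'unexpected location' }
        Add-Finding 'SideLoad' ("{0} ({1}, sha256={2})" -f $_.FullName, $tag, $hash)
    }

if ($findings.Count -eq 0) { 'No NotDoor artifacts found' } else { $findings | Format-Table -AutoSize }
```

Step 3 walks the whole system drive and is slow; scope `-Path` to user-writable directories if you only need a quick triage pass.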

Who is Fancy Bear?

Fancy Bear, also known as APT28, Sofacy, STRONTIUM, Sednit, Pawn Storm, Tsar Team, and Forest Blizzard, is a Russia-nexus threat actor group active since at least 2007. Fancy Bear is widely believed to be affiliated with Russia’s Main Intelligence Directorate (GRU), specifically Units 26165 and 74455. Their targeting aligns with Russian geopolitical interests, including NATO, EU, and Ukrainian entities, with evidence of Russian-language malware and operational patterns matching GRU priorities. Fancy Bear targets aerospace, defense, energy, government, media, and dissidents across countries including Afghanistan, Brazil, France, Germany, Ukraine, and the United States. Their past operations have focused on military intelligence, political influence, and election interference.

Fancy Bear employs sophisticated tactics, including spear-phishing with tailored emails containing malicious attachments or links to spoofed login pages, often mimicking trusted sources like government or news outlets. They exploit zero-day vulnerabilities in software, such as Microsoft Outlook (CVE-2023-23397), to steal credentials and gain network access. The group deploys custom malware like Zebrocy, X-Agent, CHOPSTICK, Drovorub, and GooseEgg for data theft, persistence, and lateral movement. They use watering hole attacks, compromising websites frequented by targets, and password-spraying attacks on weak credentials, often leveraging Kubernetes clusters. Fancy Bear also creates online personas, such as Guccifer 2.0 and Fancy Bears’ Hack Team, to leak stolen data and spread disinformation.  

IOCs

PolySwarm has multiple samples of NotDoor.
fcb6dc17f96af2568d7fa97a6087e4539285141206185aec5c85fa9cf73c9193

5a88a15a1d764e635462f78a0cd958b17e6d22c716740febc114a408eef66705

8f4bca3c62268fff0458322d111a511e0bcfba255d5ab78c45973bd293379901
You can use the following CLI command to search for all NotDoor samples in our portal:

$ polyswarm link list -f NotDoor
Topics: Threat Bulletin, Fancy Bear, NotDoor, VBA macro, Russian threat actors, Outlook backdoor, DLL side-loading, email exfiltration, malware persistence, NATO targets