Analyzing NotDoor: Inside APT28's Expanding Arsenal

Sept. 3, 2025, 8:17 p.m.

Description

LAB52 has identified a new backdoor called NotDoor, attributed to APT28, a Russian intelligence-linked threat group. NotDoor is a VBA macro for Outlook that monitors incoming emails for specific trigger words; when one is found, it can execute commands on the victim's machine, exfiltrate files, and upload files to it. The backdoor is deployed via Microsoft OneDrive.exe using DLL side-loading, and it establishes persistence by modifying registry keys. NotDoor employs obfuscation techniques and a custom string encoding method. The malware demonstrates APT28's continuous evolution in bypassing defense mechanisms, posing a significant threat to NATO member countries across various sectors.

Date

  • Created: Sept. 3, 2025, 5:31 p.m.
  • Published: Sept. 3, 2025, 5:31 p.m.
  • Modified: Sept. 3, 2025, 8:17 p.m.

Indicators

  • 8f4bca3c62268fff0458322d111a511e0bcfba255d5ab78c45973bd293379901
  • 5a88a15a1d764e635462f78a0cd958b17e6d22c716740febc114a408eef66705

Attack Patterns