
"NotDoor is a VBA macro for Outlook designed to monitor incoming emails for a specific trigger word," S2 Grupo's LAB52 threat intelligence team said. "When such an email is detected, it enables an attacker to exfiltrate data, upload files, and execute commands on the victim's computer." The artifact gets its name from the use of the word "Nothing" within the source code, the Spanish cybersecurity company added. The activity highlights the abuse of Outlook as a stealthy communication, data exfiltration, and malware delivery channel.
"NotDoor is designed as an obfuscated Visual Basic for Applications (VBA) project for Outlook that makes use of the Application.MAPILogonComplete and Application.NewMailEx events to run the payload every time Outlook is started or a new email arrives. It then proceeds to create a folder at the path %TEMP%\Temp if it does not exist, using it as a staging folder to store TXT files created during the course of the operation and exfiltrate them to a Proton Mail address."
NotDoor is a VBA macro for Outlook that monitors incoming emails for a specific trigger word and enables data exfiltration, file upload, and remote command execution when triggered. The implant is delivered via DLL side-loading of Microsoft's OneDrive executable (onedrive.exe), which executes a malicious SSPICLI.dll that installs the VBA backdoor and disables macro security protections. The backdoor runs Base64-encoded PowerShell to beacon to an attacker-controlled webhook.site, set persistence via Registry modifications, enable macros, and suppress Outlook-related dialogues. It uses Application.MAPILogonComplete and Application.NewMailEx to execute on startup or new mail. The malware stages TXT files in %TEMP%\Temp and exfiltrates them to a Proton Mail address.
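As an added defender-side example (not from the article or from LAB52), a PowerShell hunt that checks a Windows host for the conditions described above: the Outlook VBA project file, the macro-security registry values, the %TEMP%\Temp staging folder, and an SSPICLI.dll sitting beside the OneDrive executable. The registry value names, the Office 16.0 key path, the VbaProject.OTM location and the OneDrive install paths are assumptions from standard Outlook/OneDrive layouts, not values quoted in the article.

```powershell
# Added hunt script: collects indicators matching the NotDoor write-up.
# Registry names, file locations and thresholds are assumptions, not article values.
$findings = @()

# 1. Outlook's per-user VBA project: a recently written one on a host where
#    nobody authors Outlook macros deserves a look.
$otm = Join-Path $env:APPDATA 'Microsoft\Outlook\VbaProject.OTM'
if (Test-Path $otm) {
    $f = Get-Item $otm
    $findings += "VbaProject.OTM present ($($f.Length) bytes, modified $($f.LastWriteTime))"
}

# 2. Macro security under the per-user Outlook key (Office 16.0 assumed).
#    Level=1 is "enable all macros"; LoadMacroProviderOnBoot=1 makes Outlook load
#    the VBA project at startup, which a MAPILogonComplete handler depends on.
$sec = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Security'
if (Test-Path $sec) {
    $p = Get-ItemProperty -Path $sec
    if ($p.Level -eq 1) { $findings += 'Outlook macro security Level=1 (all macros enabled)' }
    if ($p.LoadMacroProviderOnBoot -eq 1) { $findings += 'LoadMacroProviderOnBoot=1 set' }
}

# 3. Staging folder named in the article: %TEMP%\Temp holding .txt files.
$stage = Join-Path $env:TEMP 'Temp'
if (Test-Path $stage) {
    $txt = @(Get-ChildItem -Path $stage -Filter '*.txt' -File -ErrorAction SilentlyContinue)
    $findings += "Staging folder $stage exists with $($txt.Count) .txt file(s)"
}

# 4. Side-loading condition: SSPICLI.dll next to OneDrive.exe instead of in
#    System32. The two OneDrive install directories are assumptions.
$oneDriveDirs = @(
    (Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive'),
    (Join-Path $env:ProgramFiles 'Microsoft OneDrive')
)
foreach ($d in $oneDriveDirs) {
    $dll = Join-Path $d 'SSPICLI.dll'
    if (Test-Path $dll) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $findings += "SSPICLI.dll beside OneDrive at $dll (signature: $($sig.Status))"
    }
}

if ($findings.Count -eq 0) { 'No NotDoor-style indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it in the context of the user whose Outlook profile is being examined, since the registry key and VbaProject.OTM path are per-user.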
Read at The Hacker News