NotDoor Malware

MITRE Techniques

• [T1036 ] Masquerading – Uses a legitimate signed Microsoft OneDrive.exe binary to load a malicious SSPICLI.dll via DLL side-loading (“the infection chain begins with Fancy Bear leveraging a legitimate, signed Microsoft OneDrive.exe binary, vulnerable to DLL side-loading”).
• [T1213 ] Data from Information Repositories – Exfiltrates files via email attachments and stores them in %TEMP%Temp before sending (“Exfiltrated files are stored in %TEMP%Temp, named using predefined formats and extensions, and sent to an attacker-controlled email”).
• [T1112 ] Modify Registry – Achieves persistence and disables macro prompts by modifying Outlook registry keys under SoftwareMicrosoftOffice16.0OutlookSecurity (“modifies the Windows registry, enabling automatic macro execution… further disables macro security protections by altering the `Level` subkey”).
• [T1059.001 ] Command and Scripting Interpreter: PowerShell – Executes Base64-encoded PowerShell commands to copy payloads and perform network callbacks (“the malicious DLL executes three Base64-encoded PowerShell commands… one copies the malicious file… another performs an nslookup… the third sends a curl request”).
• [T1064 ] Scripting – Uses VBA macros within Outlook to implement backdoor functionality and trigger on Outlook events (“a VBA macro-based malware… Outlook executes the embedded macros” and “utilizing events to trigger code execution when Outlook starts or a new email arrives”).
• [T1566.001 ] Phishing: Spearphishing Attachment – Initial delivery and activation rely on malicious attachments/macros in Outlook-triggering emails and specific trigger strings (“The backdoor monitors incoming emails for specific trigger strings, such as ‘Daily Report,’ which activate its malicious capabilities”).
• [T1033 ] System Owner/User Discovery – Uses victim username in DNS/webhook checks to confirm deployment (“performs an nslookup to a webhook.site domain incorporating the victim’s username”).