Russian Threat Group Targets Microsoft Outlook With Malware
Briefly

"APT28 is abusing Outlook as a covert channel through a VBA macro backdoor named NotDoor," Jason Soroko, Senior Fellow at Sectigo, explains. "Delivery uses DLL sideloading of a malicious SSPICLI.dll by the signed OneDrive.exe to disable macro protections and stage commands. The macro watches inbound mail for a trigger word and can exfiltrate data, upload files and run commands. This blends with trusted binaries and normal mail flow and can slip past perimeter tools and basic detections."
"This is a significant development, and it highlights a few key points that organizations and security teams need to address immediately. The use of Microsoft Outlook as a vector is particularly concerning because of its ubiquity in business environments. APT28 leveraging Outlook macros as a covert communication and data exfiltration channel underscores the importance of hardening email systems and endpoint defenses. This isn't just about patching vulnerabilities, it's about recognizing that trusted applications like Outlook can be weaponized in ways that bypass traditional defenses."
A new Outlook backdoor linked to APT28 leverages a legitimate signed binary to deploy a malicious DLL that disables macro security defenses. The malicious SSPICLI.dll is sideloaded by the signed OneDrive.exe to disable macro protections and stage further commands. After macro protections are disabled, a VBA macro named NotDoor is delivered into targeted networks. The macro monitors inbound mail for a trigger word and can exfiltrate data, upload files, and execute commands. The technique blends with trusted binaries and normal mail flow to evade perimeter tools and basic detections. Hardening email systems, endpoint defenses, application whitelisting, and monitoring of signed binaries are critical mitigations.
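One concrete form of the "monitoring of signed binaries" mitigation is to check image-load telemetry for a system DLL name being loaded from somewhere other than the Windows system directories, which is exactly the OneDrive.exe / SSPICLI.dll pattern described above. The following is an added example, not code from the article or from any vendor: it runs a simple sideloading check over constructed Sysmon-style "Image loaded" records. The trusted directory list, the extra DLL names beyond SSPICLI.dll, and all sample paths are assumptions for illustration.

```python
"""Flag possible DLL sideloading from image-load telemetry.

Added example (not from the article). Each record mimics the fields a
Sysmon Event ID 7 (Image loaded) event exposes; all paths are constructed.
"""
from __future__ import annotations

import ntpath

# Directories from which Windows system DLLs are legitimately loaded.
# Assumption: default install locations; adjust for your environment.
TRUSTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)

# System DLL names to watch. SSPICLI.dll comes from the article; the other
# names are assumed additions that commonly appear in sideloading reports.
SYSTEM_DLL_NAMES = {"sspicli.dll", "version.dll", "cryptbase.dll"}


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return path.replace("/", "\\").lower()


def is_in_trusted_dir(dll_path: str) -> bool:
    """True if the DLL sits directly in one of the trusted system directories."""
    directory = ntpath.dirname(_norm(dll_path))
    return any(directory == trusted for trusted in TRUSTED_DLL_DIRS)


def classify_image_load(event: dict) -> str | None:
    """Return a finding string for a suspicious load, or None if it looks normal."""
    dll = _norm(event["ImageLoaded"])
    name = ntpath.basename(dll)
    if name in SYSTEM_DLL_NAMES and not is_in_trusted_dir(dll):
        proc = ntpath.basename(_norm(event["Image"]))
        signed = str(event.get("Signed", "false")).lower() == "true"
        # A signed host process loading a system-named DLL from an unexpected
        # directory is the OneDrive.exe / SSPICLI.dll pattern from the article.
        return (f"possible DLL sideloading: {proc} (signed={signed}) loaded "
                f"{name} from {ntpath.dirname(dll)}")
    return None


def scan(events: list[dict]) -> list[str]:
    """Run the check over a batch of image-load events and collect findings."""
    return [finding for e in events if (finding := classify_image_load(e))]


# Constructed sample telemetry: one benign system load, one sideload from the
# application's own directory, one unrelated benign load.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "ImageLoaded": r"C:\Windows\System32\SSPICLI.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\SSPICLI.dll",
     "Signed": "true"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "ImageLoaded": r"C:\Windows\System32\VERSION.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the second sample event is reported: the DLL name is one Windows normally serves from System32, but it is loaded from the application's own directory by a signed process. In a real deployment the same rule would be expressed in the SIEM's query language over the raw Sysmon or EDR events, and the trusted directory list would be taken from the actual system root rather than hard-coded.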
Read at Securitymagazine