Built one of these as part of an RT exercise a few months ago after our TI guys flagged some articles about them, BSL/LwiS had listed the Cisco article (I think). It deployed well, no detections. Started it from a BitB style window on a few endpoints, user clicked etc. Like this sample, S2 dl’d some payloads to specified location, decrypted/decompressed then performed side loading to launch a C2 callback. SOC got some good custom detection data out of it.
Solid effort! Well done! I especially value that it helped your SOC get some custom detections out of it which fingers crossed will help find malice in the future 👌
Does the malware only get installed and launched if the user clicked "install" and went through the installation? Or does it run as soon as they double-click it? I'm paranoid because I happened to open the installer for the fake Notion one, but I noticed right away that it was off and my antivirus quarantined it automatically before I could react. I don't want my accounts hacked.
Only gets installed if you clicked install, yeah. If it did, you'd be able to find remnants in C:\Users\[yourusername]\AppData\Local\Packages\, which would have the Notion application named folder and LocalCache\Roaming inside of that.
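A quick way to check for the remnants the reply above describes, as an added example (this is not the commenter's code and not from the Cisco article). It assumes the per-user Packages folder and the registered package name contain "notion", as the reply says, and that the payload leftovers sit under LocalCache\Roaming; adjust the pattern for any other impersonated application.

```powershell
# Added example: look for leftovers of a sideloaded MSIX/AppX package under the
# per-user Packages directory. Assumption: the folder/package name contains "notion".
$pattern      = '*notion*'
$packagesRoot = Join-Path $env:LOCALAPPDATA 'Packages'

# 1. Per-user package data folders. These can survive even when the package
#    itself was removed uncleanly, so they are the first place to look.
$folders = Get-ChildItem -Path $packagesRoot -Directory -Filter $pattern -ErrorAction SilentlyContinue
foreach ($f in $folders) {
    Write-Host "Package data folder: $($f.FullName)"
    # The reply points at LocalCache\Roaming as the spot where the remnants live.
    $roaming = Join-Path $f.FullName 'LocalCache\Roaming'
    if (Test-Path $roaming) {
        Get-ChildItem -Path $roaming -Recurse -File -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime |
            Format-Table -AutoSize
    }
}

# 2. Is a matching package still registered for the current user?
#    Compare Publisher against the genuine vendor's certificate subject; a
#    SignatureKind of Developer or Enterprise on a "store" app is worth a closer look.
$pkgs = Get-AppxPackage -Name $pattern -ErrorAction SilentlyContinue
foreach ($p in $pkgs) {
    Write-Host "Registered package: $($p.PackageFullName)"
    Write-Host "  InstallLocation: $($p.InstallLocation)"
    Write-Host "  Publisher:       $($p.Publisher)"
    Write-Host "  SignatureKind:   $($p.SignatureKind)"
}

# 3. Removal, left commented out: run only after confirming the package is the fake one.
# $pkgs | Remove-AppxPackage
```

Run it in a normal (non-elevated) PowerShell session as the user who opened the installer, since both the Packages folder and Get-AppxPackage are per-user. An empty result from both steps is consistent with the reply's point that nothing is installed unless "install" was actually clicked.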
Haven't seen any of these in my day job yet, but probably just a matter of time. Thanks for the info on this!
No worries at all! They're definitely doing the rounds at the moment so I'm afraid that it may only be a matter of time too. All the best!
@cyberraiju thank you!
Thanks for the analysis!
My pleasure! Thanks for watching.
Thank you... this is insightful ❤
Wikipedia citations link to sites which try to spread this type of stuff.
Thanks, that was really helpful.
You're welcome! Glad I could help! 🙂
Thank you
You're welcome! 😄