🧵Notion for malware delivery🦠
WhisperGate's Discord CDN hosted malware had me thinking, what other common desktop apps have similar file embed/retrieval capabilities?
How about my favorite notetaking app, Notion?
1- Embed your payload. I'm using a Covenant Grunt HTA
WhisperGate's Discord CDN hosted malware had me thinking, what other common desktop apps have similar file embed/retrieval capabilities?
How about my favorite notetaking app, Notion?
1- Embed your payload. I'm using a Covenant Grunt HTA
2- Running a web proxy of your choice, click to download the HTA you just embedded. Intercept this request and find the GET request to the AWS S3 resource for this file
3- This link is now your phishing/social engineering method. Deck it out with tradecraft (shorten it, come up with a good pretext, get creative)
Once the target clicks on this link, you have a file-less payload delivery mechanism coming from a high trust domain, S3 AWS
Once the target clicks on this link, you have a file-less payload delivery mechanism coming from a high trust domain, S3 AWS
4- 😈
good news, red teamers!
@NotionHQ's response to this was that this is intended functionality that a resource, regardless of access rights, is available to anyone for 24 hours if they have this link. So you now have an engine for unlimited high-trust (S3 AWS!) payload links
@NotionHQ's response to this was that this is intended functionality that a resource, regardless of access rights, is available to anyone for 24 hours if they have this link. So you now have an engine for unlimited high-trust (S3 AWS!) payload links
• • •
Missing some Tweet in this thread? You can try to
force a refresh
