Beware! Fake Notion Installer Spreads Data-Stealing Malware

Researchers at the AhnLab Security Emergency Response Center (ASEC) have uncovered a disturbing malware campaign that’s cleverly disguised as a legitimate installer for the popular Notion productivity software. This insidious scheme could put sensitive data from unsuspecting individuals and businesses at significant risk.

A website that distributes malware | Image: ASEC

The Deception

• Fake Websites: The attackers have created fraudulent websites that mimic the official Notion homepage with meticulous detail.
• Trojanized Installer: Upon clicking the download button, victims receive a file named “Notion-x86.msix” – a Windows app installer format. Crucially, it’s signed with a valid certificate, making it appear deceptively trustworthy.
• Double Attack: When the user runs the file, Notion itself gets installed – but the system is simultaneously infected with dangerous malware.

The Malware’s Attack Strategy

1. Hidden Execution: The malware leverages legitimate PowerShell scripts, including “StartingScriptWrapper.ps1”, to execute its malicious payload while staying under the radar.
2. Code Obfuscation: The main malware script, “refresh.ps1”, employs sophisticated obfuscation with blank characters to mask its true intent.
3. Command Download: The malware establishes communication with a command and control (C2) server to download further instructions. While the primary C2 is currently unresponsive, it was observed distributing the LummaC2 malware previously.
4. Secondary Payload: Investigations reveal the use of a .NET executable file (“1.dat”) that likely deploys additional payloads and injects the LummaC2 malware into a legitimate Windows process (“RegAsm.exe”) using process hollowing techniques.

The Threat: LummaC2 Infostealer

LummaC2 is a notorious infostealer designed to exfiltrate a wide range of confidential data, including:

• Browser history and saved credentials
• Cryptocurrency wallet information
• Sensitive files

How to Protect Yourself

• Source Verification: Always download software only from official websites. Double-check the website’s address (URL) for any subtle differences from the legitimate domain.
• Check Signatures: Even with valid certificates, be vigilant. Research the certificate’s issuer for reliability.
• Be Wary of MSIX Files: Exercise extra caution when handling MSIX installers. Several malware campaigns have been exploiting this format.

Stay Alert, Stay Safe

This malware campaign highlights the growing sophistication of cyberattacks. Remember, even seemingly legitimate software and familiar formats can be weaponized. Staying vigilant and adopting cybersecurity best practices is essential.