
MSIX malware disguised as Notion installer targets users


In a sophisticated malware campaign, attackers distributed MSIX malware through a fake Notion website. The attackers went to great lengths to build a deceptive distribution site that mirrors the legitimate Notion homepage, putting unsuspecting users at risk.

Cybersecurity researchers from ASEC exposed the methodology of this attack. When users click the download button, they are given a file named ‘Notion-x89.msix,’ seemingly the official Windows app installer. This campaign is particularly insidious because the file is signed with a valid certificate, enhancing its credibility and making it more challenging for users to identify the threat.

Once the user runs the installer and clicks the Install button, Notion is installed on the PC. Simultaneously, the malware is silently injected into the system, initiating malicious activities. Two files, namely ‘StartingScriptWrapper.ps1’ and ‘refresh.ps1,’ are created within the application’s path during the installation process.

[Image: A sample of the fake Notion website’s homepage. | Source: ASEC]

The ‘StartingScriptWrapper.ps1’ file appeared to be legitimate: it carries a Microsoft signature and executes a PowerShell script passed to it as an argument. It reads the ‘config.json’ configuration file inside the package and runs the PowerShell script that file specifies. The actual threat, however, lies in the ‘refresh.ps1’ file, which is the malware itself.
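The wrapper-plus-config.json mechanism described above is the Package Support Framework (PSF) start-script feature, and because an MSIX is a ZIP container it can be inspected offline without installing it. The following script is an added example (not ASEC’s or Candid.Technology’s code): it reads AppxManifest.xml for the package identity and publisher, lists embedded PowerShell scripts, and extracts any PSF start-script entries from config.json. The sample package is constructed in memory, the expected publisher string is a placeholder, and the config.json field names (`applications`, `startScript`, `scriptPath`, `scriptArguments`, `runOnce`) follow the PSF schema as I understand it and should be treated as an assumption.

```python
"""Offline triage of an MSIX package for PSF start-up scripts.

Added example, not code from the article or from ASEC. The sample package
is constructed here and borrows nothing from the real campaign's files.
"""
import io
import json
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by the MSIX/AppX manifest root element.
APPX_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"


def build_sample_msix() -> bytes:
    """Constructed sample package with the shape the article describes:
    a wrapper script, a config.json naming a start script, and the payload."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
        '<Identity Name="Example.Notion" Publisher="CN=EXAMPLE SIGNER LTD" Version="1.0.0.0"/>'
        '</Package>'
    )
    config = {  # assumed PSF layout
        "applications": [
            {
                "id": "NOTION",
                "executable": "Notion/Notion.exe",
                "startScript": {
                    "scriptPath": "refresh.ps1",
                    "scriptArguments": "",
                    "runOnce": True,
                },
            }
        ]
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml", manifest)
        z.writestr("config.json", json.dumps(config))
        z.writestr("StartingScriptWrapper.ps1", "# wrapper placeholder\n")
        z.writestr("refresh.ps1", "# payload placeholder\n")
        z.writestr("Notion/Notion.exe", b"MZ")
    return buf.getvalue()


def triage_msix(data: bytes) -> dict:
    """Return publisher, package name, embedded .ps1 files and PSF start scripts."""
    result = {"publisher": None, "name": None, "scripts": [], "start_scripts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "AppxManifest.xml" in names:
            root = ET.fromstring(z.read("AppxManifest.xml"))
            ident = root.find(f"{APPX_NS}Identity")
            if ident is not None:
                result["publisher"] = ident.get("Publisher")
                result["name"] = ident.get("Name")
        # Any PowerShell script shipped inside a package deserves a look.
        result["scripts"] = sorted(n for n in names if n.lower().endswith(".ps1"))
        for n in names:
            if n.lower().endswith("config.json"):
                cfg = json.loads(z.read(n))
                for app in cfg.get("applications", []):
                    ss = app.get("startScript")
                    if ss:
                        result["start_scripts"].append({
                            "app": app.get("id"),
                            "script": ss.get("scriptPath"),
                            "args": ss.get("scriptArguments", ""),
                        })
    return result


def is_suspicious(triage: dict, expected_publisher: str) -> list:
    """Findings worth a second look: unexpected publisher or a start script."""
    findings = []
    if triage["publisher"] != expected_publisher:
        findings.append(f"publisher mismatch: {triage['publisher']!r}")
    if triage["start_scripts"]:
        names = ", ".join(s["script"] for s in triage["start_scripts"])
        findings.append("package runs a PSF start script: " + names)
    return findings


if __name__ == "__main__":
    t = triage_msix(build_sample_msix())
    print(t)
    # "CN=EXPECTED VENDOR (placeholder)" stands in for the real vendor's subject name.
    for f in is_suspicious(t, "CN=EXPECTED VENDOR (placeholder)"):
        print("FINDING:", f)
```

The manifest’s Publisher attribute must match the subject of the signing certificate for the MSIX signature to validate, so reading it is a cheap way to see who signed the package; it is not a substitute for checking the signature itself, which on Windows is done with Get-AuthenticodeSignature against the .msix file. A start script in a package that claims to be a plain desktop app is the kind of detail the researchers’ advice to “verify the signature author” is meant to catch.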

Security researchers found that the ‘refresh.ps1’ file is obfuscated with blank characters: integers are added to variables made up of blanks, combined through multiplication and addition. Despite the obfuscation, the command executed at the end of the script is a concise 200-character-long command.

This command downloads additional PowerShell commands from a command-and-control (C2) server and executes them. Although the C2 server was not responding when the researchers examined it, the analysis team confirmed in its preliminary investigation that the campaign distributes LummaC2 malware.

[Image: The process tree. | Source: ASEC]

Furthermore, an in-house log revealed that a file named ‘1.dat’ was downloaded from ‘hxxps://fleetcontents.com/’ and run inside PowerShell.exe. This file is a .NET executable that uses process hollowing to inject LummaC2 into ‘RegAsm.exe’ and execute it.
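The execution chain described above (an installed package spawning PowerShell, which in turn launches RegAsm.exe as the host for the hollowed payload) is visible in process-creation telemetry before any payload is decoded. The following is an added detection example, not code from ASEC or the article: it walks the parent chain of every RegAsm.exe start and flags those with PowerShell as an ancestor, noting whether the chain originates from a WindowsApps package path. The events are constructed, and their field names (`pid`, `ppid`, `image`) are an assumption loosely modelled on a process-create event rather than any specific product’s schema.

```python
"""Flag RegAsm.exe started from a PowerShell ancestry in process events.

Added example, not ASEC's code. SAMPLE_EVENTS is constructed to mirror the
chain the article describes and contains no real indicators.
"""

SAMPLE_EVENTS = [  # constructed process-creation events
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Program Files\WindowsApps\Example.Notion_1.0.0.0_x64__placeholder\Notion\Notion.exe"},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    # Benign control: PowerShell started by the user, no RegAsm.exe child.
    {"pid": 500, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

HOLLOW_HOST = "regasm.exe"
SCRIPT_HOST = "powershell.exe"
PACKAGE_PATH_MARKER = "\\windowsapps\\"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event: dict, by_pid: dict, max_depth: int = 16) -> list:
    """Event followed by its ancestors, nearest parent first; bounded to
    survive pid reuse or a cycle in malformed telemetry."""
    chain = [event]
    cur = event
    while cur["ppid"] in by_pid and len(chain) < max_depth:
        cur = by_pid[cur["ppid"]]
        chain.append(cur)
    return chain


def find_suspicious_chains(events: list) -> list:
    """Return one finding per RegAsm.exe start that has PowerShell as an ancestor."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) != HOLLOW_HOST:
            continue
        chain = ancestry(e, by_pid)
        names = [basename(c["image"]) for c in chain]
        if SCRIPT_HOST not in names[1:]:
            continue  # RegAsm.exe launched by something other than PowerShell
        from_package = any(PACKAGE_PATH_MARKER in c["image"].lower() for c in chain)
        findings.append({
            "pid": e["pid"],
            "chain": list(reversed(names)),      # root first, for readability
            "from_msix_package": from_package,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(SAMPLE_EVENTS):
        print(f)
```

RegAsm.exe is the .NET assembly registration tool and is normally started by installers or build tooling, so PowerShell as its ancestor, especially with a packaged app further up the tree, is a narrow and low-noise condition to alert on; the `from_msix_package` flag separates this campaign’s shape from generic script-host abuse.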

LummaC2 info stealer has been seen quite often in the news. On January 9, it was reported that hackers were using YouTube channels to distribute Lumma Stealer. In October last year, it was discovered that the threat actors were using Discord’s content delivery network (CDN) to distribute Lumma.

Researchers have urged users to scrutinise files before downloading them and to ensure they come from official domains. They also cautioned users to verify the signature author, even when the certificate appears legitimate.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
