Distribution of MSIX Malware Disguised as Notion Installer

MSIX malware disguised as the Notion installer is being distributed. The distribution website is made to look like the actual Notion homepage.

Figure 1. Website that distributes malware


The user receives a file named “Notion-x86.msix” upon clicking the download button. This file is a Windows app installer package (MSIX), and it is signed with a valid certificate.

Figure 2. The signature information of the malicious installer


The user sees the following pop-up upon running the file. When the Install button is clicked, Notion is installed on the PC and the PC is infected with malware at the same time.

Figure 3. Installation process of the malicious installer


Upon installation, the files StartingScriptWrapper.ps1 and refresh.ps1 are created inside the application’s path. StartingScriptWrapper.ps1 is a legitimate, Microsoft-signed script (shipped with the MSIX Package Support Framework) whose function is to execute the PowerShell script passed to it as an argument. Through it, the config.json configuration file inside the package is read during the installation process and the PowerShell script it specifies is executed. The package’s config.json is configured to run refresh.ps1, as shown below:

Figure 4. config.json’s file content


The file that is run during this process, refresh.ps1, is the actual malware: it downloads commands from the C2 server and executes them.
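The package mechanism described above can be checked offline, because an MSIX is a ZIP container: the publisher is in AppxManifest.xml, and a bundled StartingScriptWrapper.ps1 plus a config.json naming a script is exactly what lets the package run refresh.ps1. The following script is an added example, not ASEC’s tooling or the contents of the real Notion-x86.msix; it assumes the Package Support Framework config.json layout (`applications[].startScript.scriptPath`), and the sample package, publisher strings and file names it builds are constructed placeholders.

```python
"""Offline triage of an MSIX package: pull the publisher from AppxManifest.xml
and find any Package Support Framework (PSF) script the package would launch.
An MSIX is a ZIP container, so no Windows tooling is needed to look inside."""
import io
import json
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the <Identity> element in AppxManifest.xml.
APPX_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"
PSF_WRAPPER = "startingscriptwrapper.ps1"


def inspect_msix(package: bytes) -> dict:
    """Return the package identity plus PSF indicators: whether the signed
    Microsoft script wrapper is bundled and which scripts config.json names."""
    info = {"name": None, "publisher": None, "has_psf_wrapper": False, "scripts": []}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = zf.namelist()
        if "AppxManifest.xml" in names:
            root = ET.fromstring(zf.read("AppxManifest.xml"))
            ident = root.find(APPX_NS + "Identity")
            if ident is not None:
                info["name"] = ident.get("Name")
                info["publisher"] = ident.get("Publisher")
        for entry in names:
            leaf = entry.rsplit("/", 1)[-1].lower()
            if leaf == PSF_WRAPPER:
                info["has_psf_wrapper"] = True
            elif leaf == "config.json":
                try:
                    cfg = json.loads(zf.read(entry).decode("utf-8-sig"))
                except (ValueError, UnicodeDecodeError):
                    continue
                # Assumed PSF schema: applications[].startScript/endScript.scriptPath
                for app in cfg.get("applications", []):
                    for key in ("startScript", "endScript"):
                        script = app.get(key)
                        if isinstance(script, dict) and script.get("scriptPath"):
                            info["scripts"].append(script["scriptPath"])
    return info


def triage(info: dict, expected_publisher: str) -> list:
    """Reasons not to click Install. A valid signature only proves that someone
    signed the package; the publisher string must also be the one you expect."""
    reasons = []
    if info["publisher"] != expected_publisher:
        reasons.append(f"publisher is {info['publisher']!r}, expected {expected_publisher!r}")
    if info["has_psf_wrapper"]:
        reasons.append("bundles StartingScriptWrapper.ps1 (PSF script launcher)")
    for script in info["scripts"]:
        reasons.append(f"config.json launches PowerShell script {script!r}")
    return reasons


def build_sample_msix(publisher: str, with_psf: bool) -> bytes:
    """Constructed test package: minimal stand-ins for the manifest, the PSF
    files and config.json, not the contents of the real Notion-x86.msix."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
        f'<Identity Name="Notion" Publisher="{publisher}" Version="1.0.0.0" ProcessorArchitecture="x86"/>'
        '</Package>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AppxManifest.xml", manifest)
        zf.writestr("app/Notion.exe", b"MZ")  # placeholder, not a real binary
        if with_psf:
            zf.writestr("StartingScriptWrapper.ps1", "# stand-in for the Microsoft-signed wrapper\n")
            zf.writestr("refresh.ps1", "# stand-in for the obfuscated downloader\n")
            zf.writestr("config.json", json.dumps({
                "applications": [{"id": "Notion",
                                  "executable": "app/Notion.exe",
                                  "startScript": {"scriptPath": "refresh.ps1",
                                                  "showWindow": False,
                                                  "waitForScriptToFinish": True}}]
            }))
    return buf.getvalue()


if __name__ == "__main__":
    # "CN=Example Publisher" is a placeholder; use the vendor's real publisher string.
    pkg = build_sample_msix("CN=Some Other Signer", with_psf=True)
    for reason in triage(inspect_msix(pkg), "CN=Example Publisher"):
        print("-", reason)
```

This only reads the package; it does not validate the Authenticode signature. On Windows, `signtool verify /pa /v Notion-x86.msix` shows the signer chain, which is the publisher name users are advised to check below.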

The refresh.ps1 file is obfuscated using blank characters: the script stores strings of blanks in variables, turns each into a number by adding an integer to it, and adds or multiplies those numbers to assemble the final string. The obfuscated script is 8,663 characters long, but the string that is ultimately executed is a 200-character command.

Figure 5. refresh.ps1’s file content

Figure 6. Unobfuscation of refresh.ps1


This command downloads additional PowerShell commands from the C2 server and executes them. The C2 server is not currently responding properly, but the analysis team confirmed during the initial analysis that it distributed the LummaC2 malware.

Additionally, in-house logs revealed that the file hxxps://fleetcontents[.]com/1.dat was downloaded and run inside PowerShell.exe. Given this, the C2 likely responded with a command that downloads 1.dat from another C2 and loads it.

1.dat is a .NET executable that uses the process hollowing technique to inject LummaC2 into RegAsm.exe and run it there.

The process tree of the malicious behavior is as follows. Because the package is installed via the Windows app installer, the chain begins from the corresponding service host process.

Figure 7. The process tree
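The chain described above (PowerShell running the PSF wrapper out of the package folder, RegAsm.exe spawned by PowerShell, and connections to the C2 hosts listed in the IOC section) can be turned into a few hunting rules over endpoint telemetry. The following is an added example, not ASEC’s detection content; it assumes Sysmon-style process and network events with the fields shown, a svchost.exe parent for the first PowerShell instance, and a placeholder command line and WindowsApps package folder name. The sample events are constructed.

```python
"""Hunting rules for the service host -> PowerShell (PSF wrapper) -> RegAsm.exe
-> C2 chain, run over constructed Sysmon-style events."""
import ntpath

# Defanged C2 hosts copied from the IOC section of this post.
DEFANGED_C2 = [
    "ads-tooth[.]top",
    "fleetcontents[.]com",
    "problemregardybuiwo[.]fun",
    "technologyenterdo[.]shop",
    "lighterepisodeheighte[.]fun",
    "detectordiscusser[.]shop",
    "edurestunningcrackyow[.]fun",
    "pooreveningfuseor[.]pw",
    "turkeyunlikelyofw[.]shop",
    "associationokeo[.]shop",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxps://x[.]y) back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


C2_HOSTS = {refang(h) for h in DEFANGED_C2}


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def check_event(ev: dict) -> list:
    """Return the hunting signals one event triggers (empty list = nothing)."""
    hits = []
    if ev["type"] == "process":
        image = image_name(ev["image"])
        parent = image_name(ev["parent_image"])
        cmdline = ev.get("command_line", "").lower()
        # PSF wrapper started from the WindowsApps folder: the mechanism the
        # package abuses to run refresh.ps1. Legitimate PSF packages exist, so
        # this is a hunting lead to review, not a verdict on its own.
        if (image == "powershell.exe" and "startingscriptwrapper.ps1" in cmdline
                and "\\windowsapps\\" in cmdline):
            hits.append("PSF StartingScriptWrapper.ps1 launched from an MSIX package")
        # RegAsm.exe is the hollowing target 1.dat uses for LummaC2; a PowerShell
        # parent for it is abnormal.
        if parent == "powershell.exe" and image == "regasm.exe":
            hits.append("RegAsm.exe spawned by PowerShell (process hollowing target)")
    elif ev["type"] == "network":
        host = ev["dest_host"].lower()
        if host in C2_HOSTS:
            hits.append(f"{image_name(ev['image'])} connected to known C2 {host}")
    return hits


def hunt(events: list) -> list:
    """(event index, signal) pairs for every event that fired a rule."""
    return [(i, sig) for i, ev in enumerate(events) for sig in check_event(ev)]


# Constructed sample telemetry; the package folder name and command line are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -ExecutionPolicy Bypass -File "C:\Program Files\WindowsApps\ExamplePkg_1.0.0.0_x86__abcdefghijklm\StartingScriptWrapper.ps1" refresh.ps1'},
    {"type": "process", "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "command_line": "RegAsm.exe"},
    {"type": "network", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "dest_host": "problemregardybuiwo.fun"},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile"},      # benign interactive use
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "www.notion.so"},                      # benign
]

if __name__ == "__main__":
    for idx, signal in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {signal}")
```

The first rule will also fire on legitimate packages that use the Package Support Framework, so treat it as a lead to be confirmed by the script it launches and the signer of the package; the RegAsm.exe and C2 rules are much higher confidence.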


LummaC2 is an infostealer that steals data such as browser information, cryptocurrency wallet information, and files. For more information about LummaC2, see the following blog article.

Before running a file, users should confirm that it came from the domain of the official website and should check who signed it, even when it carries a valid certificate. Extra caution is advised when executing MSIX files, because multiple malicious variants impersonate not only Notion but also applications such as Slack, WinRAR, and Bandicam.

[IOC Information]

Distribution Websites

  • hxxps://trynotion[.]org
  • hxxps://notion.rtpcuan138[.]com
  • hxxps://emobileo[.]com/Notion-x86.msix

Files

  • d888a82701f47a2aa94dcddda392c07d (Dropper/APPX.LummaC2 2024.02.28.00) (Notion-x86.msix)
  • 3cdc99c2649d1d95fe7768ccfd4f1dd5 (Downloader/PowerShell.Obfus 2024.02.28.00) (refresh.ps1)
  • 8a3a10fcb3f67c01cd313a39ab360a80 (Trojan/Win.Generic.C5557471 2024.02.27.01) (1.dat)

C2

  • hxxps://ads-tooth[.]top/check.php (refresh.ps1)
  • hxxps://fleetcontents[.]com/1.dat (check.php)
  • hxxps://problemregardybuiwo[.]fun/api (LummaC2)
  • hxxps://technologyenterdo[.]shop/api (LummaC2)
  • hxxps://lighterepisodeheighte[.]fun/api (LummaC2)
  • hxxps://detectordiscusser[.]shop/api (LummaC2)
  • hxxps://edurestunningcrackyow[.]fun/api (LummaC2)
  • hxxps://pooreveningfuseor[.]pw/api (LummaC2)
  • hxxps://turkeyunlikelyofw[.]shop/api (LummaC2)
  • hxxps://associationokeo[.]shop/api (LummaC2)

[…] at the AhnLab Security Emergency Response Center (ASEC) have uncovered a disturbing malware campaign that’s cleverly disguised as a legitimate […]

trackback

[…] Cybersecurity researchers from ASEC exposed the methodology of this attack. When users click the download button, they are given a file named ‘Notion-x89.msix,’ seemingly the official Windows app installer. This campaign is particularly insidious because the file is signed with a valid certificate, enhancing its credibility and making it more challenging for users to identify the threat. […]

trackback

[…] installation, the malware executes a malicious script designed to steal sensitive information from the victim’s computer. This […]

trackback

[…] The user clicks Install and gets malware-infected Notion. Installs create StartingScriptWrapper.ps1 and refresh.ps1 in the app path, ASEC said. […]

trackback

[…] Intelligence Center (ASEC) and eSentire revealed that counterfeit installers for Adobe Reader, Notion and Synaptics are being distributed via fake PDF files and seemingly legitimate websites to deploy […]

trackback

[…] In January 2024, a malware campaign known as DarkGate was discovered that exploited a recent security vulnerability in Microsoft Windows. According to Trend Micro, users were tricked through PDF files with Google DoubleClick Digital Marketing (DDM) redirects that led to compromised sites hosting CVE-2024-21412, a vulnerability that allowed malicious Microsoft software (.MSI) to be installed by bypassing the Windows SmartScreen smart protection system. […]

trackback

[…] from AhnLab (ASEC) and eSentire revealed that counterfeit installers for Adobe Reader, Notion and Synaptics are being distributed through fake PDF files and seemingly legitimate websites […]
