Keypoints
- Threat actors distribute a malicious Notion-x86.msix from spoofed websites that mimic the official Notion homepage.
- The MSIX is signed with a valid certificate, increasing user trust despite being malicious.
- Installation drops StartingScriptWrapper.ps1 and refresh.ps1; config.json configures the package to execute refresh.ps1 during install.
- refresh.ps1 is heavily obfuscated (uses blank-character variables and arithmetic) to reconstruct a ~200-character PowerShell command that fetches additional instructions from C2.
- The installer downloads 1.dat (a .NET EXE) which uses process hollowing to inject LummaC2 into RegAsm.exe and execute it.
- LummaC2 acts as an infostealer, capable of exfiltrating browser, cryptocurrency, and file data; multiple C2 domains are used for command retrieval and payload hosting.
- Defensive guidance: verify download domains and publisher signatures before running MSIX files; similar disguises have been used for other apps (Slack, WinRar, Bandicam).
MITRE Techniques
- [T1553.002] Code Signing – The malicious MSIX is presented as legitimately signed: (‘it is signed with a valid certificate.’)
- [T1204.002] User Execution: Malicious File – Installation requires user action to run the downloaded MSIX and click Install: (‘Upon clicking the download button… The user gets a file named ‘Notion-x86.msix’… Upon running the file… clicking the Install button, Notion is installed on the PC and is infected with malware.’)
- [T1036] Masquerading – The distribution site and installer impersonate the Notion application and homepage: (‘disguised as the Notion installer… The distribution website looks similar to that of the actual Notion homepage.’)
- [T1059.001] PowerShell – The package uses legitimate script wrappers and executes a PowerShell payload (refresh.ps1): (‘StartingScriptWrapper.ps1 … feature of executing the Powershell script given as an argument’ and ‘refresh.ps1 file… performs the feature of downloading commands from C2 and running them.’)
- [T1027] Obfuscated Files or Information – refresh.ps1 is obfuscated using blank characters and arithmetic to reconstruct the command: (‘obfuscated using blank characters, and the string is completed by adding an integer to each variable consisting of blanks and adding or multiplying them.’)
- [T1105] Ingress Tool Transfer – The attack fetches additional payloads from remote servers, e.g., downloading 1.dat from fleetcontents.com: (‘the hxxps://fleetcontents.com/1.dat file was downloaded and run inside PowerShell.exe.’)
- [T1055.012] Process Hollowing – 1.dat (a .NET EXE) uses process hollowing to inject LummaC2 into RegAsm.exe and run it: (‘uses the process hollowing technique to inject LummaC2 into RegAsm.exe and run it.’)
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication and command retrieval occur over HTTP(S) endpoints (e.g., ads-tooth.top/check.php and multiple /api endpoints): (‘downloads additional Powershell commands from the C2 server and executes them.’)
Indicators of Compromise
- [Distribution Websites] Malicious download hosts – hxxps://trynotion[.]org, hxxps://notion.rtpcuan138[.]com, and one further host
- [Files / Filenames] Dropped or executed files – Notion-x86.msix, refresh.ps1, and 1.dat
- [File hashes] Known malicious hashes – d888a82701f47a2aa94dcddda392c07d (Notion-x86.msix), 3cdc99c2649d1d95fe7768ccfd4f1dd5 (refresh.ps1), and one further hash
- [C2 URLs] Command-and-control and payload hosts – hxxps://ads-tooth[.]top/check.php, hxxps://fleetcontents[.]com/1.dat, and eight further /api endpoints (e.g., problemregardybuiwo[.]fun/api)
When the malicious MSIX installer is run, Windows Installer launches the package, which contains StartingScriptWrapper.ps1 and a config.json that instructs the wrapper to execute refresh.ps1. refresh.ps1 is an obfuscated PowerShell script (built from many blank-character variables combined with integer arithmetic) that assembles and runs a roughly 200-character command; that command reaches out to attacker-controlled C2 servers to fetch further instructions and payloads.
The fetched payload 1.dat is a .NET executable that is executed via PowerShell; it performs process hollowing to inject the LummaC2 loader into RegAsm.exe and execute it under that host process. LummaC2 then communicates with multiple /api C2 endpoints over HTTP(S) to receive commands and exfiltrate data (browser, cryptocurrency info, files), completing the infection chain that began with the signed MSIX masquerading as Notion.
Defensive steps include validating download domains against official sites, checking signer identity even for signed installers, and treating unexpected MSIX files with caution—particularly given similar impersonation tactics against other apps (Slack, WinRar, Bandicam).
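As an added example (not code from the advisory or from AhnLab), the following Python script performs the static triage that the defensive guidance above describes, and also covers the refresh.ps1 obfuscation pattern noted earlier: it checks the download host against an allowlist, reads the Publisher from AppxManifest.xml, lists the scripts that config.json launches at start, and scores every embedded .ps1 for blank-name variables combined with `[char]` arithmetic. Assumptions: the allowlisted hosts and the expected publisher string are placeholders to be replaced with values taken from a known-good package; config.json is assumed to follow the Package Support Framework layout (applications[].startScript.scriptPath), which is how StartingScriptWrapper.ps1 is normally driven; the detection thresholds are a starting point, not tuned values; and the sample package, including its stand-in for refresh.ps1, is constructed inline and is not the real sample. The script compares the manifest publisher only and does not validate the Authenticode signature, which needs Windows tooling.

```python
import io
import json
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Allow-listed download hosts (assumption for this example).
ALLOWED_DOWNLOAD_HOSTS = {"www.notion.so", "notion.so"}
# Publisher string expected in AppxManifest.xml (placeholder; copy it from a
# known-good package, since MSIX requires it to equal the signer's subject).
EXPECTED_PUBLISHER = "CN=EXPECTED-PUBLISHER"
APPX_NS = {"m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10"}

# ${ } style variables whose name consists only of blank or invisible characters.
BLANK_VAR_RE = re.compile(r"\$\{[ \t\u00a0\u2000-\u200b\u3000]+\}")
CHAR_CAST_RE = re.compile(r"\[char\]", re.IGNORECASE)
INVOKE_RE = re.compile(r"\b(iex|Invoke-Expression)\b", re.IGNORECASE)


def host_is_official(url: str) -> bool:
    """True only when the download URL's host is on the allowlist."""
    host = (urlparse(url).hostname or "").lower()
    return host in ALLOWED_DOWNLOAD_HOSTS


def obfuscation_report(script: str) -> dict:
    """Count blank-name variables, [char] casts and Invoke-Expression, then flag.
    Thresholds are an assumption for this example; tune them on real samples."""
    blank_vars = len(BLANK_VAR_RE.findall(script))
    char_casts = len(CHAR_CAST_RE.findall(script))
    invokes = len(INVOKE_RE.findall(script))
    suspicious = blank_vars >= 5 and (char_casts >= 3 or invokes > 0)
    return {"blank_vars": blank_vars, "char_casts": char_casts,
            "invoke_expression": invokes, "suspicious": suspicious}


def start_scripts(config: dict) -> list:
    """Script paths a PSF-style config.json runs at launch (assumed layout)."""
    paths = []
    for app in config.get("applications", []):
        path = (app.get("startScript") or {}).get("scriptPath")
        if path:
            paths.append(path)
    return paths


def triage_msix(data: bytes) -> dict:
    """Static checks on MSIX bytes: publisher, launch scripts, script obfuscation."""
    findings, publisher, scripts, reports = [], "", [], {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "AppxManifest.xml" in names:
            ident = ET.fromstring(zf.read("AppxManifest.xml")).find("m:Identity", APPX_NS)
            publisher = ident.get("Publisher", "") if ident is not None else ""
        if publisher != EXPECTED_PUBLISHER:
            findings.append(f"publisher mismatch: {publisher!r}")
        if "config.json" in names:
            scripts = start_scripts(json.loads(zf.read("config.json")))
            if scripts:
                findings.append("config.json runs a script at launch: " + ", ".join(scripts))
        for name in sorted(names):
            if name.lower().endswith(".ps1"):
                reports[name] = obfuscation_report(zf.read(name).decode("utf-8", "replace"))
                if reports[name]["suspicious"]:
                    findings.append(f"obfuscated PowerShell: {name}")
    return {"publisher": publisher, "start_scripts": scripts, "scripts": reports,
            "findings": findings,
            "verdict": "suspicious" if findings else "no static findings"}


def build_sample_msix() -> bytes:
    """Constructed package imitating the advisory's layout; not the real sample."""
    manifest = ('<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
                '<Identity Name="Constructed.App" Publisher="CN=CONSTRUCTED-SIGNER" '
                'Version="1.0.0.0"/></Package>')
    config = {"applications": [{"id": "App", "startScript": {"scriptPath": "refresh.ps1"}}]}
    # Constructed stand-in for refresh.ps1: blank-name variables plus [char] arithmetic.
    obfuscated = ("${ }=1;${  }=2;${\u00a0}=3;${   }=4;${\u2003}=5\n"
                  "$s=[char](${ }+71)+[char](${  }*50)+[char](${\u00a0}+100)\n"
                  "$s+=[char](${   }+41)+[char](${\u2003}+72)\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AppxManifest.xml", manifest)
        zf.writestr("config.json", json.dumps(config))
        zf.writestr("StartingScriptWrapper.ps1", "param($script)\n# wrapper stub (constructed)\n")
        zf.writestr("refresh.ps1", obfuscated)
    return buf.getvalue()


if __name__ == "__main__":
    print(json.dumps(triage_msix(build_sample_msix()), indent=2))
    print("download host ok:", host_is_official("https://www.notion.so/desktop"))
```

Run as a script it triages the constructed sample and reports three findings (publisher mismatch, a launch script in config.json, and an obfuscated refresh.ps1). For a real download, pass the bytes of the .msix to triage_msix; any finding is a reason to stop before clicking Install and to check the signer with Windows tooling.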
Read more: https://asec.ahnlab.com/en/62815/