A counterfeit installer for Notion, a popular collaboration platform boasting over 30 million users globally, has been identified. This fraudulent installer is designed to disseminate malware with the intent of stealing personal data, including cryptocurrency details.
On February 27, AhnLab, a cybersecurity firm based in South Korea, identified phishing pages that were distributing malicious files. Two days following their discovery, AhnLab announced that the malware was being spread via three websites, which bear a striking resemblance to the official Notion website.
When a user clicks the download button on a counterfeit website, a file labeled “Notion-x86.msix” is downloaded to their device. During installation, this file executes a malicious script designed to activate code that pilfers private information from the victim’s computer. This can include details from cryptocurrency wallet applications, screenshots, browser data, and information about other installed software. To evade detection and reduce suspicion, the attackers employ a two-pronged strategy: they attach a valid digital signature to the downloaded file and simultaneously install the legitimate Notion application alongside the malware.
In an interview with The Readable, AhnLab disclosed that it was unable to determine the origin of these counterfeit websites. However, the company noted a significant detail: the name of the malicious file being distributed matches that of a file discovered in March of the previous year. Based on this similarity, AhnLab suggested the possibility that the same cyberattack group identified earlier might be responsible. This group had previously utilized the malicious file named “LummaC2,” which they distributed through counterfeit crack installers that masqueraded as legitimate software.
Furthermore, reports have emerged indicating that additional malicious files are impersonating well-known software applications, including Slack, WinRar, and Bandicam. These applications, which offer business messaging, file compression, and screen recording functionalities, respectively, have a vast user base worldwide. AhnLab has emphasized the importance of downloading files exclusively from official websites and ensuring that the publisher’s signature matches the official source, even if the signature initially seems legitimate. Particularly, the cybersecurity firm has recommended heightened vigilance with files ending in “msix,” signaling a potential risk.
