Counterfeit Notion website distributes malware to harvest user data

Screen capture of phishing website of Notion. Source: AhnLab

By Chanwoo Yong, The Readable
Mar. 5, 2024 8:30PM GMT+9

A counterfeit installer for Notion, a popular collaboration platform boasting over 30 million users globally, has been identified. This fraudulent installer is designed to disseminate malware with the intent of stealing personal data, including cryptocurrency details.

On February 27, AhnLab, a cybersecurity firm based in South Korea, identified phishing pages that were distributing malicious files. Two days following their discovery, AhnLab announced that the malware was being spread via three websites, which bear a striking resemblance to the official Notion website.

When a user clicks the download button on a counterfeit website, a file named “Notion-x86.msix” is downloaded to their device. During installation, this package runs a malicious script that launches code to steal private information from the victim’s computer, including data from cryptocurrency wallet applications, screenshots, browser data, and an inventory of other installed software. To evade detection and reduce suspicion, the attackers use a two-pronged strategy: the downloaded file carries a valid digital signature, and the package installs the legitimate Notion application alongside the malware, so the victim sees the expected program appear. A valid signature only proves that the file was signed with some certificate and has not been altered since; it says nothing about whether the signer is Notion.

In an interview with The Readable, AhnLab disclosed that it was unable to determine the origin of these counterfeit websites. However, the company noted a significant detail: the name of the malicious file being distributed matches that of a file discovered in March of the previous year. Based on this similarity, AhnLab suggested that the same cyberattack group identified earlier might be responsible. That group had previously distributed the LummaC2 infostealer through counterfeit crack installers that masqueraded as legitimate software.

Furthermore, reports have emerged indicating that additional malicious files are impersonating well-known software applications, including Slack, WinRAR, and Bandicam. These applications, which offer business messaging, file compression, and screen recording functionalities, respectively, have a vast user base worldwide. AhnLab has emphasized the importance of downloading files exclusively from official websites and of checking that the publisher named in the file’s signature is the software’s actual vendor, rather than merely confirming that the signature is valid. In particular, the cybersecurity firm has recommended heightened vigilance with files ending in “.msix,” since the format can run a script during installation.
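The two checks recommended above (who the publisher is, and whether an MSIX package will run a script during installation) can be automated before a package is ever installed, because an MSIX file is a ZIP container whose AppxManifest.xml declares the package identity, and a package that needs to run a script at launch typically ships a Package Support Framework config.json with a “startScript” entry. The following Python script is an added example written for this article, not code from AhnLab or from the campaign; it builds a small constructed MSIX-like archive in memory (the publisher string, file names and script are all invented placeholders), then reports the manifest publisher, flags a mismatch against an expected publisher you supply, and lists any PSF start scripts. The article does not state that the Notion lookalike used PSF specifically; that is an assumption about the most common mechanism.

```python
import io
import json
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by the <Package> element of AppxManifest.xml (real Microsoft schema URI).
APPX_NS = {"m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10"}


def parse_manifest(manifest_xml: bytes) -> dict:
    """Return the package identity (Name, Publisher, Version) from AppxManifest.xml."""
    root = ET.fromstring(manifest_xml)
    identity = root.find("m:Identity", APPX_NS)
    if identity is None:
        raise ValueError("AppxManifest.xml has no <Identity> element")
    return {key: identity.get(key) for key in ("Name", "Publisher", "Version")}


def find_psf_start_scripts(zf: zipfile.ZipFile) -> list:
    """List Package Support Framework 'startScript' entries found in any config.json.

    PSF lets a package run a script before its main executable starts; an entry
    here means the package will execute something beyond simply copying files.
    """
    hits = []
    for name in zf.namelist():
        if not name.lower().endswith("config.json"):
            continue
        try:
            cfg = json.loads(zf.read(name))
        except ValueError:
            continue  # not JSON, so not a PSF config
        for app in cfg.get("applications", []):
            script = app.get("startScript")
            if script:
                hits.append({"config": name, "id": app.get("id"),
                             "scriptPath": script.get("scriptPath"),
                             "waitForScriptToFinish": script.get("waitForScriptToFinish")})
    return hits


def inspect_msix(data: bytes, expected_publisher: str) -> dict:
    """Inspect an MSIX package held in memory and return identity, scripts and findings."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        identity = parse_manifest(zf.read("AppxManifest.xml"))
        scripts = find_psf_start_scripts(zf)
    findings = []
    if identity["Publisher"] != expected_publisher:
        findings.append(f"publisher mismatch: manifest says {identity['Publisher']!r}")
    if scripts:
        findings.append(f"{len(scripts)} PSF startScript entry(ies) will run at launch")
    return {"identity": identity, "start_scripts": scripts,
            "findings": findings, "suspicious": bool(findings)}


# Constructed sample data for the demonstration; the publisher is an invented placeholder.
SAMPLE_PUBLISHER = "CN=Example Signer Ltd, O=Example Signer Ltd, C=GB"
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="Notion" Publisher="{SAMPLE_PUBLISHER}" Version="2.0.0.0"/>
</Package>""".encode()
SAMPLE_PSF_CONFIG = json.dumps({"applications": [{
    "id": "Notion",
    "executable": "VFS/ProgramFilesX64/Notion/Notion.exe",
    "startScript": {"scriptPath": "setup.ps1", "waitForScriptToFinish": True},
}]}).encode()


def build_sample_msix(with_psf: bool = True) -> bytes:
    """Build an in-memory ZIP laid out like an MSIX (constructed test fixture, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AppxManifest.xml", SAMPLE_MANIFEST)
        if with_psf:
            zf.writestr("config.json", SAMPLE_PSF_CONFIG)
            zf.writestr("setup.ps1", "# placeholder script for the demonstration\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Assumed expected publisher; substitute the vendor's real certificate subject when checking a real file.
    report = inspect_msix(build_sample_msix(), expected_publisher="CN=Expected Vendor")
    print(json.dumps(report, indent=2))
```

The manifest Publisher is worth checking because Windows refuses to install an MSIX whose signing certificate subject does not equal that attribute, so the string in the manifest is the identity the signer actually holds; to verify the signature itself, rather than just read the declared publisher, run the file through a signature verifier such as signtool or PowerShell’s Get-AuthenticodeSignature and compare the certificate subject against the vendor’s known publisher string.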

This article was edited by Dain Oh and copyedited by Arthur Gregory Willers.

Chanwoo Yong is a reporting intern for The Readable. Majoring in cybersecurity at Korea University, Yong has an intense interest in cybercrime and cybercriminals as well as a passion for making cybersecurity and its surrounding issues understandable to the general reader. Yong aspires to become a bridge between cybersecurity experts and the public by translating the experts’ language into layman’s terms the public can understand. Yong has worked as a data engineer for an AI Platform belonging to Korea University Anam Hospital, where he participated in research titled “Deep Learning-Based Prediction Model for Gait Recovery after Spinal Cord Injury.”