An MSIX malware disguised as the Notion installer is being distributed. The distribution website looks similar to that of the actual Notion homepage.
正在分发伪装成 Notion 安装程序的 MSIX 恶意软件。分发网站看起来与实际的 Notion 主页相似。
Figure 1. Website that distributes malware
图 1.传播恶意软件的网站
The user gets a file named “Notion-x86.msix” upon clicking the download button. This file is Windows app installer, and it is signed with a valid certificate.
用户在单击下载按钮时会收到一个名为“Notion-x86.msix”的文件。此文件是 Windows 应用安装程序,并使用有效证书进行签名。
Figure 2. The signature information of the malicious installer
图2.恶意安装程序的签名信息
The user gets the following pop-up upon running the file. Upon clicking the Install button, Notion is installed on the PC and is infected with malware.
用户在运行文件时会收到以下弹出窗口。单击“安装”按钮后,Notion 安装在 PC 上并感染了恶意软件。
Figure 3. Installation process of the malicious installer
图3.恶意安装程序的安装过程
Upon installing, StartingScriptWrapper.ps1 and refresh.ps1 files are created inside the application’s path. The StartingScriptWrapper.ps1 file is a legitimate file that contains the MS signature with a feature of executing the Powershell script given as an argument. This file allows the config.json configuration file inside the package to be read during the installation process. It then allows the execution of a certain Powershell script. The package’s config.json is configured to run refresh.ps1 as shown below:
安装后,将在应用程序的路径中创建 StartingScriptWrapper.ps1 和 refresh.ps1 文件。StartingScriptWrapper.ps1 文件是一个合法文件,其中包含 MS 签名,具有执行作为参数提供的 Powershell 脚本的功能。此文件允许在安装过程中读取包内的config.json配置文件。然后,它允许执行某个 Powershell 脚本。包的config.json配置为运行 refresh.ps1,如下所示:
Figure 4. config.json’s file content
图4.config.json的文件内容
The file that is run during this process (refresh.ps1) is the actual malware, and it performs the feature of downloading commands from C2 and running them.
在此过程中运行的文件 (refresh.ps1) 是实际的恶意软件,它执行从 C2 下载命令并运行它们的功能。
The refresh.ps1 file is obfuscated using blank characters, and the string is completed by adding an integer to each variable consisting of blanks and adding or multiplying them. The obfuscated script consists of 8,663 characters, but the string executed at the end is a 200-character long command.
refresh.ps1 文件使用空字符进行模糊处理,并通过向每个由空格组成的变量添加一个整数并将它们相加或相乘来完成字符串。经过模糊处理的脚本由 8,663 个字符组成,但末尾执行的字符串是一个 200 个字符长的命令。
Figure 5. refresh.ps1’s file content
图5.refresh.ps1 的文件内容
Figure 6. Unobfuscation of refresh.ps1
图6.refresh.ps1 的取消混淆
This command downloads additional Powershell commands from the C2 server and executes them. The C2 server is currently not responding properly, but the analysis team confirmed the distribution of LummaC2 malware during the initial analysis.
此命令从 C2 服务器下载其他 Powershell 命令并执行它们。C2 服务器当前无法正常响应,但分析团队在初始分析期间确认了 LummaC2 恶意软件的分布。
Additionally, the in-house logs revealed that the hxxps://fleetcontents.com/1.dat file was downloaded and run inside PowerShell.exe. Given the information, this C2 likely responded to the command to download and load 1.dat from other C2.
此外,内部日志显示,hxxps://fleetcontents.com/1.dat 文件已下载并在PowerShell.exe内运行。根据这些信息,此 C2 可能响应了从其他 C2 下载和加载1.dat的命令。
1.dat is a .NET EXE file that uses the process hollowing technique to inject LummaC2 into RegAsm.exe and run it.
1.dat 是一个 .NET EXE 文件,它使用进程挖空技术将 LummaC2 注入RegAsm.exe并运行它。
The process tree of the malicious behavior is as follows. As it is executed via Windows Installer, the behavior begins from the relevant service host.
恶意行为的进程树如下。当它通过 Windows Installer 执行时,该行为从相关的服务主机开始。
Figure 7. The process tree
图7.进程树
LummaC2 is an Infostealer that can steal data such as the browser information, cryptocurrency information, and files. For information about LummaC2, check the following blog article.
LummaC2 是一种信息窃取程序,可以窃取浏览器信息、加密货币信息和文件等数据。有关 LummaC2 的信息,请查看以下博客文章。
Before running the files, users should check whether the files are from the domains of official websites and check the signature author even when the files are signed with legitimate certificates. And extra caution is advised when executing MSIX files, because multiple malicious variations take disguise of not only Notion, but also applications such as Slack, WinRar, and Bandicam.
在运行文件之前,用户应检查文件是否来自官方网站的域,即使文件是使用合法证书签名的,也应检查签名作者。在执行 MSIX 文件时,建议格外小心,因为多个恶意变体不仅会伪装 Notion,还会伪装 Slack、WinRar 和 Bandicam 等应用程序。
[IOC Information] [国际奥委会信息]
Distribution Websites 分销网站
- hxxps://trynotion[.]org
- hxxps://notion.rtpcuan138[.]com
- hxxps://emobileo[.]com/Notion-x86.msix
Files 文件
- d888a82701f47a2aa94dcddda392c07d (Dropper/APPX.LummaC2 2024.02.28.00) (Notion-x86.msix)
d888a82701f47a2aa94dcddda392c07d(滴管/APPX.LummaC2 2024.02.28.00) (概念-x86.msix) - 3cdc99c2649d1d95fe7768ccfd4f1dd5 (Downloader/PowerShell.Obfus 2024.02.28.00) (refresh.ps1)
3cdc99c2649d1d95fe7768ccfd4f1dd5 (下载器/PowerShell.Obfus 2024.02.28.00) (刷新.ps1) - 8a3a10fcb3f67c01cd313a39ab360a80 (Trojan/Win.Generic.C5557471 2024.02.27.01) (dat1)
8a3a10fcb3f67c01cd313a39ab360a80 (Trojan/Win.Generic.C5557471 2024.02.27.01) (dat1)
C2
- hxxps://ads-tooth[.]top/check.php (refresh.ps1)
hxxps://ads-tooth[.]顶部/check.php (刷新.ps1) - hxxps://fleetcontents[.]com/1.dat (check.php)
hxxps://fleetcontents[.]com/1.dat (check.php) - hxxps://problemregardybuiwo[.]fun/api (LummaC2)
hxxps://problemregardybuiwo[.]fun/api (LummaC2) - hxxps://technologyenterdo[.]shop/api (LummaC2)
hxxps://technologyenterdo[.]商店/api (LummaC2) - hxxps://lighterepisodeheighte[.]fun/api (LummaC2)
hxxps://lighterepisodeheighte[.]fun/api (LummaC2) - hxxps://detectordiscusser[.]shop/api (LummaC2)
hxxps://detectordiscusser[.]商店/api (LummaC2) - hxxps://edurestunningcrackyow[.]fun/api (LummaC2)
hxxps://edurestunningcrackyow[.]fun/api (LummaC2) - hxxps://pooreveningfuseor[.]pw/api (LummaC2)
hxxps://pooreveningfuseor[.]pw/api (LummaC2) - hxxps://turkeyunlikelyofw[.]shop/api (LummaC2)
hxxps://turkeyunlikelyofw[.]商店/api (LummaC2) - hxxps://associationokeo[.]shop/api (LummaC2)
hxxps://associationokeo[.]商店/api (LummaC2)
原文始发于ASEC:Distribution of MSIX Malware Disguised as Notion Installer
转载请注明:Distribution of MSIX Malware Disguised as Notion Installer | CTF导航
相关文章
