Distribution of SectopRAT (ArechClient2) Disguised as Notion Installer
Notion is a widely used collaboration tool for managing and documenting projects. Popular programs like this are attractive to threat actors, who set up web pages that appear to offer the legitimate program but actually serve malware.
Users who search for such programs on search engines such as Google can land on these pages and download malware instead. AhnLab SEcurity intelligence Center (ASEC) previously covered a case of LummaC2 distributed under the guise of Notion in the blog post “Distribution of MSIX Malware Disguised as Notion Installer.”
1. Disguised as Notion Installer
ASEC recently identified another attack case disguised as a Notion download. In this case, SectopRAT was delivered alongside LummaC2. Accessing “hxxps://notlon[.]be/Notion 4.3.4.exe” (currently unavailable) downloaded the malware. At first glance the URL appears to contain the string “notion”, but the threat actor substituted a lowercase “l” for the “i” so that users would believe they were on a legitimate Notion page.
In addition to the legitimate Notion files, the installer bundles a DLL that acts as a downloader. When the installer runs, the malicious DLL is written to disk along with the other files, loaded by the installer, and executed. The DLL then connects to the C&C server and downloads additional payloads.
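The “l” for “i” swap is easy to miss by eye but easy to check by machine. The Python below is an added example (not code from the ASEC post): it folds common look-alike characters in a hostname's registrable label and compares the result against a brand list, so “notlon” and “notion” compare equal. Only the host notlon[.]be comes from the post; the brand list, the allowlist of official hosts, and the other sample URLs are assumptions for illustration.

```python
"""Flag hostnames that impersonate a brand through look-alike characters.

Added example: not code from the ASEC post. Only "notlon[.]be" comes from
the post; the brand list, the official-host allowlist and the other sample
hostnames are constructed for illustration.
"""
from urllib.parse import urlsplit

# Look-alike substitutions seen in typosquats, folded onto a canonical form
# so that "notlon" and "notion" compare equal. Multi-character keys are
# applied first so "rn" becomes "m" before single characters are mapped.
HOMOGLYPHS = {
    "rn": "m", "vv": "w",
    "l": "i", "1": "i", "|": "i", "í": "i", "ï": "i",
    "0": "o", "ο": "o", "о": "o",            # digit zero, Greek omicron, Cyrillic o
    "а": "a", "е": "e", "с": "c", "р": "p",  # Cyrillic letters that look Latin
}

BRANDS = {"notion"}             # assumption: brands worth protecting
OFFICIAL_HOSTS = {"notion.so"}  # assumption: the vendor's real domain


def canonical(label: str) -> str:
    """Lower-case a DNS label and fold look-alike characters."""
    s = label.lower()
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to also catch one-character typos after folding."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """The label left of the TLD. Assumes a single-label public suffix
    (notion.so, notlon.be); a production check should use the Public Suffix List."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def refang(url: str) -> str:
    """Undo the usual hxxp / [.] defanging used in threat reports."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def classify_host(host: str, brands=BRANDS, allowlist=OFFICIAL_HOSTS) -> str:
    """Return 'official', 'lookalike:<brand>' or 'unrelated' for a hostname."""
    host = host.lower().strip(".")
    if host in allowlist or any(host.endswith("." + a) for a in allowlist):
        return "official"
    label = registrable_label(host)
    for brand in brands:
        target = canonical(brand)
        # Check each hyphen-separated token: the brand itself on a non-official
        # domain, a homoglyph swap, or a one-character typo all count as look-alikes.
        for token in canonical(label).split("-"):
            if token == target or levenshtein(token, target) <= 1:
                return f"lookalike:{brand}"
    return "unrelated"


def classify_url(url: str) -> str:
    host = urlsplit(refang(url)).hostname or ""
    return classify_host(host)


if __name__ == "__main__":
    samples = [                                   # constructed, except the first
        "hxxps://notlon[.]be/Notion 4.3.4.exe",   # from the post
        "https://www.notion.so/desktop",
        "https://n0tion-download.com/setup.exe",
        "https://github.com/",
    ]
    for url in samples:
        print(f"{classify_url(url):18} {url}")
```

The edit-distance step widens the net beyond homoglyphs but also flags ordinary words one character away from the brand (for example “motion” against “notion”), so treat a look-alike verdict as a triage signal for proxy or DNS logs rather than a blocking rule.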

Figure 1. DLL acting as a downloader
The malware installed through this process is typically named “decrypted.exe” and has mostly been the Infostealer LummaC2. In a recent case, however, SectopRAT was installed instead of LummaC2.

Figure 2. Process tree
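The process tree in Figure 2 is the kind of parent/child relationship a hunt query can key on. The Python below is an added example (not code or tooling from the ASEC post): it reconstructs ancestry chains from process-creation records in the style of Sysmon Event ID 1 and flags a process named “decrypted.exe” whose ancestors include a Notion-named installer, rating a payload with no such ancestor as a weaker signal. The records, PIDs and paths are constructed for illustration; only the file names “Notion 4.3.4.exe” and “decrypted.exe” come from the post.

```python
"""Flag "decrypted.exe" spawned beneath a Notion-named installer.

Added example, not code or tooling from the ASEC post. The process records
below imitate Sysmon Event ID 1 fields and are constructed; only the names
"Notion 4.3.4.exe" and "decrypted.exe" come from the post.
"""
from pathlib import PureWindowsPath

PAYLOAD_NAME = "decrypted.exe"   # payload file name reported in the post
LURE_KEYWORD = "notion"          # assumption: the brand the installer mimics

# Constructed process-creation records (pid, parent pid, image path).
EVENTS = [
    {"pid": 860,  "ppid": 600,  "image": r"C:\Windows\explorer.exe"},
    # Malicious chain: fake installer runs the payload its DLL downloaded.
    {"pid": 4120, "ppid": 860,  "image": r"C:\Users\victim\Downloads\Notion 4.3.4.exe"},
    {"pid": 4788, "ppid": 4120, "image": r"C:\Users\victim\AppData\Local\Temp\decrypted.exe"},
    # Benign chain: a genuine installer launching the application it installed.
    {"pid": 5020, "ppid": 860,  "image": r"C:\Users\victim\Downloads\Notion Setup 3.1.0.exe"},
    {"pid": 5100, "ppid": 5020, "image": r"C:\Users\victim\AppData\Local\Programs\Notion\Notion.exe"},
    # Payload name without the lure in its ancestry: weaker signal.
    {"pid": 6000, "ppid": 860,  "image": r"C:\Users\victim\Downloads\decrypted.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path (works off-Windows too)."""
    return PureWindowsPath(path).name.lower()


def index_by_pid(events):
    return {ev["pid"]: ev for ev in events}


def ancestry(pid, by_pid):
    """Image names from the oldest known ancestor down to `pid`.
    Stops at unknown parents and guards against pid-reuse cycles."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def find_suspicious(events):
    """Return a hit for every process named PAYLOAD_NAME, rated 'high' when a
    LURE_KEYWORD-named ancestor sits above it and 'low' otherwise."""
    by_pid = index_by_pid(events)
    hits = []
    for ev in events:
        if basename(ev["image"]) != PAYLOAD_NAME:
            continue
        chain = ancestry(ev["pid"], by_pid)
        lured = any(LURE_KEYWORD in name for name in chain[:-1])
        hits.append({
            "pid": ev["pid"],
            "confidence": "high" if lured else "low",
            "chain": " > ".join(chain),
        })
    return sorted(hits, key=lambda h: h["pid"])


if __name__ == "__main__":
    for hit in find_suspicious(EVENTS):
        print(f"[{hit['confidence']}] pid {hit['pid']}: {hit['chain']}")
```

The benign install chain is not flagged because its leaf is Notion.exe, not the payload name. On real telemetry, key the index on ProcessGuid rather than the reusable PID, and pair this rule with image-load events from the installer process, since the post describes the downloader DLL being loaded by the installer before “decrypted.exe” ever appears.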
2. SectopRAT
SectopRAT, also known as ArechClient2, is a RAT that receives commands from the C&C server, performs malicious actions on the infected system, and exfiltrates information from it.

Figure 3. SectopRAT’s configuration data
One characteristic of SectopRAT is that it contains a routine similar to one in RedLine. RedLine is an Infostealer that steals web browser data, FTP, VPN, Telegram and Discord data, screenshots, and files from the infected system, and it can also execute commands sent from the C&C server. The similarity indicates that SectopRAT and RedLine are essentially not much different and share code.

Figure 4. A routine similar to that of RedLine
SectopRAT also exfiltrates passwords, cookies, and autofill data saved in web browsers, and it targets cryptocurrency wallet files. It communicates with the C&C server and executes the commands it receives.

Figure 5. Communicating with the C&C server
3. Conclusion
Cases of malware distributed under the guise of popular software such as Notion are increasing. Threat actors use such lures to install malware equipped with information theft and remote control features, stealing data and taking control of the infected system. When searching for programs via search engines, users should verify that the page is the official, legitimate homepage and that the download URL's domain is the vendor's real one, since a look-alike such as “notlon” is easy to miss. V3 should also be kept updated to the latest version to prevent malware infection.