Daily Tech News, Interviews, Reviews and Updates

Lampion malware spreading in greater numbers, using WeTransfer as part of their phishing campaigns

Security
By Anusha Sawhney

Lampion malware has been spreading in greater numbers recently, with threat actors using WeTransfer as part of their phishing campaigns. WeTransfer is a legitimate file-sharing service that is free to use, so it’s a no-cost way to get around security software that may not detect URLs in emails. According to Cofense, Lampion operators are sending phishing emails from compromised company accounts, urging users to download a “Proof of Payment” document from WeTransfer.

The file sent to the targets is a ZIP archive containing a VBS (Virtual Basic script) file that the victim must run in order for the attack to begin. When run, the script starts a WScript process that generates four VBS files with random names. The first is empty, the second has limited functionality, and the third serves only to launch the fourth script.

This extra step is unclear, according to Cofense analysts, but modular execution approaches are typically preferred for their versatility, allowing for easy file swaps. The fourth script starts a new WScript process that connects to two hardcoded URLs to retrieve two DLL files that are hidden inside password-protected ZIPs. The links lead to Amazon AWS instances.

The ZIP file password is hardcoded in the script, so the archives are extracted without user interaction. Lampion can be executed stealthily on compromised systems because the DLL payloads are loaded into memory.

Lampion then starts stealing data from the computer, specifically targeting bank accounts by retrieving injections from the C2 and overlaying its own login forms on login pages. These fake login forms are stolen and sent to the attacker when users enter their credentials.

The Lampion trojan has been active since at least 2019, primarily targeting Spanish-speaking targets and hosting malicious ZIP files on compromised servers. Lampion was first seen using cloud services to host malware in 2021, including Google Drive and pCloud. Cyware recently reported an increase in trojan distribution, identifying a hostname link to Bazaar and LockBit operations.

According to Cyware, Lampion’s authors were actively attempting to make their malware more difficult to analyze by adding more obfuscation layers and junk code. According to Cofense’s latest report, Lampion is an active and stealthy threat, and users should be wary of unsolicited emails requesting file downloads, even from legitimate cloud services.

 

Readers like you help support The Tech Outlook. When you make a purchase using links on our site, we may earn an affiliate commission. We cannot guarantee the Product information shown is 100% accurate and we advise you to check the product listing on the original manufacturer website. Thetechoutlook is not responsible for price changes carried out by retailers. The discounted price or deal mentioned in this item was available at the time of writing and may be subject to time restrictions and/or limited unit availability. Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates Read More
Anusha Sawhney 214 posts

She is currently pursuing Bachelor of Journalism and Mass Communication from Vivekananda Institute of Professional Studies.
She is a passionate dancer and a part of the 3.14 Dance crew. She is an inquisitive student searching to work in a competitive environment
which can help gain knowledge, and experience and develop new skills.

You might also like
Security

[Update- resolved]Motorola’s X Handle Falls Victim to Crypto Phishing Scam

Apps

Google Officially Rolls Out New Safety Features In Chrome

Security

macOS Security at Risk: Cthulhu Stealer Malware Targets Apple Users

Crypto

McDonald’s Instagram Account hacked, resulting in a $7,00,000 Cryptocurrency Scam

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More