
Lampion malware spreading in greater numbers, with operators using WeTransfer in their phishing campaigns

Lampion malware has been spreading in greater numbers recently, with threat actors using WeTransfer as part of their phishing campaigns. WeTransfer is a legitimate, free file-sharing service, so it gives the attackers a no-cost hosting channel whose links are less likely to be flagged by email security software that judges URLs by reputation. According to Cofense, Lampion operators are sending phishing emails from compromised company accounts, urging recipients to download a “Proof of Payment” document from WeTransfer.

The file sent to the targets is a ZIP archive containing a VBS (Visual Basic Script) file that the victim must run for the attack to begin. When run, the script starts a WScript process that generates four VBS files with random names. The first is empty, the second has limited functionality, and the third serves only to launch the fourth script.

The purpose of this extra step is unclear, according to Cofense analysts, although modular execution chains are commonly favoured because they let operators swap out individual stages easily. The fourth script starts a new WScript process that connects to two hardcoded URLs to retrieve two DLL files hidden inside password-protected ZIP archives. The URLs point to Amazon AWS instances.

The ZIP password is hardcoded in the script, so the archives are extracted without any user interaction. The DLL payloads are then loaded into memory, which leaves fewer artefacts for file-based scanners and lets Lampion run stealthily on the compromised system.
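The execution chain described in the preceding paragraphs (a user-launched VBS that drops further scripts, a WScript process spawned by another WScript process, and a script host making outbound connections to fetch the stage-two archives) leaves process, file and network telemetry that an endpoint sensor can record. The following is an added example, not code from the article or from Cofense, of simple detection heuristics run over Sysmon-style events. The event dictionaries, process GUIDs, file names and the 203.0.113.10 destination are all constructed for illustration; the rule names are invented here.

```python
"""Heuristics for a script-host dropper chain, run over constructed Sysmon-style events."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)$", re.IGNORECASE)


def _name(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def analyse(events):
    """Return a list of (rule, process_guid, detail) findings.

    events: dicts with "EventType" of ProcessCreate, FileCreate or
    NetworkConnect plus Sysmon-like fields. ProcessGuid correlates them.
    """
    findings = []
    drops = defaultdict(list)  # ProcessGuid -> script files that process wrote

    for ev in events:
        if _name(ev["Image"]) not in SCRIPT_HOSTS:
            continue  # only script hosts are of interest for this chain
        guid = ev["ProcessGuid"]
        kind = ev["EventType"]

        if kind == "ProcessCreate":
            # Rule 1: a script host launched by another script host. Logon and
            # admin scripts are normally launched by explorer, a shell or a service.
            if _name(ev["ParentImage"]) in SCRIPT_HOSTS:
                findings.append(("script_host_chain", guid, ev["CommandLine"]))

        elif kind == "FileCreate":
            # Rule 2: a script host writing further script files to disk.
            target = ev["TargetFilename"]
            if SCRIPT_EXT.search(target):
                drops[guid].append(target)
                if len(drops[guid]) == 2:  # report once per process, at the 2nd drop
                    findings.append(("script_host_drops_scripts", guid, target))

        elif kind == "NetworkConnect":
            # Rule 3: a script host making an outbound connection, which is how
            # the second stage would be fetched.
            dest = f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'
            findings.append(("script_host_network", guid, dest))

    return findings


# Constructed sample telemetry (not real captures): one benign logon script
# and one chain shaped like the dropper described in the article.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ProcessGuid": "B1",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "\\fileserver\netlogon\logon.vbs"'},
    {"EventType": "ProcessCreate", "ProcessGuid": "S1",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\u\Downloads\ProofOfPayment.vbs"'},
    {"EventType": "FileCreate", "ProcessGuid": "S1", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\qhzt9a.vbs"},
    {"EventType": "FileCreate", "ProcessGuid": "S1", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\k3mxo0.vbs"},
    {"EventType": "FileCreate", "ProcessGuid": "S1", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\ve7p1s.vbs"},
    {"EventType": "FileCreate", "ProcessGuid": "S1", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\d2lqwn.vbs"},
    {"EventType": "ProcessCreate", "ProcessGuid": "S2",
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\u\AppData\Local\Temp\d2lqwn.vbs"},
    {"EventType": "NetworkConnect", "ProcessGuid": "S2",
     "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule, guid, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:28} {guid:4} {detail}")
```

On the sample data the benign logon script (B1) produces no findings, while the dropper chain is flagged three times: S1 for writing multiple scripts, S2 for being a WScript child of WScript, and S2 again for the outbound connection. In production each rule alone would be noisy; the value is in correlating them on the same host within a short window, and in enriching rule 3 with the destination so that cloud-hosted stage-two URLs can be reviewed.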

Lampion then starts stealing data from the computer, specifically targeting bank accounts: it retrieves web injects from its command-and-control (C2) server and overlays its own login forms on top of the banks’ login pages. Credentials entered into these fake forms are captured and sent to the attacker.

The Lampion trojan has been active since at least 2019, primarily targeting Spanish-speaking users and initially hosting its malicious ZIP files on compromised servers. It was first seen using cloud services to host malware in 2021, including Google Drive and pCloud. Cyware recently reported an increase in distribution of the trojan, identifying a hostname linking it to Bazaar and LockBit operations.

According to Cyware, Lampion’s authors have been actively making their malware harder to analyse by adding further obfuscation layers and junk code. Cofense’s latest report concludes that Lampion remains an active and stealthy threat, and that users should be wary of unsolicited emails requesting file downloads, even when the files are hosted on legitimate cloud services.
