  • Lampion malware returns in phishing attacks abusing WeTransfer

    alf9872000

    The Lampion malware is being distributed in greater volumes lately, with threat actors abusing WeTransfer as part of their phishing campaigns.

    WeTransfer is a legitimate file-sharing service that can be used free of charge. Because its domain is widely used for ordinary business, email security tools that rely on URL reputation are unlikely to flag links to it, so it gives the attackers a no-cost way past those controls.

    In a new campaign observed by email security firm Cofense, Lampion operators are sending phishing emails from compromised company accounts urging users to download a "Proof of Payment" document from WeTransfer.

    [Image: Spam mail with link to a WeTransfer download (Cofense)]

    The file the targets receive is a ZIP archive containing a VBS (Visual Basic Script) file that the victim needs to launch for the attack to begin.

    [Image: Contents of the malicious ZIP file (Cofense)]

    Upon execution, the script starts a WScript process that creates four VBS files with random names. The first is empty, the second has minimal functionality, and the third's only purpose is to launch the fourth.

    Cofense analysts note that the purpose of this extra step is unclear, but modular execution chains are typically preferred for their versatility, since individual stages can be swapped out without touching the rest.

    The fourth script launches a new WScript process that connects to two hardcoded URLs to fetch two DLL files hidden inside password-protected ZIP archives. The URLs point to Amazon Web Services (AWS) instances.

    [Image: URLs hosting the DLL payloads (Cofense)]

    The password for the ZIP archives is hardcoded in the script, so they are extracted without any further user interaction. The DLL payloads they contain are loaded into memory, which lets Lampion execute stealthily on the compromised system.

    From there, Lampion begins stealing data from the computer. It targets online banking by fetching web injects from its command-and-control (C2) server and overlaying its own login forms on the banks' login pages; the credentials users type into these fake forms are captured and sent to the attacker.
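    The delivery chain described above (a VBS launched from a user-writable path, a script host dropping several .vbs files, WScript spawning WScript, and the second WScript reaching out to AWS) maps directly onto process, file and network telemetry. The following is an added example, not code from Cofense or from the original article: heuristic detection logic in Python run over constructed Sysmon-style events. The event schema, field names, hostnames, file paths, indicator names and the alert threshold are all assumptions of this example.

```python
"""Heuristic detection of the Lampion delivery chain over constructed
Sysmon-style events. Added example: the event schema, field names, hosts
and paths are assumptions of this example, not real telemetry."""
import re
from collections import defaultdict

# Windows Script Host binaries at the end of an image path.
SCRIPT_HOST = re.compile(r"\\[wc]script\.exe$", re.IGNORECASE)
# User-writable locations where phishing payloads usually land or are dropped.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)|Windows\\Temp)\\",
    re.IGNORECASE)
VBS_ARG = re.compile(r"\.vbs\b", re.IGNORECASE)
AWS_HOST = re.compile(r"\.amazonaws\.com$", re.IGNORECASE)

WSCRIPT = r"C:\Windows\System32\wscript.exe"
TEMP = r"C:\Users\alice\AppData\Local\Temp"

# Constructed events. "id" mirrors Sysmon Event IDs (1 process create,
# 11 file create, 3 network connection); the other field names are our own.
SAMPLE_EVENTS = [
    # Victim launches the VBS extracted from the WeTransfer ZIP.
    {"id": 1, "host": "WS01", "pid": 4100, "image": WSCRIPT,
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Proof of Payment.vbs"'},
] + [
    # Four randomly named VBS files written to %TEMP% by that process.
    {"id": 11, "host": "WS01", "pid": 4100, "image": WSCRIPT,
     "target": TEMP + "\\" + name + ".vbs"}
    for name in ("x7f1a", "q2m9", "k0pz", "w44d")
] + [
    # The third script launches the fourth in a new WScript process.
    {"id": 1, "host": "WS01", "pid": 4188, "image": WSCRIPT,
     "parent_image": WSCRIPT,
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\w44d.vbs"'},
    # The fourth script fetches the password-protected ZIPs from AWS.
    {"id": 3, "host": "WS01", "pid": 4188, "image": WSCRIPT,
     "dest_host": "s3.eu-west-1.amazonaws.com", "dest_port": 443},
    # Benign baseline on another host: a logon script run from NETLOGON ...
    {"id": 1, "host": "WS02", "pid": 5000, "image": WSCRIPT,
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "cmdline": r'wscript.exe \\corp\netlogon\map_drives.vbs'},
    # ... and a browser talking to AWS, which is not a script host at all.
    {"id": 3, "host": "WS02", "pid": 5100,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "s3.amazonaws.com", "dest_port": 443},
]


def evaluate(events):
    """Return {host: sorted indicator names} for every host with at least one hit."""
    findings = defaultdict(set)
    vbs_drops = defaultdict(set)  # (host, pid) -> .vbs paths written by a script host
    for ev in events:
        if not SCRIPT_HOST.search(ev.get("image", "")):
            continue  # every indicator here concerns wscript/cscript activity
        host = ev["host"]
        if ev["id"] == 1:
            cmd = ev.get("cmdline", "")
            if VBS_ARG.search(cmd) and USER_WRITABLE.search(cmd):
                findings[host].add("vbs_from_user_writable_path")
            if SCRIPT_HOST.search(ev.get("parent_image", "")):
                findings[host].add("script_host_spawns_script_host")
        elif ev["id"] == 11:
            target = ev.get("target", "")
            if target.lower().endswith(".vbs") and USER_WRITABLE.search(target):
                vbs_drops[(host, ev["pid"])].add(target)
        elif ev["id"] == 3 and AWS_HOST.search(ev.get("dest_host", "")):
            findings[host].add("script_host_to_aws")
    for (host, _pid), paths in vbs_drops.items():
        if len(paths) >= 3:  # Cofense observed four; three is this example's threshold
            findings[host].add("script_host_drops_multiple_vbs")
    return {h: sorted(f) for h, f in findings.items()}


def alerts(events, threshold=3):
    """Hosts whose indicator count reaches the threshold; a single hit alone is noisy."""
    return sorted(h for h, f in evaluate(events).items() if len(f) >= threshold)


if __name__ == "__main__":
    for host, hits in evaluate(SAMPLE_EVENTS).items():
        print(host, hits)
    print("alert:", alerts(SAMPLE_EVENTS))
```

    Each indicator on its own is common in enterprise environments (logon scripts run under wscript.exe, and plenty of legitimate software talks to AWS), which is why the example only alerts when several of them coincide on one host; the thresholds are a starting point to tune against your own baseline, not values from the Cofense report.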

    Lampion revitalized

    The Lampion trojan has been around since at least 2019, focusing mainly on Spanish-speaking targets and using compromised servers to host its malicious ZIPs.

    In 2021, Lampion was seen abusing cloud services to host the malware for the first time, including Google Drive and pCloud.

    More recently, in March 2022, Cyware reported an uptick in the trojan's distribution and identified a hostname linked to the Bazaar and LockBit operations.

    Cyware also reported that Lampion's authors were actively trying to make their malware harder to analyze by adding more obfuscation layers and junk code.

    Cofense's latest report indicates that Lampion is an active and stealthy threat, and users should be cautious with unsolicited emails asking them to download files, even from legitimate cloud services.

    Source: Bleeping Computer
