
Lampion malware makes comeback in a spate of WeTransfer phishing attacks

Lampion malware has been spreading in higher numbers as of late. Threat actors exploit WeTransfer as part of their phishing campaigns.

WeTransfer is a free, genuine file-sharing site. For some criminals, the solution provides a no-cost technique to get around security software that detects URLs in emails.

According to security company Cofense, Lampion malware operators are sending phishing emails from hacked business accounts, urging recipients to download a ‘Proof of Payment’ file from WeTransfer. The file is a ZIP archive containing a VBS (Visual Basic Script) file that the victim must run for the attack to begin.

How it compromises machines

When executed, the script starts a WScript process that generates four VBS files using random names. The first is blank, the second has little use and the third solely serves to run the fourth script.

It’s not entirely clear why the cybercriminals perform the additional step, but according to Cofense experts, modular execution options are often favored for their adaptability, allowing for quick file swaps.

The fourth script starts a new WScript process that connects to two hardcoded URLs and retrieves two DLL files hidden inside password-protected ZIP archives. Both URLs point to Amazon AWS instances. The ZIP passwords are hardcoded in the script, so the archives are extracted without any user interaction.
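The chain described above (WScript launching further WScript stages, helper scripts with generated names, payload ZIPs fetched from AWS) gives a defender several observable points in endpoint telemetry. The following is an added example, not code from Cofense or the original article: a small Python heuristic run over constructed, Sysmon-like process and network events. The field names, the `amazonaws.com` suffix check and the random-name thresholds are assumptions to tune for your own environment.

```python
import math
import re
from collections import Counter
VBS_STEM = re.compile(r"([A-Za-z0-9_-]+)\.vbs\b", re.IGNORECASE)  # ...\Temp\k3q9zx7vm2.vbs -> k3q9zx7vm2

def name_entropy(stem: str) -> float:
    n = len(stem)  # Shannon entropy in bits per character; generated names score high
    return -sum(c / n * math.log2(c / n) for c in Counter(stem.lower()).values())

def looks_random(stem: str) -> bool:
    """Assumed shape of a generated name: 8+ chars mixing letters and digits,
    entropy >= 3 bits/char. Tune against your own script naming conventions."""
    mixed = any(ch.isalpha() for ch in stem) and any(ch.isdigit() for ch in stem)
    return len(stem) >= 8 and mixed and name_entropy(stem) >= 3.0

def classify_event(ev: dict) -> list:
    """Indicators a single wscript.exe event matches (empty list = no hit)."""
    hits = []
    if not ev.get("Image", "").lower().endswith("wscript.exe"):
        return hits
    if ev.get("EventType") == "ProcessCreate":
        if ev.get("ParentImage", "").lower().endswith("wscript.exe"):
            hits.append("wscript-spawns-wscript")  # one script stage launching the next
        m = VBS_STEM.search(ev.get("CommandLine", ""))
        if m and looks_random(m.group(1)):
            hits.append("random-named-vbs")  # dropped helper script with generated name
    elif ev.get("EventType") == "NetworkConnect":
        if ev.get("DestinationHostname", "").lower().endswith("amazonaws.com"):
            hits.append("wscript-to-aws")  # payload ZIPs fetched from AWS-hosted URLs
    return hits

def detect_chain(events: list) -> dict:
    """Aggregate indicators over one host's events; two or more distinct indicators together are reported as the loader chain."""
    indicators = set()
    for ev in events:
        indicators.update(classify_event(ev))
    return {"indicators": sorted(indicators), "suspicious": len(indicators) >= 2}

WSCRIPT = r"C:\Windows\System32\wscript.exe"
SAMPLE_EVENTS = [  # constructed, Sysmon-like events, not real telemetry
    {"EventType": "ProcessCreate", "Image": WSCRIPT, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\Downloads\ProofOfPayment.vbs"'},
    {"EventType": "ProcessCreate", "Image": WSCRIPT, "ParentImage": WSCRIPT,
     "CommandLine": r"wscript.exe C:\Users\u\AppData\Local\Temp\k3q9zx7vm2.vbs"},
    {"EventType": "NetworkConnect", "Image": WSCRIPT,
     "DestinationHostname": "example-instance.compute-1.amazonaws.com"},
    {"EventType": "ProcessCreate", "Image": WSCRIPT, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe C:\Scripts\inventory.vbs"},
]
```

The first sample event shows why entropy alone is not enough: a long human-readable name such as `ProofOfPayment` also scores high, so the letters-plus-digits requirement keeps it out of the random-name indicator.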

Users should beware of unsolicited emails

Lampion can run discreetly on compromised systems because the DLL payloads are injected directly into memory. The malware then starts stealing data from the machine, targeting bank accounts by retrieving web injects from the C2 server and overlaying its own login forms on legitimate login pages.

When users enter their credentials into these bogus login forms, the credentials are captured and transmitted to the attacker. The Lampion malware has been active since at least 2019, mainly targeting Spanish-speaking victims and hosting its malicious ZIP files on hacked sites.

According to Cofense’s recent analysis, Lampion remains an active and stealthy threat, and users should be wary of unsolicited emails requesting file downloads, even when the download is hosted by a reputable cloud provider.