In a new phishing campaign unearthed by Cofense researchers, the Lampion malware is being distributed massively, with hackers exploiting WeTransfer as part of their campaign.
WeTransfer is an internet-based computer file transfer service that can be utilized free of cost, hence it's a no-cost way to circumvent security software that may not detect URLs in emails.
The malware authors are sending phishing emails from exploited firm accounts requesting customers to download a "Proof of Payment" document from WeTransfer.
The file sent to the targets is a ZIP archive containing a VBS (Virtual Basic script) file that the user must open in order for the attack to begin. Upon clicking on the file, the script launches a WScript process that manufactures four VBS files with random names. The first is empty, the second has limited functionality, and the third's sole motive is to launch the fourth script.
According to Cofense researchers, this extra step is unclear, but modular execution approaches are typically preferred for their versatility, allowing easy file swaps.
The fourth script initiates a new WScript process that links to two hardcoded URLs to retrieve two DLL files concealed inside password-protected ZIPs. The malicious links lead to Amazon AWS instances.
The ZIP file password is concealed in the script, so the archives are extracted without user communication. The contained DLL payloads are loaded into memory, allowing Lampion to be stealthily executed on compromised systems.
Subsequently, the malware initiates extracting data from the computer, and bank accounts, and overlaying its own login forms on login pages. These fake bogus forms are stolen and sent to the hacker when users enter their credentials.
The Lampion trojan has been active since at least 2019, primarily targeting Spanish-speaking users and employing exploited servers to deploy its malicious ZIPs.
Last year, the malware was identified exploiting cloud services for hosting the malware for the first time, including Google Drive and pCloud. Recently, in March 2022, Cyware reported an increase in trojan distribution, identifying a hostname link to Bazaar and LockBit operations.
Prevention Tips
Researchers advised users to apply the following mitigations to defend against malware attacks:
- Update software, including operating systems, applications, and firmware frequently
- Install OS patches when they are available
- Enforce MFA to the greatest extent possible
- If you use RDP and/or other potentially risky services, secure and monitor them closely
- Employ cryptographic vaults for data safety
