If you receive an email from an unknown sender sharing a WeTransfer “Proof of Payment” document, be careful: it is most likely malware.
Cybersecurity researchers at Cofense have discovered that threat actors are now spreading the Lampion malware in larger quantities in this way.
Lampion is a well-known banking trojan that steals sensitive data such as banking credentials and passwords. It does this by overlaying the login forms of targeted sites with its own fake forms and sending whatever the victim types into them to its command-and-control servers.
What makes this campaign more dangerous than similar ones is the use of WeTransfer, a legitimate file-transfer service, which makes it hard for email security systems to flag the shared link as malicious. Nor is it the only legitimate service the crooks abuse: they also use Amazon Web Services (AWS), as follows.
When the victim downloads the shared file, they get a ZIP archive containing a Visual Basic Script (VBScript, .vbs) file. Once the victim runs the script, it connects to an AWS instance and downloads two DLL files, each inside a password-protected ZIP archive. The DLLs are then loaded into memory automatically, with no further user interaction, and Lampion goes to work.
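The check a mail gateway or analyst would want against the chain just described, as an added example that is not code from Cofense, WeTransfer or this article: the Python script below opens a ZIP attachment, flags script droppers and native binaries, recurses into nested archives, and reports members whose ZIP header marks them encrypted, since a password-protected payload archive cannot be inspected without the password. The sample archive it builds is constructed from placeholder bytes, and the extension lists, depth limit and verdict names are assumptions, not a published policy.

```python
"""Scan a ZIP email attachment for the Lampion-style delivery pattern: a script
dropper inside the archive, nested archives, and encrypted members a gateway
cannot inspect. Added example; the sample archive is constructed, not a real lure."""
import io
import zipfile

# Extensions Windows will execute on double-click (assumed policy, not a published list).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd"}
NATIVE_EXTENSIONS = {".dll", ".exe", ".scr"}
ZIP_EXTENSIONS = {".zip"}
MAX_DEPTH = 3           # levels of archive-in-archive nesting we are willing to open
ENCRYPTED_FLAG = 0x1    # general purpose bit 0 of a ZIP entry header = entry is encrypted


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def scan_zip_bytes(data: bytes, depth: int = 0, prefix: str = "") -> list[tuple[str, str]]:
    """Walk an archive (recursively) and return (finding, member_path) pairs."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("not_a_zip", prefix or "<root>")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{prefix}/{info.filename}" if prefix else info.filename
            if info.flag_bits & ENCRYPTED_FLAG:
                # Password-protected: content cannot be inspected, so record that fact.
                findings.append(("encrypted_member", member))
                continue
            ext = _ext(info.filename)
            if ext in SCRIPT_EXTENSIONS:
                findings.append(("script_member", member))
            elif ext in NATIVE_EXTENSIONS:
                findings.append(("native_member", member))
            elif ext in ZIP_EXTENSIONS:
                if depth + 1 > MAX_DEPTH:
                    findings.append(("nesting_too_deep", member))
                else:
                    findings.extend(scan_zip_bytes(zf.read(info), depth + 1, member))
    return findings


def verdict(findings) -> str:
    """Map findings to an action a mail gateway could take (assumed names)."""
    kinds = {kind for kind, _ in findings}
    if kinds & {"script_member", "native_member"}:
        return "block"
    if kinds & {"encrypted_member", "nesting_too_deep", "not_a_zip"}:
        return "quarantine"
    return "allow"


def build_sample_lure() -> bytes:
    """Constructed stand-in for the lure: an outer ZIP holding a VBS dropper and a
    nested ZIP whose DLL member carries the 'encrypted' flag, as the password-
    protected payload archives would. Placeholder bytes only, nothing executable."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("payload.dll", b"MZ placeholder, not a real DLL")
        # zipfile cannot write encrypted entries; set the flag on the entry so the
        # central directory written on close marks it encrypted, as a scanner would see it.
        z.getinfo("payload.dll").flag_bits |= ENCRYPTED_FLAG
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Proof of Payment.vbs", "' placeholder dropper, does nothing\r\n")
        z.writestr("stage2.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    found = scan_zip_bytes(build_sample_lure())
    for kind, member in found:
        print(f"{kind:18} {member}")
    print("verdict:", verdict(found))
```

Run stand-alone it reports the VBS dropper and the encrypted DLL inside the nested archive and returns a "block" verdict. The point of treating encrypted members as a finding in their own right is that an archive a scanner cannot open should never be treated as clean; in the chain described above, that is exactly where the payload DLLs sit.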
Lampion has been in use since 2019. It started out targeting Spanish-speaking users and has since gone international. Researchers say its distribution accelerated this year, and some have identified a hostname it shares with the Bazaar and LockBit operations.
Email remains one of the most effective ways to spread malware, including ransomware, even though email security tools have improved over the years. Threat actors can now use any number of free cloud services, such as file-hosting providers and calendar organizers, to get past security controls and deliver malicious code to endpoints around the world.
Via: BleepingComputer