File-sharing service WeTransfer abused in a phishing campaign

September 13, 2022

Threat actors have been observed abusing the WeTransfer file-sharing service to distribute the Lampion malware in phishing campaigns.

Because WeTransfer is a free and easy-to-use file-sharing service, hosting the payload there lets threat actors deliver it while evading email security controls that would flag a direct attachment. In this campaign, the phishing emails carrying the Lampion lure were sent from previously compromised company accounts.

The emails urged recipients to download a “proof of payment” file from WeTransfer.

When a target follows the link and downloads the file, they receive a ZIP archive containing a VBS file that starts the attack. Running that VBS file launches a WScript process, which in turn creates another set of VBS files.

Of the four new VBS files, the first is empty and the second plays only a minor role; the third is what executes the fourth. The fourth script carries the core of the attack: its sequence of actions ultimately launches the Lampion malware on the victim’s system.
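The script chain described above (ZIP, then a VBS file, then WScript spawning further VBS files) leaves a recognisable trace in process-creation telemetry. The following is an added example, not code from the article or from any vendor’s tooling: it runs two simple checks over constructed, Sysmon-like process-creation events. The field names, sample events, paths and PIDs are assumptions made for illustration, and the sample log is constructed, not real telemetry.

```python
"""Flag a Lampion-style VBS chain in process-creation logs.

Added example, not from the original article. The event format is a
constructed, Sysmon-like JSON-lines subset (assumed field names:
pid, ppid, image, cmd); the sample events below are constructed.
"""
import json
import re
from typing import Dict, List

# Windows script hosts that execute .vbs files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Script file extensions passed on the command line.
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)

# Paths a user (and therefore a downloaded ZIP) can write to.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop|Documents)\\|\\Temp\\",
    re.IGNORECASE,
)

# Constructed sample events (assumption: not real telemetry). Backslashes are
# JSON-escaped; the string is raw so Python leaves them for the JSON parser.
SAMPLE_EVENTS = r"""
{"pid": 1200, "ppid": 800, "image": "C:\\Windows\\explorer.exe", "cmd": "C:\\Windows\\explorer.exe"}
{"pid": 4210, "ppid": 1200, "image": "C:\\Windows\\System32\\wscript.exe", "cmd": "\"C:\\Windows\\System32\\wscript.exe\" \"C:\\Users\\bob\\Downloads\\proof_of_payment\\proof_of_payment.vbs\""}
{"pid": 4333, "ppid": 4210, "image": "C:\\Windows\\System32\\wscript.exe", "cmd": "wscript.exe C:\\Users\\bob\\AppData\\Local\\Temp\\4.vbs"}
{"pid": 5001, "ppid": 1200, "image": "C:\\Windows\\System32\\wscript.exe", "cmd": "wscript.exe C:\\ProgramData\\Vendor\\inventory.vbs"}
{"pid": 5100, "ppid": 1200, "image": "C:\\Windows\\System32\\notepad.exe", "cmd": "notepad.exe C:\\Users\\bob\\Downloads\\notes.txt"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse JSON-lines process-creation events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_script_host(event: Dict) -> bool:
    return basename(event["image"]) in SCRIPT_HOSTS


def analyse(events: List[Dict]) -> List[Dict]:
    """Return one finding per suspicious script-host process.

    Check 1: a script host runs a script from a user-writable path
             (where an extracted ZIP would land).
    Check 2: a script host is the child of another script host, i.e. the
             VBS-spawns-VBS pattern from the chain described above.
    Assumption: PIDs are not reused within the analysed window.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not is_script_host(e):
            continue
        reasons = []
        if SCRIPT_EXT.search(e["cmd"]) and USER_WRITABLE.search(e["cmd"]):
            reasons.append("script host running a script from a user-writable path")
        parent = by_pid.get(e["ppid"])
        if parent is not None and is_script_host(parent):
            reasons.append("script host spawned by another script host (VBS-to-VBS chain)")
        if reasons:
            findings.append({"pid": e["pid"], "cmd": e["cmd"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(parse_events(SAMPLE_EVENTS)):
        print(f["pid"], "|", f["cmd"])
        for r in f["reasons"]:
            print("   -", r)
```

On the constructed sample this flags the wscript.exe launched from the Downloads folder and the second wscript.exe it spawned from a Temp directory, while the vendor script under ProgramData and the notepad.exe event are left alone. Either check on its own is noisy in a real estate; the combination (user-writable script path plus a script host parented by a script host) is what makes the chain stand out.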

Once running, Lampion steals sensitive data from the victim’s computer, with banking accounts as its main target, which leads researchers to believe the campaign is financially motivated. It also fetches web injects from the operators’ command-and-control (C2) server and overlays fake login forms on banking platforms’ login pages; credentials entered into these forms are sent to the C2 server for the attackers to collect.

Lampion was first detected in 2019, when it targeted Spanish-based victims using compromised servers to host malicious ZIP files. Its operators have also abused cloud platforms such as Google Drive and pCloud to host the malware.

Malware distribution through legitimate services has increased in 2022, and researchers have observed similar tactics in campaigns linked to the Bazar and LockBit threat groups. Although Lampion’s operators remain unidentified, they appear capable: each upgrade to the payload makes it harder to analyse.

Lampion remains an active threat, so users are warned not to download attachments or linked files from suspicious emails. Recognising a phishing email at first glance is key to avoiding compromise.
