Watch out – that WeTransfer link could be a phishing scam

If you get an email from an unknown person, sharing a “Proof of Payment” document from WeTransfer, be careful as it’s most likely malware

Cybersecurity researchers from Cofense have found threat actors are now distributing the Lampion malware this way in greater volume. 

Lampion is a known trojan, capable of stealing sensitive data, such as banking information, passwords, and similar. It does so by overlaying known login forms with its own, and then sending out the submitted data to its command & control servers. 

Lampion distribution

What makes this campaign more dangerous than other, similar campaigns, is the use of WeTransfer. This is a legitimate file transfer service, making it extremely difficult for email security systems to flag it as malicious. What’s more, this is not the only legitimate service the crooks are abusing – they’re also leveraging Amazon Web Services (AWS), and here’s how.

When a victim receives the email, and if they download the file, they’ll get a ZIP archive with a Virtual Basic Script (VBS) inside. The script, if run, connects to an AWS instance, and grabs two DLL files, also in protected ZIP archives. These DLLs, when activated (which is done automatically and with no user interaction whatsoever), are loaded into memory and allow Lampion to operate. 

Lampion is a known trojan, that’s been used since 2019 Starting as malware targeting the Spanish-speaking community first, it has since gone international. This year, researchers said its distribution picked up pace, with some identifying a hostname link to Bazaar and LockBit. 

Email is still one of the best ways to distribute viruses, malware, or ransomware, despite the fact that email protection tools have gotten better over the years. Today, threat actors can leverage a number of free cloud tools, such as hosting providers, calendar organizers, and similar, to bypass security measures and distribute malicious code to endpoints around the world. 

These are the best firewalls right now

Via: BleepingComputer

Related posts

Leave a Comment