Operators of the Lampion malware are using the free file-sharing service WeTransfer to deliver their phishing payloads. Hosting the lure on a legitimate, widely used service makes the link less likely to trip URL-reputation filters and more likely to be trusted by the recipient, who is simply asked to download a file from a platform they already know.
Lampion has been around since at least 2019 and is distributed through emails carrying a link that downloads a ZIP archive containing the malicious files. It is a banking Trojan: its operators built it to steal credentials and other information for online banking portals from the victim's device and to carry out fraudulent transactions.
How the Phishing Campaign Works
In this new campaign, described by Cofense, the phishing emails push the recipient to follow a WeTransfer link and download a "Proof of Payment" document from the platform. What is actually downloaded is the ZIP archive containing the script.
The infection begins once the user runs the script file from the archive: a WScript process starts and drops four additional VBS files with random names.
One of these launches the fourth script in yet another WScript process, which retrieves DLL files packed inside ZIP archives protected with hard-coded passwords, so that the payload cannot be inspected in transit.
Finally, Lampion runs quietly on the compromised system and begins stealing data with techniques such as overlay attacks (a fake window drawn over the legitimate banking page to capture what the victim types) and injections.
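The chain above leaves a distinctive trace in endpoint telemetry: a script host started from a user-writable folder, several random-named VBS files written by that process, and wscript.exe spawning wscript.exe. The following detection logic is an added example, not code from the article or from Cofense; the event records are constructed to resemble Sysmon process-create and file-create fields, and every path, PID and file name in them is invented for illustration.

```python
"""Detection logic for the WScript chain described above. Added example, not
code from the article or from Cofense. The records in EVENTS are constructed
to look like Sysmon process-create (type "process") and file-create (type
"file") events; every path, PID and file name is invented."""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# User-writable locations a mailed archive is typically extracted to.
USER_DIRS = re.compile(r"\\(Temp|Downloads|AppData)\\", re.IGNORECASE)
# Heuristic for dropper-generated names: a long run of letters/digits, no spaces or dashes.
RANDOM_STEM = re.compile(r"[A-Za-z0-9]{8,}")
# First script-like argument on a command line, quoted or bare.
SCRIPT_ARG = re.compile(r'"([^"]+?\.(?:vbs|vbe|js|jse|wsf))"|(\S+\.(?:vbs|vbe|js|jse|wsf))\b',
                        re.IGNORECASE)

WSCRIPT = r"C:\Windows\System32\wscript.exe"
EXPLORER = r"C:\Windows\explorer.exe"
TEMP = r"C:\Users\alice\AppData\Local\Temp"

# Constructed telemetry (not real logs).
EVENTS = [
    # Benign: a logon script run from the domain NETLOGON share.
    {"type": "process", "pid": 3001, "ppid": 2210, "image": WSCRIPT, "parent_image": EXPLORER,
     "cmd": r'wscript.exe "\\corp.example\netlogon\logon.vbs"'},
    # Stage 1: the user runs the script extracted from the WeTransfer ZIP.
    {"type": "process", "pid": 4120, "ppid": 2210, "image": WSCRIPT, "parent_image": EXPLORER,
     "cmd": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Proof of Payment.vbs"'},
    # Stage 2: that process writes four random-named VBS files into %TEMP%.
    *[{"type": "file", "pid": 4120, "image": WSCRIPT, "target": TEMP + "\\" + n + ".vbs"}
      for n in ("Xk8q2Lp9Vt", "Q7mN2bHz4e", "Rt5yU1oPa3", "Zb9cD4fGh2")],
    # Stage 3: the dropper launches one of them, so wscript spawns wscript.
    {"type": "process", "pid": 4388, "ppid": 4120, "image": WSCRIPT, "parent_image": WSCRIPT,
     "cmd": r'wscript.exe "' + TEMP + r'\Q7mN2bHz4e.vbs"'},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def script_arg(cmd: str):
    """Path of the script a script host was told to run, or None."""
    m = SCRIPT_ARG.search(cmd)
    return (m.group(1) or m.group(2)) if m else None


def analyze(events):
    """Return (rule, pid, detail) tuples for every rule that fires."""
    findings = []
    vbs_drops = defaultdict(list)  # pid -> .vbs files it created
    for ev in events:
        if basename(ev["image"]) not in SCRIPT_HOSTS:
            continue
        if ev["type"] == "process":
            script = script_arg(ev["cmd"])
            if script and USER_DIRS.search(script):
                findings.append(("script_host_from_user_dir", ev["pid"], script))
            if basename(ev.get("parent_image", "")) in SCRIPT_HOSTS:
                findings.append(("script_host_spawns_script_host", ev["pid"], ev["ppid"]))
        elif ev["type"] == "file" and ev["target"].lower().endswith(".vbs"):
            vbs_drops[ev["pid"]].append(ev["target"])
    for pid, paths in vbs_drops.items():
        random_named = [p for p in paths if RANDOM_STEM.fullmatch(basename(p)[:-4])]
        if len(random_named) >= 3:
            findings.append(("mass_random_vbs_drop", pid, len(random_named)))
    return findings


def flagged_pids(events):
    return sorted({pid for _, pid, _ in analyze(events)})


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule:32} pid={pid} {detail}")
```

The benign NETLOGON logon script is deliberately included: it is also wscript.exe, but it is launched by explorer.exe from a network share and drops nothing, so none of the three rules fire on it. Tune USER_DIRS and the random-name threshold to your environment before alerting on the first rule alone; the second and third are far rarer in normal use.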
How to Protect Yourself
- Run up-to-date antivirus or EDR software and scan downloaded archives before opening them.
- Keep sensitive data out of reach, and encrypt it where you can.
- Treat unexpected file-transfer notices as suspicious even when they come from a well-known service such as WeTransfer: confirm with the sender through another channel before opening the download, and never run script files (.vbs, .js) that arrive inside an archive.
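The last point can be enforced at a mail gateway or on the endpoint rather than left to the user. The script below is an added example, not code from the article: it builds two archives in memory with invented names and contents (one mimicking the lure, a script posing as a PDF next to a DLL; one clean) and flags entries that should never be opened from a mailed ZIP: script-host extensions, native executables, a decoy document extension in front of the real one, a PE "MZ" header regardless of the name, and password-protected entries that a scanner cannot look inside.

```python
"""Archive triage for the lure described above: inspect a downloaded ZIP
before anyone extracts or runs anything from it. Added example, not code from
the article; both archives are built in memory with invented names and data."""
import io
import zipfile

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd"}
NATIVE_EXTS = {".exe", ".dll", ".scr"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}
FLAG_ENCRYPTED = 0x1  # ZIP general-purpose bit 0: entry needs a password


def build_lure_archive() -> bytes:
    """Constructed stand-in for the mailed ZIP: a VBS posing as a PDF plus a DLL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Proof of Payment.pdf.vbs", 'Set sh = CreateObject("WScript.Shell")\r\n')
        zf.writestr("loader.dll", b"MZ" + b"\x00" * 62)  # MZ header marks a PE image
        zf.writestr("readme.txt", b"see attached\n")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed benign archive: a single real-looking PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice-2023-04.pdf", b"%PDF-1.4\n")
    return buf.getvalue()


def triage(zip_bytes: bytes):
    """Return [(entry_name, [reasons])] for every entry worth blocking."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            if zi.is_dir():
                continue
            parts = zi.filename.rsplit("/", 1)[-1].lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            encrypted = bool(zi.flag_bits & FLAG_ENCRYPTED)
            if encrypted:
                reasons.append("password-protected entry (content cannot be scanned)")
            if ext in SCRIPT_EXTS:
                reasons.append(f"script-host extension {ext}")
            if ext in NATIVE_EXTS:
                reasons.append(f"native executable extension {ext}")
            if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS:
                reasons.append("decoy document extension before the real one")
            # Content check: the name can lie, the first two bytes of a PE cannot.
            if not encrypted:
                with zf.open(zi) as fh:
                    if fh.read(2) == b"MZ":
                        reasons.append("PE image (MZ header)")
            if reasons:
                findings.append((zi.filename, reasons))
    return findings


def verdict(zip_bytes: bytes) -> str:
    return "block" if triage(zip_bytes) else "allow"


if __name__ == "__main__":
    for name, reasons in triage(build_lure_archive()):
        print(name, "->", "; ".join(reasons))
    print("lure:", verdict(build_lure_archive()), "| clean:", verdict(build_clean_archive()))
```

Python's zipfile cannot write password-protected entries, so the constructed lure exercises every check except the encryption flag; on a real sample from this campaign the second-stage ZIPs would trip that check, which is exactly why the operators add the hard-coded password.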