Threat actors are now using WeTransfer to distribute the Lampion malware in greater volume as part of their phishing campaigns.

WeTransfer is a legitimate, free file-sharing service, which makes it a cost-free way to get past security software that might not flag the URLs used in the emails.

In a recent campaign observed by email security company Cofense, the Lampion operators are sending phishing emails from compromised accounts. The recipients are directed to download a "Proof of Payment" document from WeTransfer.

Spam mail with link to a WeTransfer download (Cofense)

The file the targets receive is a ZIP containing a VBS script that the victim must launch for the attack to commence.

When the script is run, WScript produces four VBS files with random names:

  • The first script is completely empty,
  • the second has only basic functionality,
  • and the third serves simply to start the fourth script.

The reason for this is unclear, but Cofense researchers noted that modular execution is often favored for its adaptability and the ease of swapping out individual files.

The Script

The fourth script starts a new WScript process that connects to two hardcoded URLs and downloads two DLL files. These are concealed inside password-protected ZIP files. The URLs lead to instances of Amazon AWS.

The ZIP file password is hardcoded in the script, enabling the extraction of the archives without user input. When loaded into memory, the DLL payloads in the package enable Lampion to silently execute on compromised systems.
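The chain described above (a VBS from a ZIP lure spawning a second WScript process that fetches archives from cloud storage and drops DLLs) is something a defender can look for in endpoint telemetry and in mail attachments. The following is an added example, not code from Cofense or from the report; the event format, the field names and the sample events are constructed assumptions, and the heuristics are not Cofense signatures.

```python
import io
import zipfile

# Constructed sample telemetry (not real data): a VBS launched from a downloaded ZIP
# spawns a second wscript.exe that fetches an archive from AWS and writes a DLL.
EVENTS = [
    {"type": "process", "pid": 200, "ppid": 100, "image": "wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\Downloads\Proof of Payment.vbs"'},
    {"type": "process", "pid": 300, "ppid": 200, "image": "wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\AppData\Local\Temp\k3j9x.vbs"'},
    {"type": "network", "pid": 300, "url": "https://EXAMPLE-BUCKET.s3.amazonaws.com/p1.zip"},
    {"type": "file", "pid": 300, "path": r"C:\Users\u\AppData\Local\Temp\loader.dll"},
    {"type": "process", "pid": 400, "ppid": 100, "image": "notepad.exe", "cmd": "notepad.exe"},
]


def wscript_chains(events):
    """Find wscript.exe processes whose parent is also wscript.exe and attach
    the network requests and DLL writes attributed to each such child."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = {}
    for pid, proc in procs.items():
        parent = procs.get(proc["ppid"])
        if proc["image"].lower() != "wscript.exe" or parent is None:
            continue
        if parent["image"].lower() != "wscript.exe":
            continue
        urls = [e["url"] for e in events if e["type"] == "network" and e["pid"] == pid]
        dlls = [e["path"] for e in events
                if e["type"] == "file" and e["pid"] == pid and e["path"].lower().endswith(".dll")]
        findings[pid] = {"parent_cmd": parent["cmd"], "urls": urls, "dlls": dlls}
    return findings


def script_members(zip_bytes, exts=(".vbs", ".vbe", ".js", ".wsf")):
    """List script files inside a ZIP attachment and report whether any member is
    encrypted (bit 0 of the general-purpose flag), as the password-protected
    payload archives in this chain would be."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        names = [i.filename for i in infos if i.filename.lower().endswith(exts)]
        encrypted = any(i.flag_bits & 0x1 for i in infos)
    return names, encrypted


def build_sample_zip():
    """Constructed attachment: a ZIP holding a harmless VBS, mirroring the lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Proof of Payment.vbs", 'WScript.Echo "sample"\n')
    return buf.getvalue()
```

A real deployment would map the event fields onto the EDR or Sysmon schema in use; the two checks are independent and can be run on mail-gateway attachments and endpoint logs separately.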

From there, Lampion starts stealing data from the computer, focusing on bank accounts through injections delivered from its C2 that overlay its own login forms on banking login pages. These bogus login forms capture the credentials users enter and send them to the attacker.

Lampion revitalized

The Lampion trojan has been active since at least 2019, primarily targeting Spanish-speaking users and hosting its malicious ZIPs on compromised servers.

In 2021, Lampion started using cloud services such as Google Drive and pCloud to host the malware for the first time.

More recently, in March 2022, a hostname link connecting Bazaar and LockBit operations to the trojan was discovered, coinciding with an increase in its propagation.

Additionally, the creators of Lampion have been constantly working to obfuscate their malware with additional layers and junk code.

According to Cofense's most recent assessment, Lampion is an active and stealthy threat, and users should exercise caution when responding to unsolicited emails that ask them to download files, even from reputable cloud services.