Warning, this WeTransfer link could be a phishing scam

If you receive an email from an unknown person, sharing a “Proof of Payment” document from WeTransfer, be careful as it is most likely malware.

Cofense cybersecurity researchers have found that threat actors are now distributing the Lampion malware this way in greater volume.

Lampion is a known trojan that is capable of stealing sensitive data, such as banking information, passwords, etc. It does this by overlaying known login forms onto its own, then sending the submitted data to its command and control servers.

Distribution of lanterns

What makes this campaign more dangerous than other similar campaigns is the use of WeTransfer. It is a legitimate file transfer service, which makes it extremely difficult for email security systems to flag it as malicious. Plus, it’s not the only legitimate service that scammers are abusing – they also leverage Amazon Web Services (AWS), and here’s how.

When a victim receives the email, and if they download the file, they get a ZIP archive with a virtual base script (VBS) inside. The script, if run, connects to an AWS instance and retrieves two DLL files, also in protected ZIP archives. These DLLs, when activated (which happens automatically and without any user interaction), are loaded into memory and allow Lampion to work.

Lampion is a well-known Trojan that has been in use since 2019. Starting out as malware first targeting the Spanish-speaking community, it has since gone global. This year, researchers said its distribution has accelerated, with some identifying a hostname link to Bazaar and LockBit.

Email remains one of the best ways to spread viruses, malware or ransomware, despite the fact that email protection tools have improved over the years. Today, threat actors can take advantage of a number of free cloud tools, such as hosting providers, calendar organizers, etc., to circumvent security measures and distribute malicious code at the terminals. (opens in a new tab) around the world.

Via: BleepingComputer (opens in a new tab)

Harry D. Gonzalez