If you receive an email from an unknown person sharing a WeTransfer “Proof of Payment” document, be careful, as it is likely malware.
Cybersecurity researchers at Cofense found that threat actors are now mass disseminating the Lampion malware in this fashion.
Lampion is a known Trojan capable of stealing sensitive data such as banking information, passwords, and more. It does this by overwriting a known login form with its own, then sending the submitted data to its command-and-control server.
Lampion distribution
What makes this activity more dangerous than others like it is the use of WeTransfer. It’s a legitimate file transfer service, so it’s hard for email security systems to flag it as malicious. What’s more, this isn’t the only legitimate service that scammers abuse — they’re also taking advantage of Amazon Web Services (AWS), and here’s how.
When victims download the file linked in the email, they get a ZIP archive containing a Visual Basic Script (VBS). If the script is run, it connects to an AWS instance and fetches two DLL files, which are also packed in a password-protected ZIP archive. These DLLs are loaded into memory automatically, without any further user interaction, and allow Lampion to run.
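As an added illustration of how a defender might catch the chain described above (this is example code, not Cofense's research or anything from the original report), the following Python script does two checks: it lists script files hiding inside a ZIP attachment, and it flags telemetry where a Windows script host (wscript.exe or cscript.exe) fetches a DLL from a cloud-hosted URL. The archive contents, the event records and the bucket hostname are all constructed sample data.

```python
import io
import zipfile
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Extensions that should never arrive inside a "document" archive sent by a stranger.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}

# Windows script hosts that execute .vbs files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def find_script_members(zip_bytes: bytes) -> list:
    """Return the names of script files inside a ZIP archive.

    Member names live in the ZIP central directory, which is not encrypted,
    so this check also works on password-protected archives without the
    password: a protected ZIP cannot hide that it carries a .vbs file.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [
            info.filename
            for info in zf.infolist()
            if not info.is_dir()
            and PurePosixPath(info.filename).suffix.lower() in SCRIPT_EXTENSIONS
        ]


def flag_script_host_dll_fetch(events: list) -> list:
    """Return events where a script host downloaded a DLL.

    Each event is a dict with a "process" name and the "url" it requested,
    as a proxy or EDR sensor would record it (constructed format).
    """
    hits = []
    for event in events:
        process = event["process"].lower()
        path = urlsplit(event["url"]).path.lower()
        if process in SCRIPT_HOSTS and path.endswith(".dll"):
            hits.append(event)
    return hits


def build_sample_zip() -> bytes:
    """Build a constructed archive that mimics the 'Proof of Payment' lure:
    a double-extension script next to a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Proof of Payment.pdf.vbs", "' constructed placeholder, not a real script\n")
        zf.writestr("readme.txt", "constructed placeholder\n")
    return buf.getvalue()


# Constructed telemetry: the bucket name and file names are placeholders.
SAMPLE_EVENTS = [
    {"process": "chrome.exe", "url": "https://wetransfer.com/downloads/placeholder"},
    {"process": "wscript.exe", "url": "https://example-bucket.s3.amazonaws.com/p0.dll"},
    {"process": "wscript.exe", "url": "https://example-bucket.s3.amazonaws.com/p1.dll"},
    {"process": "outlook.exe", "url": "https://outlook.office365.com/"},
]


if __name__ == "__main__":
    print("script members:", find_script_members(build_sample_zip()))
    for hit in flag_script_host_dll_fetch(SAMPLE_EVENTS):
        print("script host fetched a DLL:", hit["process"], hit["url"])
```

The archive check fits at the mail gateway or on a file share, and the DLL-fetch check fits in a SIEM rule; together they cover the two stages the report describes (script in the attachment, DLLs pulled from cloud storage) without depending on the specific hostnames the campaign used.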
Lampion is a known Trojan horse that has been in use since 2019. It initially targeted the Spanish-speaking community and has since gone international. This year, researchers say its distribution has accelerated, and some have found hostname links to Bazaar and LockBit.
Although email protection tools have gotten better over the years, email is still one of the most effective ways to spread viruses, malware or ransomware. Today, threat actors can leverage many free cloud tools (e.g. hosting providers, calendar organizers, etc.) to bypass security measures and distribute malicious code to endpoints all around the world.