Lampion malware returns in phishing attacks abusing WeTransfer

The Lampion malware is being distributed in greater volumes lately, with threat actors abusing WeTransfer as part of their phishing campaigns.

WeTransfer is a legitimate file-sharing service that can be used free of charge, so it's a no-cost way to bypass security software that may not raise alerts about the URLs used in emails.

In a new campaign observed by email security firm Cofense, Lampion operators are sending phishing emails from compromised company accounts urging users to download a "Proof of Payment" document from WeTransfer.

The file the targets receive is a ZIP archive containing a VBS (Virtual Basic script) file the victim needs to launch for the attack to begin.

Upon execution, the script initiates a WScript process that creates four VBS files with random naming. The first one is empty, the second has minimal functionality, and the third's only purpose is to launch the fourth script.

Cofense analysts comment that this extra step is unclear, but modular execution approaches are typically preferred for their versatility, allowing easy file swaps.

The fourth script launches a new WScript process that connects to two hardcoded URLs to fetch two DLL files hiding inside password-protected ZIPs. The URLs point to Amazon AWS instances.

The password for the ZIP files is hardcoded in the script, so the archives are extracted without requiring user interaction. The contained DLL payloads are loaded into memory, allowing Lampion to be stealthily executed on compromised systems.

From there, Lampion begins stealing data from the computer, targeting bank accounts by fetching injections from the C2 and overlaying its own login forms on login pages. When users enter their credentials, these fake login forms will be stolen and sent to the attacker.

Lampion revitalized

The Lampion trojan has been around since at least 2019, focusing mainly on Spanish-speaking targets and using compromised servers to host its malicious ZIPs.

In 2021, Lampion was seen abusing cloud services for hosting the malware for the first time, including Google Drive and pCloud.

More recently, in March 2022, Cyware reported an uptick in the trojan's distribution, identifying a hostname link to Bazaar and LockBit operations.

Cyware also reported that Lampion's authors were actively trying to make their malware harder to analyze by adding more obfuscation layers and junk code.

Cofense's latest report indicates that Lampion is an active and stealthy threat, and users should be cautious with unsolicited emails asking them to download files, even from legitimate cloud services.