The Lampion trojan has been active since at least 2019, primarily targeting Spanish-speaking users and hosting its malicious ZIP archives on compromised servers.
Most recently, Lampion operators have begun using WeTransfer in their phishing campaigns to spread the malware more widely. WeTransfer is a legitimate, free file-sharing service, so links to it in emails may not be flagged by security software, which lets the attackers slip past those controls.
In a recent campaign observed by Cofense, Lampion operators send phishing emails from compromised corporate accounts, urging recipients to download a “Proof of Payment” document from WeTransfer.
Malicious ZIP file (source: Cofense)
The file sent to targets is a ZIP archive containing a Visual Basic Script (VBS) file, which the victim must run for the attack to begin.
When the script runs, it starts a WScript process that generates four VBS files with random names. The first script is completely empty, the second has only basic functionality, and the third simply launches the fourth.
The ZIP archive's password is hardcoded in the script. Because the DLL payloads are loaded directly into memory, Lampion can run discreetly on compromised systems.
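As an added detection example, not code from Cofense or from this article, the Python script below scans constructed Sysmon-style process and file-creation events for a wscript.exe process that writes several .vbs files shortly after starting, the behaviour described above. The event shape, paths and file names are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style events (assumed shape, not real telemetry from the campaign).
# pid 4100: wscript.exe launched on the extracted script, then writing four .vbs files.
# pid 5200: a benign wscript.exe run that writes a single log file.
SAMPLE_EVENTS = [
    {"ts": "2022-09-06T10:00:00", "type": "process_create", "pid": 4100,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\Proof_of_Payment.vbs"},
    {"ts": "2022-09-06T10:00:01", "type": "file_create", "pid": 4100,
     "path": r"C:\Users\u\AppData\Local\Temp\q8d1kz.vbs"},
    {"ts": "2022-09-06T10:00:01", "type": "file_create", "pid": 4100,
     "path": r"C:\Users\u\AppData\Local\Temp\w3m7xp.vbs"},
    {"ts": "2022-09-06T10:00:02", "type": "file_create", "pid": 4100,
     "path": r"C:\Users\u\AppData\Local\Temp\z0n4rt.vbs"},
    {"ts": "2022-09-06T10:00:02", "type": "file_create", "pid": 4100,
     "path": r"C:\Users\u\AppData\Local\Temp\k5v2bc.vbs"},
    {"ts": "2022-09-06T10:05:00", "type": "process_create", "pid": 5200,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Scripts\inventory.vbs"},
    {"ts": "2022-09-06T10:05:03", "type": "file_create", "pid": 5200,
     "path": r"C:\Scripts\inventory.log"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_vbs_droppers(events, min_files=3, window=timedelta(seconds=60)):
    """Return one finding per wscript.exe process that writes at least
    `min_files` .vbs files within `window` of its own start time."""
    starts = {e["pid"]: e for e in events
              if e["type"] == "process_create"
              and e["image"].lower().endswith("\\wscript.exe")}
    dropped = {pid: [] for pid in starts}
    for e in events:
        if e["type"] != "file_create" or e["pid"] not in starts:
            continue
        if not e["path"].lower().endswith(".vbs"):
            continue
        # Only count files written shortly after the process started.
        if timedelta(0) <= _ts(e) - _ts(starts[e["pid"]]) <= window:
            dropped[e["pid"]].append(e["path"])
    return [{"pid": pid, "cmdline": starts[pid]["cmdline"], "dropped": paths}
            for pid, paths in dropped.items() if len(paths) >= min_files]


if __name__ == "__main__":
    for f in detect_vbs_droppers(SAMPLE_EVENTS):
        print(f"wscript pid {f['pid']} dropped {len(f['dropped'])} .vbs files: {f['cmdline']}")
```

The benign pid 5200 run is not flagged because it writes no .vbs files; tune `min_files` and `window` to your environment's baseline of legitimate script activity.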
Lampion steals data by retrieving web injects from its C2 server and overlaying its own login forms on legitimate login pages. When users submit their credentials to these fake forms, the credentials are captured and sent to the attacker.
Based on Cofense’s recent analysis, users should be wary of unsolicited emails requesting file downloads, even when the files are hosted on reputable cloud services.