March 22, 2024
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]
Rewterz Threat Alert – Ryuk Ransomware – Active IOCs
September 11, 2022
Rewterz Threat Advisory – CVE-2022-2964 – Linux Kernel Vulnerability
September 12, 2022
Rewterz Threat Alert – Ryuk Ransomware – Active IOCs
September 11, 2022
Rewterz Threat Advisory – CVE-2022-2964 – Linux Kernel Vulnerability
September 12, 2022
Severity
High
Analysis Summary
Since at least 2019, the Lampion trojan has been active, primarily targeting Spanish-speaking targets and hosting its malicious ZIPs on infected servers.
Most recently, threat actors have started employing WeTransfer as part of their phishing attempts to spread the Lampion malware in greater numbers. WeTransfer, a legitimate file-sharing service, can be used for free to bypass security software that may not raise alarms about URLs in emails.
Phishing emails are being sent through compromised corporate accounts by Lampion operators, pushing customers to download a “Proof of Payment” document from WeTransfer. – recent campaign observed by Cofense.
Malicious ZIP file – Cofense: source
The file sent to the targets is a ZIP archive containing a Virtual Basic script file that the victim must run in order for the attack to commence.
When the script is run, a WScript process starts that generates four VBS files with arbitrary names. The first script is completely empty, the second only has basic functionality, and the third script serves simply to start the fourth script.
The ZIP file password is hardcoded in the script. Lampion can be run discreetly on compromised systems since the DLL payloads are loaded into memory.
Lampion steals data from computers by retrieving injections from the C2 and overlaying its own login forms on login sites. These fake login forms are stolen and transmitted to the attacker when users submit their credentials.
According to Cofense’s recent analysis, Users should be wary of unsolicited emails requesting file downloads, even from reputable cloud services.
Impact
- Information Theft
- Credential Theft
Indicators of Compromise
MD5
- 3ebd37d3c4ec898dce7b4a4346aa7acb
- 8f7a9fce82d4debe0796b8d68097d611
- 735a251f921be84a2039cb2b58467e4e
- 9951c45e09990f06bc3e3758062c9ade
- e2c5416931f1c9369fb55e7adcf6364b
SHA-256
- 81df2c6c4287d2b9247b589d8e10efeb228270da5b3615642a2b5eaa00d22945
- a1f4fc0600d0971454d746a6ba87bbde56114a91119e95fc4ddb71f97452bb1a
- be703ee8d83c3eb95fd5a343fed3d2947d2b98955be3b6eb8dd4752be1047537
- cd9d625e9fe6116f5f5e938ae9f693e10529df238b4e2bbd974f6d5c41f96aa8
- f085588cf016993e6298640bf797c1d31b61a8087a3240d517a53a5a58474987
SHA-1
- aeb65c4fb8098086774e5af02ffa86e24406795a
- 795628c7899667bc53052bfd784cb520b79caa9c
- 7d69fd7e3eb693dc81778d58ea4c28af7997d341
- 27ef845a9562b989c38dd6d2eda42d31d7c2a354
- 57c960dc13b433a3fe3225b884fcbccc01c00c36
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open ” links and attachments received from unknown sources/senders.