Cybersecurity researchers from Cofense have found threat actors are now distributing the Lampion malware this way in greater volume.
Lampion is a known trojan, capable of stealing sensitive data, such as banking information, passwords, and similar. It does so by overlaying known login forms with its own, and then sending out the submitted data to its command & control servers.
What makes this campaign more dangerous than other, similar campaigns, is the use of WeTransfer. This is a legitimate file transfer service, making it extremely difficult for email security systems to flag it as malicious. What’s more, this is not the only legitimate service the crooks are abusing – they’re also leveraging Amazon Web Services (AWS), and here’s how.
When a victim receives the email and downloads the file, they get a ZIP archive with a Visual Basic Script (VBS) inside. If run, the script connects to an AWS instance and fetches two DLL files, also packed in protected ZIP archives. These DLLs are then loaded into memory automatically, with no user interaction whatsoever, and allow Lampion to operate.
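The delivery chain described above (a ZIP attachment carrying a VBS dropper, which in turn pulls protected ZIP archives holding DLLs) is something a mail gateway or sandbox can screen for before the script ever runs. The following Python snippet is an added example, not code from Cofense or from the article: it inspects a ZIP attachment, walks nested archives, and flags script or binary members and encrypted entries. The extension list, the depth limit and the sample archive it builds are constructed assumptions for illustration, not indicators from the campaign.

```python
import io
import zipfile

# Script and binary member types a mail gateway typically refuses inside archives.
# Assumption: a generic policy list, not indicators taken from the Lampion campaign.
RISKY_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
                    ".exe", ".dll", ".scr", ".ps1"}
MAX_DEPTH = 3  # stop recursing into ZIP-in-ZIP chains past this depth


def _extension(name: str) -> str:
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_zip(data: bytes, depth: int = 0, prefix: str = "") -> list:
    """Return (finding, member_path) tuples for a ZIP attachment.

    Findings: 'risky-script-or-binary' for script/executable members,
    'encrypted-entry' for password-protected members (content cannot be read,
    but the protection itself is a signal), 'not-a-zip' for undecodable input.
    Nested ZIP members are inspected recursively up to MAX_DEPTH.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("not-a-zip", prefix or "<root>")]
    for info in zf.infolist():
        member = prefix + info.filename
        ext = _extension(info.filename)
        if info.flag_bits & 0x1:  # general-purpose bit 0 = encrypted entry
            findings.append(("encrypted-entry", member))
            continue
        if ext in RISKY_EXTENSIONS:
            findings.append(("risky-script-or-binary", member))
        if ext == ".zip" and depth < MAX_DEPTH:
            findings.extend(inspect_zip(zf.read(info), depth + 1, member + "/"))
    return findings


def verdict(findings: list) -> str:
    """Map findings to a gateway action: quarantine on any risky member."""
    kinds = {kind for kind, _ in findings}
    if kinds & {"risky-script-or-binary", "encrypted-entry"}:
        return "quarantine"
    return "allow"


def build_sample_zip(with_script: bool = True, nested: bool = False) -> bytes:
    """Constructed sample attachment for demonstration (not a real lure).

    with_script=True places a .vbs member in the archive; nested=True wraps
    that archive inside an outer ZIP to exercise the recursive walk.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("readme.txt", "benign text (constructed)")
        if with_script:
            zf.writestr("invoice.vbs", "' placeholder script body (constructed)\r\n")
    if not nested:
        return inner.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("transfer.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for label, blob in (("script", build_sample_zip()),
                        ("nested", build_sample_zip(nested=True)),
                        ("benign", build_sample_zip(with_script=False))):
        found = inspect_zip(blob)
        print(label, verdict(found), found)
```

In a real deployment this check sits alongside, not instead of, URL reputation and sandboxing: the attachment here arrives through a WeTransfer link rather than as a mail attachment, so the same inspection would need to run on the downloaded file at the proxy or endpoint.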
Lampion is a known trojan that has been in use since 2019. It started out targeting the Spanish-speaking community and has since gone international. This year, researchers said its distribution picked up pace, with some identifying a hostname link to Bazaar and LockBit.
Email is still one of the best ways to distribute viruses, malware, or ransomware, despite the fact that email protection tools have gotten better over the years. Today, threat actors can leverage a number of free cloud tools, such as hosting providers, calendar organizers, and similar, to bypass security measures and distribute malicious code to endpoints around the world.
Via: BleepingComputer