Recent reports show that the infamous Lampion malware is being distributed much more frequently lately, with cybercriminals abusing WeTransfer as an integral element of their insidious phishing campaigns.

A legitimate service designed for file sharing, WeTransfer can be used entirely free of charge. As a result, it offers a zero-cost option to bypass security software solutions that might not raise the alarm about the URLs included in email messages.

Attack campaign unearthed by cybersecurity experts on email

In a brand-new threat campaign discovered by specialist email security company Cofense, threat operators using Lampion malware are transmitting phishing emails from enterprise accounts they have compromised that urge users to download a document regarding “Proof of Payment” via a WeTransfer.

The malicious file that victims receive is in fact a ZIP archive that contains a Virtual Basic script (or VBS for short) file that they must launch for the phishing attack to be unleashed.

Following execution, the VBS file initiates a dedicated WScript process that produces four different VBS files that feature random naming. While the first file is empty and the second one has minimal functionality, the third VBS file has a specific purpose – to launch yet another script.

Analysts based at Cofense have commented that the exact purpose of using this additional step remains unclear. However, modular execution approaches are usually preferred for the versatility they offer enabling far easier easy file-swapping activities.

The experts did find, however, that the fourth script launches an all-new WScript process that then connects to two different hardcoded URLs. This fetches two separate DLL files that are hiding inside the password-protected ZIP files. The dedicated URLs point towards Amazon AWS instances.

The set password for the ZIPs is hardcoded into the script. As a result, the archives are automatically extracted without needing any user interaction. The self-contained DLL payloads are then loaded into the device’s memory, enabling Lampion malware to be executed stealthily on any compromised systems.

Once this stage is complete, the Lampion malware starts stealing data from the device, targeting user bank accounts by retrieving injections from its command-and-control server before overlaying its login forms onto legitimate login pages. When a user enters their confidential credentials, these bogus login forms will be sent to directly to the threat operator.

Lampion malware upgraded

The trojan malware Lampion has been around for many years and dates to at least 2019. It has a history of focusing on Spanish-speaking targets predominantly and utilising compromised servers for hosting its malicious ZIP files.

Last year, Lampion was observed abusing cloud services for its malware hosting for the first time. Examples included pCloud and the popular Google Drive.

However, more recently, this year in March, Cyware documented an upswing in the trojan malware’s distribution, and identified a new hostname link to the cybercriminal LockBit and Bazaar operations.

Researchers at Cyware reported additionally that Lampion’s creators were actively attempting to make the trojan harder to analyse by adding junk code and additional obfuscation layers.