Operators behind the Lampion banking trojan have released a new set of phishing attacks to target users. The phishing attacks leverage the well-known file-sharing software, WeTransfer, to bypass email security checks.

About the new phishing attack

  • In a new campaign observed by Cofense, Lampion operators are sending phishing emails from compromised company accounts, asking recipients to download a ‘Proof of Payment’ as well as other documents from WeTransfer. 
  • However, the file downloaded is a ZIP archive containing a VBS script that initiates the attack.
  • Upon execution, the script initiates the WScript process that connects to two hardcoded URLs to fetch DLL files. These DLL files are responsible for deploying the Lampion banking trojan on victims’ systems. 
  • The goal of the malware is to pilfer bank account details from infected computers. This is done by tricking users into entering their credentials on fake login forms. 
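As an added illustration (it is not code from the Cyware article or from Cofense's research), the Python sketch below shows how a defender could surface the chain described above in endpoint telemetry: a Windows script host (wscript.exe or cscript.exe) launched on a .vbs that sits in a user's download or extraction folder, followed by that same process reaching out to external hosts and writing DLL files to disk. The event records, hostnames and file paths are constructed for the example and are not real indicators; the allowlist of internal hosts and the "user drop directory" pattern are assumptions a deployment would tune.

```python
"""Flag a script-host delivery chain in Sysmon-style endpoint telemetry.

Added example; the records below are invented and mimic the fields of
process-create, network-connect and file-create events. No real IoCs.
"""
import re
from collections import defaultdict

# Constructed sample events (not from the article). pid 4312 plays the
# attack chain; pid 5001 is benign admin activity that must not alert.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4100, "ppid": 1200,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 4312, "ppid": 4100,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Proof_of_Payment\Proof of Payment.vbs"'},
    {"type": "network_connect", "pid": 4312, "dest_host": "files.example-cdn.invalid", "dest_port": 443},
    {"type": "network_connect", "pid": 4312, "dest_host": "static.example-bucket.invalid", "dest_port": 443},
    {"type": "file_create", "pid": 4312, "path": r"C:\Users\alice\AppData\Local\Temp\P-1.dll"},
    # Benign: a logon script run from a domain share, talking only to the DC.
    {"type": "process_create", "pid": 5001, "ppid": 900,
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe \\corp.example.invalid\netlogon\map_drives.vbs"},
    {"type": "network_connect", "pid": 5001, "dest_host": "corp.example.invalid", "dest_port": 445},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Assumed: folders where a user typically lands a downloaded or unzipped attachment.
USER_DROP_DIRS = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.IGNORECASE)
# Assumed: internal hosts a script host may legitimately contact.
ALLOWED_HOSTS = {"corp.example.invalid"}


def script_path(cmdline):
    """Return the first .vbs/.vbe/.js argument on a command line, or None."""
    m = re.search(r'"([^"]+\.(?:vbs|vbe|js))"|(\S+\.(?:vbs|vbe|js))', cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) or m.group(2)


def detect(events):
    """Correlate the three stages by pid and return a list of alert dicts."""
    alerts = []
    suspicious_pids = set()
    net_by_pid = defaultdict(set)
    dll_by_pid = defaultdict(list)
    for ev in events:
        if ev["type"] == "process_create":
            if not ev["image"].lower().endswith(SCRIPT_HOSTS):
                continue
            path = script_path(ev["cmdline"])
            if path and USER_DROP_DIRS.search(path):
                suspicious_pids.add(ev["pid"])
                alerts.append({"rule": "script_host_from_user_drop_dir",
                               "pid": ev["pid"], "script": path})
        elif ev["type"] == "network_connect" and ev["pid"] in suspicious_pids:
            # The article's chain: the script host itself fetches payloads.
            if ev["dest_host"] not in ALLOWED_HOSTS:
                net_by_pid[ev["pid"]].add(ev["dest_host"])
        elif ev["type"] == "file_create" and ev["pid"] in suspicious_pids:
            if ev["path"].lower().endswith(".dll"):
                dll_by_pid[ev["pid"]].append(ev["path"])
    for pid, hosts in net_by_pid.items():
        alerts.append({"rule": "script_host_external_download",
                       "pid": pid, "hosts": sorted(hosts)})
    for pid, paths in dll_by_pid.items():
        alerts.append({"rule": "script_host_wrote_dll", "pid": pid, "paths": paths})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The first rule on its own is noisy in environments where users legitimately run scripts from their desktop; the value comes from the pid correlation, since a script host that both runs from a download folder and then pulls external content and drops DLLs matches the sequence Cofense describes and very little else.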

More details

What makes the campaign more dangerous is the attackers' use of more than one legitimate service to deliver the malware to victim systems. In addition to WeTransfer, the criminals are also leveraging Amazon Web Services (AWS).

What should users be aware of?

The Lampion trojan, which was primarily designed to target Spanish-speaking users, has gone international in the last few years. This year, researchers said its distribution picked up the pace, with some identifying a hostname link to Bazaar and LockBit 2.0 ransomware.
Cyware Publisher
