Watch out - that WeTransfer link could be a phishing scam

New phishing campaign abuses a legitimate file-transfer service


If you get an email from an unknown person sharing a “Proof of Payment” document via WeTransfer, be careful: it is most likely malware.

Cybersecurity researchers from Cofense have found threat actors are now distributing the Lampion malware this way in greater volume.

Lampion is a known trojan, capable of stealing sensitive data, such as banking information, passwords, and similar. It does so by overlaying known login forms with its own, and then sending out the submitted data to its command & control servers.

Lampion distribution

What makes this campaign more dangerous than other, similar campaigns is the use of WeTransfer. This is a legitimate file transfer service, making it extremely difficult for email security systems to flag the link as malicious. What’s more, this is not the only legitimate service the crooks are abusing - they’re also leveraging Amazon Web Services (AWS), and here’s how.

When a victim receives the email and downloads the file, they get a ZIP archive with a Visual Basic Script (VBS) inside. The script, if run, connects to an AWS instance and grabs two DLL files, also in password-protected ZIP archives. These DLLs, when activated (which happens automatically and with no user interaction whatsoever), are loaded into memory and allow Lampion to operate.
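The delivery chain above is made of individually innocuous pieces: a file-transfer link, a payment-themed subject, a ZIP, a script. What a mail gateway or analyst can do is look at the combination. The following is an added illustration, not code from the article, Cofense or WeTransfer: it scores a constructed inbound message on the three signals the campaign relies on (payment lure wording, a link to a transfer service, no prior correspondence with the sender) and inspects a constructed ZIP for script extensions, double extensions, nested archives and password-protected entries without extracting or running anything. The `we.tl` short-link domain and the extra lure terms are assumptions added for illustration; the sample script inside the archive is inert placeholder text.

```python
"""Triage checks for a WeTransfer / ZIP / VBS delivery chain.

Constructed example for illustration; not Cofense's or WeTransfer's code.
"""
import io
import re
import zipfile
from dataclasses import dataclass

# "Proof of Payment" is the lure named in the article. The other terms are
# assumptions, included only to show how the list grows with new lures.
LURE_TERMS = ("proof of payment", "payment confirmation", "remittance")

# Legitimate file-transfer domains abused for delivery. "we.tl" is assumed
# to be WeTransfer's short-link domain.
TRANSFER_HOSTS = ("wetransfer.com", "we.tl")

# Extensions the Windows Script Host executes on double-click.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")

URL_RE = re.compile(r"https?://([\w.-]+)", re.IGNORECASE)


@dataclass
class MailEvent:
    """Minimal view of an inbound message as a mail gateway might log it."""
    sender: str
    subject: str
    body: str
    known_sender: bool  # True if the sender has prior correspondence history


def transfer_hosts_in(text: str) -> list[str]:
    """Return hostnames of file-transfer links present in the text."""
    hosts = (m.group(1).lower().rstrip(".") for m in URL_RE.finditer(text))
    return [h for h in hosts
            if any(h == t or h.endswith("." + t) for t in TRANSFER_HOSTS)]


def score_mail(event: MailEvent) -> tuple[int, list[str]]:
    """Combine the weak signals of this lure into one score plus reasons.

    No single signal is conclusive: transfer links and payment subjects are
    both common in legitimate mail. The combination of an unknown sender, a
    payment lure and a transfer-service link is what the campaign depends on.
    """
    reasons = []
    text = f"{event.subject}\n{event.body}".lower()
    if any(term in text for term in LURE_TERMS):
        reasons.append("payment lure wording")
    if transfer_hosts_in(event.body):
        reasons.append("file-transfer service link")
    if not event.known_sender:
        reasons.append("no prior correspondence with sender")
    return len(reasons), reasons


def inspect_zip(data: bytes) -> list[str]:
    """Inspect a downloaded archive by its entry metadata only.

    Flags script files (the campaign's first stage), double extensions that
    disguise them, nested archives, and password-protected entries (the
    shape of the campaign's DLL archives). Nothing is extracted or executed.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith(SCRIPT_EXTS):
                findings.append(f"script file: {info.filename}")
                stem = name.rsplit(".", 1)[0]
                if "." in stem:  # e.g. "invoice.pdf.vbs"
                    findings.append(f"double extension: {info.filename}")
            if name.endswith(".zip"):
                findings.append(f"nested archive: {info.filename}")
            if info.flag_bits & 0x1:  # general-purpose bit 0 = encrypted entry
                findings.append(f"encrypted entry: {info.filename}")
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive with the lure's shape; the 'script' is inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Proof of Payment.pdf.vbs", "' placeholder text, not a script\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    lure = MailEvent("unknown@example.invalid", "Proof of Payment",
                     "Download: https://wetransfer.com/downloads/EXAMPLE", False)
    print(score_mail(lure))
    print(inspect_zip(build_sample_zip()))
```

A score of 3 on the constructed lure versus 1 on a transfer link from a known contact is the point: the transfer service itself should not be the trigger, since blocking WeTransfer outright breaks legitimate workflows, while a script inside a downloaded archive from an unknown sender is worth quarantining on its own.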

Lampion is a known trojan that has been in use since 2019. Starting as malware targeting the Spanish-speaking community, it has since gone international. This year, researchers said its distribution picked up pace, with some identifying a hostname link to Bazaar and LockBit.


Email is still one of the most effective ways to distribute viruses, malware, or ransomware, even though email protection tools have improved over the years. Today, threat actors can leverage a number of free cloud tools, such as hosting providers, calendar organizers, and similar services, to bypass security measures and distribute malicious code to endpoints around the world.


Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
