

Rewterz Threat Alert – Ryuk Ransomware – Active IOCs
September 11, 2022
Rewterz Threat Advisory – CVE-2022-2964 – Linux Kernel Vulnerability
September 12, 2022
Severity
High
Analysis Summary
The Lampion trojan has been active since at least 2019, primarily targeting Spanish-speaking users and hosting its malicious ZIP archives on compromised servers.
More recently, the operators have begun delivering Lampion through WeTransfer in order to reach a larger number of victims. WeTransfer is a legitimate, free file-sharing service, so links to it are unlikely to be flagged by email security controls that judge URLs by reputation alone.
In the recent campaign observed by Cofense, the phishing emails are sent from compromised corporate accounts and urge recipients to download a “Proof of Payment” document from WeTransfer.
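The lure described above defeats URL-reputation filtering because the link really does point at wetransfer.com and the sender really is a business mailbox, so the detection has to key on context instead. The following Python mail-filter rule is an added example, not code from Rewterz or Cofense: it combines the payment-themed lure text with the presence of a file-sharing link. The two messages are constructed, the we.tl short-link host and the Spanish variant of the lure phrase are assumptions, and the verdict names are arbitrary.

```python
"""Flag the WeTransfer "Proof of Payment" lure in inbound mail.

Added example, not code from the Rewterz advisory or the Cofense report.
The messages below are constructed; the lure phrase and the abuse of
wetransfer.com links come from the advisory, the we.tl host and the
Spanish phrasing are assumptions.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Legitimate sharing service abused in this campaign (we.tl assumed as its short-link host).
SHARING_HOSTS = ("wetransfer.com", "we.tl")
LURE = re.compile(r"proof\s+of\s+payment|comprobante\s+de\s+pago", re.I)
URL = re.compile(r"https?://[^\s\"'<>)]+", re.I)


def message_text(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def sharing_links(text):
    """Return every URL whose host is one of SHARING_HOSTS or a subdomain of one."""
    found = []
    for url in URL.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in SHARING_HOSTS):
            found.append(url)
    return found


def assess(raw_message):
    """Classify one RFC 822 message.

    URL reputation says nothing here: the link points at a legitimate service and
    the sender is a real (compromised) mailbox, so SPF and DKIM would pass too.
    The signal is the combination of a payment-themed lure with a file-sharing
    link, which a genuine invoice workflow rarely produces.
    """
    msg = message_from_string(raw_message)
    text = message_text(msg)
    links = sharing_links(text)
    lure = bool(LURE.search((msg.get("Subject") or "") + "\n" + text))
    if links and lure:
        verdict = "quarantine"
    elif links:
        verdict = "review"      # sharing link without the lure: plausible business use
    else:
        verdict = "deliver"
    return {"verdict": verdict, "links": links, "lure": lure, "sender": msg.get("From")}


# Constructed messages for the demonstration.
LURE_EMAIL = """\
From: Accounts <accounts@compromised-supplier.example>
To: finance@target.example
Subject: Proof of Payment
Content-Type: text/plain; charset=utf-8

Hello,
Please find the proof of payment for invoice 4471 at
https://wetransfer.com/downloads/constructed-transfer-id
Regards
"""

SHARE_EMAIL = """\
From: Dana <dana@partner.example>
To: finance@target.example
Subject: Photos from the offsite
Content-Type: text/plain; charset=utf-8

Uploaded them here: https://wetransfer.com/downloads/another-constructed-id
"""

if __name__ == "__main__":
    for raw in (LURE_EMAIL, SHARE_EMAIL):
        print(assess(raw))
```

The "review" tier matters in practice: blocking every WeTransfer link would break legitimate use and push users toward worse workarounds, whereas the lure-plus-link combination is rare enough to quarantine outright.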
[Image: malicious ZIP file (source: Cofense)]
The file delivered to the target is a ZIP archive containing a Visual Basic Script (VBS) file, which the victim must run for the attack to begin.
When the script is run, a WScript process starts and writes four VBS files with random names. The first script is empty, the second has only minimal functionality, and the third exists solely to launch the fourth.
The fourth script retrieves the DLL payloads, which arrive inside password-protected ZIP archives whose password is hardcoded in the script. Because the DLLs are loaded into memory, Lampion can run discreetly on the compromised system.
Lampion steals data by fetching web injects from its C2 server and overlaying its own login forms on top of legitimate login pages. Credentials entered into these fake forms are captured and transmitted to the attacker.
Cofense's analysis concludes that users should treat unsolicited emails requesting file downloads with suspicion, even when the download is hosted on a reputable cloud service.
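The launch chain above leaves a distinctive trail in process telemetry: a script host started from a user-writable path, a script host that writes several .vbs files, and a script host spawning another script host. The following Python hunting logic is an added example, not tooling from Rewterz or Cofense. It runs over constructed Sysmon-style records (EventID 1 process creation with Image, ParentImage, CommandLine, ProcessId; EventID 11 file creation with Image, ProcessId, TargetFilename); the PIDs, user name, file names and the "Temp1_" extraction folder are made up, and the threshold of three dropped scripts is an assumption.

```python
"""Spot the Lampion WScript launch chain in endpoint telemetry.

Added example, not part of the advisory. Events are constructed Sysmon-style
records. The behaviour modelled is the one described above: the VBS from the
delivered ZIP starts WScript, which writes several randomly named VBS files,
and one script then launches another.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Script path under a user-writable location (extracted archive, dropped file).
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\|\\windows\\temp\\", re.I)
# First .vbs argument on the command line, quoted (may contain spaces) or bare.
VBS_ARG = re.compile(r'"([^"]+\.vbs)"|(\S+\.vbs)', re.I)


def _exe(path):
    return PureWindowsPath(path).name.lower()


def classify(ev):
    """Reasons a single process-creation event resembles the Lampion chain."""
    reasons = []
    if ev.get("EventID") != 1 or _exe(ev.get("Image", "")) not in SCRIPT_HOSTS:
        return reasons
    m = VBS_ARG.search(ev.get("CommandLine", ""))
    script = (m.group(1) or m.group(2)) if m else ""
    if script and USER_WRITABLE.search(script):
        reasons.append("vbs_from_user_writable_path")      # run from the ZIP or %TEMP%
    if _exe(ev.get("ParentImage", "")) in SCRIPT_HOSTS:
        reasons.append("script_host_spawned_script_host")  # third script starting the fourth
    return reasons


def vbs_dropper_pids(events, threshold=3):
    """PIDs of script hosts that wrote at least `threshold` .vbs files (assumed cut-off)."""
    counts = Counter(
        ev["ProcessId"] for ev in events
        if ev.get("EventID") == 11
        and _exe(ev.get("Image", "")) in SCRIPT_HOSTS
        and ev.get("TargetFilename", "").lower().endswith(".vbs"))
    return {pid for pid, n in counts.items() if n >= threshold}


def hunt(events):
    """Map each suspicious PID to the list of reasons it was flagged."""
    findings = {}
    for ev in events:
        reasons = classify(ev)
        if reasons:
            findings[ev["ProcessId"]] = reasons
    for pid in vbs_dropper_pids(events):
        findings.setdefault(pid, []).append("dropped_multiple_vbs")
    return findings


TEMP = r"C:\Users\bob\AppData\Local\Temp"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
SAMPLE_EVENTS = [  # constructed records
    # Victim opens the script straight from the ZIP; Explorer extracts it under %TEMP%.
    {"EventID": 1, "ProcessId": 4100, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": WSCRIPT,
     "CommandLine": r'"C:\Windows\System32\WScript.exe" '
                    r'"C:\Users\bob\AppData\Local\Temp\Temp1_Proof of Payment.zip\Proof of Payment.vbs"'},
    # That WScript writes four randomly named VBS files.
    *({"EventID": 11, "ProcessId": 4100, "Image": WSCRIPT,
       "TargetFilename": str(PureWindowsPath(TEMP, name + ".vbs"))}
      for name in ("kq8xz1", "p0mn4r", "z2yd7f", "x7q2lm")),
    # The third script launches the fourth: script host spawning script host.
    {"EventID": 1, "ProcessId": 4120, "ParentImage": WSCRIPT, "Image": WSCRIPT,
     "CommandLine": r"wscript.exe C:\Users\bob\AppData\Local\Temp\x7q2lm.vbs"},
    # Benign admin script from Program Files: no reasons.
    {"EventID": 1, "ProcessId": 5200, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'cscript.exe "C:\Program Files\Vendor\inventory.vbs"'},
    {"EventID": 1, "ProcessId": 5300, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        print(pid, ", ".join(reasons))
```

Each reason is weak on its own (administrators do run .vbs from %TEMP% occasionally), which is why the dropped-file count and the parent-child relationship are correlated per PID rather than alerted on individually.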
Impact
- Information Theft
- Credential Theft
Indicators of Compromise
MD5
- 3ebd37d3c4ec898dce7b4a4346aa7acb
- 8f7a9fce82d4debe0796b8d68097d611
- 735a251f921be84a2039cb2b58467e4e
- 9951c45e09990f06bc3e3758062c9ade
- e2c5416931f1c9369fb55e7adcf6364b
SHA-256
- 81df2c6c4287d2b9247b589d8e10efeb228270da5b3615642a2b5eaa00d22945
- a1f4fc0600d0971454d746a6ba87bbde56114a91119e95fc4ddb71f97452bb1a
- be703ee8d83c3eb95fd5a343fed3d2947d2b98955be3b6eb8dd4752be1047537
- cd9d625e9fe6116f5f5e938ae9f693e10529df238b4e2bbd974f6d5c41f96aa8
- f085588cf016993e6298640bf797c1d31b61a8087a3240d517a53a5a58474987
SHA-1
- aeb65c4fb8098086774e5af02ffa86e24406795a
- 795628c7899667bc53052bfd784cb520b79caa9c
- 7d69fd7e3eb693dc81778d58ea4c28af7997d341
- 27ef845a9562b989c38dd6d2eda42d31d7c2a354
- 57c960dc13b433a3fe3225b884fcbccc01c00c36
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
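For the "search for IOCs in your environment" step, the following Python scanner is an added example, not tooling from Rewterz or Cofense. It hashes every regular file under a directory tree once with all three algorithms and reports matches against the MD5, SHA-1 and SHA-256 values listed above. The scan target is whatever path you pass on the command line; the sample file, the "benign.txt" neighbour and the extra IOC that demo() plants are constructed so the scanner can be exercised offline.

```python
"""Hunt a directory tree for the file hashes published in this advisory.

Added example, not tooling from Rewterz or Cofense. The three hash sets are
the IOCs listed in the advisory; everything demo() creates is constructed.
"""
import hashlib
import sys
import tempfile
from pathlib import Path

LAMPION_IOCS = {
    "md5": {
        "3ebd37d3c4ec898dce7b4a4346aa7acb", "8f7a9fce82d4debe0796b8d68097d611",
        "735a251f921be84a2039cb2b58467e4e", "9951c45e09990f06bc3e3758062c9ade",
        "e2c5416931f1c9369fb55e7adcf6364b",
    },
    "sha1": {
        "aeb65c4fb8098086774e5af02ffa86e24406795a", "795628c7899667bc53052bfd784cb520b79caa9c",
        "7d69fd7e3eb693dc81778d58ea4c28af7997d341", "27ef845a9562b989c38dd6d2eda42d31d7c2a354",
        "57c960dc13b433a3fe3225b884fcbccc01c00c36",
    },
    "sha256": {
        "81df2c6c4287d2b9247b589d8e10efeb228270da5b3615642a2b5eaa00d22945",
        "a1f4fc0600d0971454d746a6ba87bbde56114a91119e95fc4ddb71f97452bb1a",
        "be703ee8d83c3eb95fd5a343fed3d2947d2b98955be3b6eb8dd4752be1047537",
        "cd9d625e9fe6116f5f5e938ae9f693e10529df238b4e2bbd974f6d5c41f96aa8",
        "f085588cf016993e6298640bf797c1d31b61a8087a3240d517a53a5a58474987",
    },
}


def hash_file(path, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 in a single pass; return lowercase hex digests."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(block)
    return {algo: d.hexdigest() for algo, d in digests.items()}


def scan(root, iocs=LAMPION_IOCS):
    """Return (path, algorithm, digest) for every regular file matching an IOC."""
    wanted = {algo: {h.lower() for h in hashes} for algo, hashes in iocs.items()}
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue  # symlinks are skipped so a loop cannot hash the same target repeatedly
        try:
            digests = hash_file(path)
        except OSError as err:
            print(f"skip {path}: {err}", file=sys.stderr)  # locked or unreadable file
            continue
        for algo, digest in digests.items():
            if digest in wanted.get(algo, ()):
                hits.append((str(path), algo, digest))
    return hits


def demo():
    """Plant a constructed file, add its SHA-256 to the IOC set, and confirm scan() finds it.

    Returns (hits with the planted IOC, the planted digest, hits with the advisory IOCs only).
    """
    sample = b"constructed sample, not Lampion"
    planted = hashlib.sha256(sample).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "benign.txt").write_bytes(b"nothing to see here")
        (Path(tmp) / "nested").mkdir()
        (Path(tmp) / "nested" / "Proof of Payment.vbs").write_bytes(sample)
        iocs = {algo: set(vals) for algo, vals in LAMPION_IOCS.items()}
        iocs["sha256"].add(planted)
        return scan(tmp, iocs), planted, scan(tmp)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, algo, digest in scan(root):
        print(f"MATCH {algo} {digest} {path}")
```

Hash matching only catches the exact samples listed; because the DLL payloads are loaded in memory and the dropped scripts carry random names, pair this with the process-telemetry checks described earlier rather than relying on file hashes alone.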