Watch out for the fact that the WeTransfer connection might be a phishing scam


Be wary if you receive an email from an unknown sender that includes a "Proof of Payment" form delivered through WeTransfer. It is very probable that the attachment carries malware.

Threat groups are now distributing the Lampion malware this way, according to Cofense's cybersecurity experts.

Lampion is a known trojan capable of collecting sensitive information, such as banking information, passwords, and others. It does so by overlaying known login forms with its own, and then sending out the submitted data to its command and control servers.

Lampion distribution

The campaign works because WeTransfer is a legitimate file transfer service, which makes it extremely difficult for email security systems to label the link as malicious. Besides WeTransfer, these groups are also using Amazon Web Services (AWS), and here's how.

When a victim receives the email and downloads the file, they'll find a Visual Basic Script (VBS) inside. The script, if executed, connects to an AWS instance and grabs two DLL files, including one in a protected ZIP archive. These DLLs, when activated (which happens automatically, without any user interaction whatsoever), are loaded into memory and allow Lampion to operate.
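The chain above (ZIP from a legitimate file-transfer link, a VBS inside, the script host fetching DLLs from a cloud instance) gives a defender two places to look. The following is an added example, not code from the article or from Cofense: the first function reads the member table of a ZIP and flags script files hiding behind a "Proof of Payment" name, and the second correlates constructed endpoint telemetry so that a Windows script host that makes an outbound connection and then writes DLL files raises an alert. The archive contents, hostnames, pids and paths are all made up for this example.

```python
import io
import json
import zipfile

# Extensions that have no business inside a "Proof of Payment" archive.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".cmd", ".bat", ".ps1"}
# Windows script hosts that run a VBS file when the user double-clicks it.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def suspicious_archive_members(zip_bytes: bytes) -> list[str]:
    """Return the archive members whose extension marks them as script content.

    Only the member table is read, so this also works on archives whose file
    data is password protected: ZIP encrypts contents, not member names.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            lowered = info.filename.lower()
            ext = lowered[lowered.rfind("."):] if "." in lowered else ""
            if ext in SCRIPT_EXTENSIONS:
                hits.append(info.filename)
    return hits


def build_sample_archive() -> bytes:
    """Constructed sample: a ZIP with a script named to look like a PDF receipt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Proof of Payment.pdf.vbs", "' placeholder text, not a real script\r\n")
        zf.writestr("readme.txt", "see attached\r\n")
    return buf.getvalue()


# Constructed endpoint telemetry as JSON lines. Hostnames, pids and paths are
# invented for this example; 203.0.113.0/24 is a documentation address range.
SAMPLE_TELEMETRY = r"""
{"pid": 4321, "process": "wscript.exe", "type": "net", "dest": "ec2-203-0-113-10.compute-1.amazonaws.com:443"}
{"pid": 777, "process": "chrome.exe", "type": "net", "dest": "example.com:443"}
{"pid": 4321, "process": "wscript.exe", "type": "file", "path": "C:\\Users\\user\\AppData\\Local\\Temp\\payload1.dll"}
{"pid": 4321, "process": "wscript.exe", "type": "file", "path": "C:\\Users\\user\\AppData\\Local\\Temp\\payload2.dll"}
{"pid": 999, "process": "cscript.exe", "type": "file", "path": "C:\\Temp\\inventory.txt"}
{"pid": 777, "process": "chrome.exe", "type": "file", "path": "C:\\Users\\user\\Downloads\\report.dll"}
"""


def detect_script_host_chain(telemetry: str) -> list[dict]:
    """Correlate, per script-host process: an outbound connection, then DLL writes.

    A script host that first talks to the network and afterwards drops DLL
    files matches the download-and-load stage described in the article. A
    browser doing the same, or a script host writing a text file, does not
    alert, which keeps the rule quiet on ordinary admin scripts.
    """
    outbound = {}   # pid -> destinations contacted by a script host
    dropped = {}    # pid -> DLL paths written after at least one connection
    for line in telemetry.strip().splitlines():
        ev = json.loads(line)
        if ev["process"].lower() not in SCRIPT_HOSTS:
            continue
        if ev["type"] == "net":
            outbound.setdefault(ev["pid"], []).append(ev["dest"])
        elif ev["type"] == "file" and ev["path"].lower().endswith(".dll"):
            if ev["pid"] in outbound:
                dropped.setdefault(ev["pid"], []).append(ev["path"])
    return [{"pid": pid, "destinations": outbound[pid], "dlls": paths}
            for pid, paths in dropped.items()]


if __name__ == "__main__":
    print("archive hits:", suspicious_archive_members(build_sample_archive()))
    for alert in detect_script_host_chain(SAMPLE_TELEMETRY):
        print("alert:", alert)
```

The archive check belongs at the mail gateway or download proxy, where the WeTransfer link resolves to a file; the telemetry rule belongs in the EDR or SIEM, and its order dependence (connection before DLL write, same pid) is what separates this download-and-load pattern from a script host that merely touches a DLL.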

Lampion, a known trojan, has been in use since 2019. It started as a malware program targeting the Spanish-speaking community and has since gone international. This year, researchers said its distribution improved, with some identifying a hostname connection to Bazaar and LockBit.

Although email protection tools have improved over the years, threat actors can leverage a number of free cloud tools, such as hosting providers, calendar organizers, and others, to avoid security measures and distribute malicious code to endpoints around the world.