A “Proof of Payment” document from WeTransfer that arrives in an email from an unknown sender should raise red flags: it is very likely malicious. Security researchers report that threat actors are increasingly using this approach to distribute the Lampion malware.
What Is Lampion?
Lampion is a well-known banking trojan that steals personal information such as passwords and financial details. It does this by overlaying fake login forms on top of genuine ones and sending whatever the victim types to the attackers’ command-and-control (C2) servers.
The use of WeTransfer makes this campaign more dangerous than others of its kind. Because WeTransfer is a legitimate file-sharing platform, email filters have a hard time flagging links to it as malicious. And the criminals are not abusing just this one legitimate service: they also host their payloads on Amazon Web Services (AWS). Here is a quick look at how the infection chain works.
The attachment is a ZIP archive containing a Visual Basic Script (VBScript, .vbs) file, which reaches the victim if they choose to open the file attached to the email. If the victim runs the script, it connects to an Amazon Web Services (AWS) instance and downloads two DLL files, each packaged in a password-protected ZIP archive (a common way to keep security scanners from inspecting the contents in transit). Lampion then loads the DLLs into memory automatically, with no further user interaction required.
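One practical response to the chain above is to triage the attachment offline before it ever reaches a user. The following Python script is an added example, not code from the original article or from any vendor: it walks a ZIP held in memory, flags script files that Windows would run on double-click (the .vbs lure described above), flags entries whose “encrypted” header flag is set (the password-protected archives the DLL stages arrive in) and reports nested archives. The extension list, the file names and the sample archives are constructed for the example; the encrypted fixture is produced by patching the ZIP header flag bit, because Python’s zipfile module cannot write encrypted archives.

```python
import io
import os
import zipfile

# Extensions Windows executes on double-click. The campaign uses .vbs; the
# rest are assumed companions a triage rule would normally include.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd", ".ps1"}
ENCRYPTED_FLAG = 0x1   # general-purpose bit 0 in the ZIP entry header
MAX_DEPTH = 3          # stop recursing into archives nested deeper than this


def triage_zip(data: bytes, prefix: str = "", depth: int = 0) -> list:
    """Inspect a ZIP held in memory and return a list of human-readable findings.

    Nested archives are opened in memory, never extracted to disk. Entries
    carrying the encrypted flag are reported and not opened: without the
    password their contents cannot be scanned, which is exactly why the
    campaign wraps its DLL stages that way.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{prefix or '<root>'}: not a valid ZIP"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            full = f"{prefix}/{info.filename}" if prefix else info.filename
            ext = os.path.splitext(info.filename)[1].lower()
            if info.flag_bits & ENCRYPTED_FLAG:
                findings.append(f"{full}: password-protected entry, cannot be scanned")
                continue
            if ext in SCRIPT_EXTS:
                findings.append(f"{full}: script payload ({ext})")
            content = zf.read(info)
            # Identify nested archives by magic bytes, not by extension.
            if content.startswith(b"PK\x03\x04"):
                findings.append(f"{full}: nested archive")
                if depth < MAX_DEPTH:
                    findings.extend(triage_zip(content, full, depth + 1))
    return findings


def should_quarantine(findings: list) -> bool:
    """Policy: a script payload or an unscannable entry is enough to hold the mail."""
    return any("script payload" in f or "password-protected" in f for f in findings)


def _mark_encrypted(zip_bytes: bytes, name: str) -> bytes:
    """Fixture helper: set the encrypted flag on one entry's local and
    central-directory headers. Only the flag bit is touched, so listing the
    archive still works while reading the entry would demand a password."""
    data = bytearray(zip_bytes)
    # (signature, flag offset, name-length offset, name offset) per header type
    for sig, flag_off, len_off, name_off in ((b"PK\x03\x04", 6, 26, 30),
                                             (b"PK\x01\x02", 8, 28, 46)):
        pos = data.find(sig)
        while pos != -1:
            nlen = int.from_bytes(data[pos + len_off:pos + len_off + 2], "little")
            if data[pos + name_off:pos + name_off + nlen] == name.encode():
                data[pos + flag_off] |= ENCRYPTED_FLAG
            pos = data.find(sig, pos + 4)
    return bytes(data)


def _zip_of(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, payload in entries.items():
            z.writestr(name, payload)
    return buf.getvalue()


def build_fixtures() -> dict:
    """Constructed sample attachments (not real campaign files)."""
    benign = _zip_of({"invoice.pdf": b"%PDF-1.4 harmless invoice"})
    lure = _zip_of({"Proof of Payment.vbs": b'Set sh = CreateObject("WScript.Shell")'})
    # Stand-in for a password-protected stage archive holding a DLL.
    stage = _mark_encrypted(_zip_of({"stage.dll": b"MZ not a real DLL"}), "stage.dll")
    staged = _zip_of({"Proof of Payment.vbs": b"' lure", "P-0001.zip": stage})
    return {"benign": benign, "lure": lure, "staged": staged}


if __name__ == "__main__":
    for label, blob in build_fixtures().items():
        found = triage_zip(blob)
        print(f"{label}: quarantine={should_quarantine(found)}")
        for line in found:
            print("   ", line)
```

The same function can be pointed at archives a sandbox or proxy fetches from the WeTransfer or AWS URLs, where the password-protected DLL stages would trip the encrypted-entry check; a mail gateway that only rejects known-bad hashes learns nothing from an archive it cannot open, which is the gap this campaign exploits.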
The Lampion trojan has been active since 2019. It started out targeting Spanish-speaking users but has since spread around the world. Researchers have noted a rise in its distribution this year, with some linking the hostnames it uses to Bazaar and LockBit operations.
Despite improvements in email security software, email remains a popular vector for the spread of malicious code such as viruses, trojans, and ransomware. Today’s threat actors can sidestep security measures and push malicious code to endpoints around the world by abusing a variety of free or legitimate cloud tools, such as hosting providers, calendar organisers, and similar services.