Lampion Trojan Utilizes New Delivery through Cloud-Based Sharing
By Andy Mann and Dylan Main, Cofense Phishing Defense Center
Analysts at the Cofense Phishing Defense Center (PDC) recently analyzed an email asking users to download a “Proof of Payment” along with other documents. Recipients should never click the link(s) or download the attachment(s) of any suspicious email; in this case, a recipient who interacted with the link would have downloaded the Lampion malware.
The Lampion banking trojan has been around since 2019, but this is the first time it has been analyzed by the PDC. While it has not yet been determined who exactly is behind the malware, it is known for using a VBS loader. Fortunately, PDC analysts have spotted threat actors using a new form of delivery for that very VBS file. Using WeTransfer, a trusted cloud platform used for payments, threat actors attempt to gain users’ trust while taking advantage of the service this popular site provides. Given that they are leveraging a trusted payment site, it is not surprising to see threat actors align their email message with that process. A well-conditioned user quickly reported this email, which mitigated the threat of a malware infection.
English translation: Good afternoon, I send proof of payment and documents on the link: hXXps://we[.]tl/t-pNvQIG8UJS I subscribe with high esteem and best regards
In Figure 1, the threat actor used a very simple email message to engage the recipient. The strongest tactic taken is spoofing a legitimate company, which could potentially be the result of compromised credentials. The email tells the recipient that a proof of payment and other documents have been sent and are accessible at the URL hXXps://we[.]tl/t-pNvQIG8UJS. When the recipient interacts with the URL, they are directed to a page where they can download a ZIP file containing the documents referenced in the email.
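As an added example that is not part of the original Cofense post, the following triage helper flags message bodies that pair a WeTransfer transfer link (we.tl or wetransfer.com) with the payment-document lure described above, and defangs URLs in the same hXXps://host[.]tld style the post uses for reporting. The sample email body is constructed from the translation quoted above; the host list and lure phrases are assumptions drawn only from this campaign.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hosts WeTransfer serves transfer links from (we.tl is its short-link domain); assumption.
WETRANSFER_HOSTS = ("we.tl", "wetransfer.com")
# Lure phrases taken from the translated message body in the post; assumption.
LURE_PHRASES = ("proof of payment", "documents on the link")

# Matches live URLs and defanged ones (hxxp/hXXp) so reported samples can be triaged too.
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s<>\"']+", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn a defanged indicator such as hXXps://we[.]tl/... back into a parseable URL."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def defang(url: str) -> str:
    """Defang only scheme and host for safe inclusion in a report (path left intact)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower().replace("http", "hXXp")
    host = (parts.hostname or "").replace(".", "[.]")
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{host}{parts.path}{query}"


@dataclass
class Finding:
    wetransfer_links: list
    lure_hits: list

    def suspicious(self) -> bool:
        # Both signals together: a file-sharing link AND a payment-document pretext.
        return bool(self.wetransfer_links) and bool(self.lure_hits)


def triage_email_body(body: str) -> Finding:
    """Extract WeTransfer links and lure phrases from a message body."""
    links = []
    for match in URL_RE.finditer(body):
        url = refang(match.group(0))
        host = (urlsplit(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in WETRANSFER_HOSTS):
            links.append(url)
    lowered = body.lower()
    hits = [phrase for phrase in LURE_PHRASES if phrase in lowered]
    return Finding(links, hits)


# Constructed sample body, mirroring the translated lure quoted in the post.
SAMPLE_BODY = ("Good afternoon, I send proof of payment and documents on the link: "
               "hXXps://we[.]tl/t-pNvQIG8UJS I subscribe with high esteem and best regards")

if __name__ == "__main__":
    finding = triage_email_body(SAMPLE_BODY)
    print("suspicious:", finding.suspicious(), [defang(u) for u in finding.wetransfer_links])
```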
While email security continues to evolve to protect the organization, threat actors are constantly looking for opportunities to land in the inbox. This is why it is critical to provide your users with simulations aligned with the latest threats. Customers of the Cofense PDC can ease or confirm their suspicions by reporting suspicious emails to the PDC where an analyst will analyze the email for emerging threats. Contact us to learn more.
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.