Lampion Trojan Delivered with Cloud-Based Sharing | Cofense

Lampion is a banking Trojan. In the campaign analyzed here it is delivered by a phishing email whose link points to a cloud-sharing service (WeTransfer) hosting a ZIP file. The ZIP contains a VBScript loader that runs under WScript, drops further scripts, fetches DLL payloads (one of them inside a password-protected ZIP whose password is hardcoded in the script), and injects the DLLs into memory to steal banking data. The lure gains trust by spoofing a legitimate company. #LampionTrojan #WeTransfer #VBScript #WScript

Keypoints

  • The Lampion banking Trojan is delivered via a phishing email that asks recipients to download a “Proof of Payment” and related documents from a link.
  • The email spoofs a legitimate company to build trust and lure the user into clicking the link.
  • The link leads to a ZIP file containing VBS-based loaders; a VBScript (Comprovativo de pagamento de fatura_517-TEG_22-08-2022 20-09-24_28.vbs) launches a wscript process that drops additional scripts.
  • Two additional VBS files are written to AppData\Local\Temp and AppData\Roaming; the larger one (xjfgxhakusp.vbs) drives the final stage.
  • The final stage contacts two payload URLs to download DLLs, one of them a password-protected ZIP whose password is hardcoded in the script, so the archive can be opened without user interaction.
  • The DLLs are injected into memory, after which Lampion operates as a banking Trojan and harvests credentials.
  • Indicators of Compromise include specific URLs and IPs tied to the attack infrastructure (WeTransfer links and Amazon S3 hosts).
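The delivery chain above (wscript.exe running a .vbs from a user-writable location, a second wscript.exe spawned by the first from AppData, and that second process fetching payloads from S3) is what an endpoint detection would key on. The following is an added example and not code from the Cofense report: hunting logic run over constructed, Sysmon-like process-creation and network-connection records. The simplified field names and the internal DNS suffix `.corp.local` are assumptions; the script names and the S3 host come from the page.

```python
"""Hunting logic for a Lampion-style VBS loader chain (added example).

The events below are constructed and use simplified field names, not the real
Sysmon schema. id 1 = process creation, id 3 = network connection.
"""
import re
from collections import defaultdict

# First .vbs argument on a command line, quoted (may contain spaces) or bare.
VBS_ARG = re.compile(r'"([^"]+?\.vbs)"|(\S+\.vbs)', re.IGNORECASE)

# User-writable locations: the two staging dirs the page names, plus Downloads,
# where a ZIP fetched from a WeTransfer link would typically be extracted.
STAGING_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\")
INTERNAL_SUFFIXES = (".corp.local",)  # assumption: the org's internal DNS suffix


def script_path(cmdline):
    """Return the first .vbs path on a wscript command line, or None."""
    m = VBS_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def in_user_staging(path):
    p = path.lower()
    return p.startswith("c:\\users\\") and any(d in p for d in STAGING_DIRS)


def is_wscript(image):
    return image.lower().endswith("\\wscript.exe")


def detect(events):
    """Map pid -> reasons for every wscript.exe process matching the chain."""
    reasons = defaultdict(list)
    for ev in events:
        if not is_wscript(ev["image"]):
            continue
        pid = ev["pid"]
        if ev["id"] == 1:
            path = script_path(ev["cmdline"])
            if path and in_user_staging(path):
                reasons[pid].append(f"vbs run from user staging dir: {path}")
            if is_wscript(ev.get("parent", "")):
                reasons[pid].append("wscript.exe spawned by wscript.exe (dropper -> second stage)")
        elif ev["id"] == 3:
            host = ev["dest_host"].lower()
            if not host.endswith(INTERNAL_SUFFIXES):
                note = f"wscript.exe connected to external host {host}"
                if host.endswith(".amazonaws.com"):
                    note += " (S3, as used for payload hosting in this campaign)"
                reasons[pid].append(note)
    return dict(reasons)


def flagged(events):
    """Set of pids that have at least one detection reason."""
    return set(detect(events))


# Constructed sample telemetry: the loader chain plus one benign logon script.
EVENTS = [
    {"id": 1, "pid": 4100, "ppid": 3300, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\ana\Downloads\Comprovativo de pagamento de fatura_517-TEG_22-08-2022 20-09-24_28.vbs"'},
    {"id": 1, "pid": 4188, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\ana\AppData\Roaming\xjfgxhakusp.vbs"'},
    {"id": 3, "pid": 4188, "image": r"C:\Windows\System32\wscript.exe",
     "dest_host": "aculpaedopt.s3.us-east-2.amazonaws.com", "dest_port": 443},
    # Benign: a domain logon script run from the NETLOGON share.
    {"id": 1, "pid": 5001, "ppid": 900, "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\userinit.exe",
     "cmdline": r'wscript.exe \\corp\netlogon\map_drives.vbs'},
    {"id": 3, "pid": 5001, "image": r"C:\Windows\System32\wscript.exe",
     "dest_host": "fileserver.corp.local", "dest_port": 445},
]

if __name__ == "__main__":
    for pid, why in sorted(detect(EVENTS).items()):
        print(pid)
        for w in why:
            print("  -", w)
```

Run stand-alone it reports pids 4100 and 4188 and stays silent on the logon script: a .vbs from a UNC share, launched by userinit.exe and talking only to an internal file server, matches none of the three conditions. The second-stage process (4188) accumulates all three reasons, which is the signal worth paging on; a single hit on the Downloads rule alone is hunting-grade, not alert-grade.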

MITRE Techniques

  • [T1566.002] Phishing – Spearphishing Link – The email body entices recipients to click a link and download a ZIP. Quote: “…English translation: Good afternoon, I send proof of payment and documents on the link: hXXps://we[.]tl/t-pNvQIG8UJS I subscribe with high esteem and best regards”
  • [T1036] Masquerading – Spoofing a legitimate company to gain trust and increase likelihood of interaction. Quote: “The strongest tactic taken would be spoofing a legitimate company”
  • [T1059.005] Command and Scripting Interpreter: Visual Basic – VBScript loader used to initiate the malicious process via WScript. Quote: “The VBS file, Comprovativo de pagamento de fatura_517-TEG_22-08-2022 20-09-24_28.vbs, is the file of concern as this launches the script, to lead the malicious process.”
  • [T1105] Ingress Tool Transfer – The loader reaches out to remote payload URLs to download the final DLLs. Quote: “The bottom URL will download a password-protected ZIP that holds the DLL”
  • [T1564.001] Hide Artifacts: Hidden Files and Directories – Password-protected ZIP used to conceal payload contents from content inspection until extraction (a password-protected archive is more conventionally mapped to T1027 Obfuscated Files or Information). Quote: “password-protected ZIP that holds the DLL, but the password is hardcoded into the malicious process itself.”
  • [T1055.001] Process Injection: Dynamic-link Library Injection – DLLs are injected into memory after download. Quote: “The DLLs are then finally injected into the memory.”

Indicators of Compromise

  • [URL] Delivery link – hXXps://we[.]tl/t-pNvQIG8UJS, context: phishing link in the email body, redirects to the WeTransfer download
  • [URL] WeTransfer download – hXXps://wetransfer[.]com/downloads/d8c6430f0c15ee79cb72ea2083f4a07420220830135534/b872b1, context: serves the ZIP containing the VBS loader (first stage)
  • [URL] Amazon S3 host 1 – hXXps://aculpaedopt[.]s3[.]us-east-2[.]amazonaws[.]com/soprateste.zip?=ttvuawzgbpiqawlaarfnlxatyebabbwpriceiqupxmmzuix, context: final-stage payload URL contacted by the second-stage VBS
  • [URL] Amazon S3 host 2 – hXXps://aculpaedopt[.]s3[.]us-east-2[.]amazonaws[.]com/oftvwaiyg?=wiyjxpnveuzmgakjpgcjitnjwxaizzzbzmibklzkokxitcgpmso, context: final-stage payload URL contacted by the second-stage VBS
  • [IP] 13.249.39.48 – context: delivery-server address; Amazon address space shared with other tenants, so low fidelity on its own
  • [IP] 108.128.47.24 – context: delivery-server address; Amazon address space shared with other tenants, so low fidelity on its own
  • [IP] 52.219.104.24 – context: delivery-server address; Amazon address space shared with other tenants, so low fidelity on its own
  • [IP] 52.219.177.178 – context: delivery-server address; Amazon address space shared with other tenants, so low fidelity on its own
  • [Domain] we.tl – context: WeTransfer short-link domain used in the phishing CTA; legitimate, block only the full URL
  • [Domain] wetransfer.com – context: legitimate sharing service abused to host the first-stage ZIP; block only the full URL

Read more: https://cofense.com/blog/lampion-trojan-utilizes-new-delivery-through-cloud-based-sharing