New WeTransfer phishing attacks involve reemerging Lampion malware

Threat actors have launched a new phishing campaign exploiting the file-sharing service WeTransfer to facilitate the distribution of the Lampion malware, according to BleepingComputer. Cofense researchers discovered that the new campaign involves phishing email recipients being urged to download a WeTransfer "Proof of Payment" document, which is actually a ZIP archive with a Visual Basic Script file necessary for the commencement of the attack. Four scripts were discovered to be created by the WScript process initiated by the VBS file, with the first and second being empty and having little functionality, respectively, while the third script only triggers the fourth, noted researchers. The report also showed that a new WScript process is launched by the fourth script, with the new process facilitating the retrieval of two DLL files from password-protected ZIPs. Lampion malware will then be stealthily executed to commence exfiltration of data and targeting of bank accounts, the report added.