Threat Actors Exploit WeTransfer to Spread Lampion Malware


In a new phishing campaign uncovered by Cofense researchers, the Lampion malware is being distributed at scale, with the attackers abusing WeTransfer as part of the campaign.

WeTransfer is a legitimate online file transfer service that can be used free of charge, which makes it a no-cost way to get past email security software that may not flag links to a well-known file-sharing service.

The malware operators are sending phishing emails from compromised company accounts, asking customers to download a "Proof of Payment" document from WeTransfer.

The file sent to the targets is a ZIP archive containing a VBS (Visual Basic Script) file that the user must open for the attack to begin. When the file is opened, the script launches a WScript process that creates four VBS files with random names. The first is empty, the second has limited functionality, and the third exists only to launch the fourth script.

According to Cofense researchers, the purpose of this extra step is unclear, but modular execution chains are typically preferred for their versatility, since individual components can be swapped out easily. The fourth script starts a new WScript process that connects to two hardcoded URLs to retrieve two DLL files concealed inside password-protected ZIPs. The malicious links lead to Amazon AWS instances.

The ZIP password is embedded in the script, so the archives are extracted without any user interaction. The contained DLL payloads are loaded into memory, allowing Lampion to execute stealthily on the compromised system.
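The chain described above has a behavioural shape a defender can look for without knowing any of the file names or URLs: a script host that writes several script files and then launches another script host. The following Python is an added example, not code from the article or from Cofense. It runs over constructed process-creation and file-creation events whose field names (type, pid, ppid, image, cmdline, path) are assumptions to be mapped onto your own EDR or Sysmon telemetry, and it generalises slightly beyond the article by treating cscript.exe and the other Windows Script Host extensions (.vbe, .js, .jse, .wsf) as script activity as well.

```python
"""Flag a WScript drop-and-relaunch chain in endpoint telemetry.

Added example: a script host (wscript.exe / cscript.exe) that writes two or more
script files and then spawns another script host is reported as a finding.
"""
import os
from collections import defaultdict

# Constructed sample telemetry (not from the Cofense report). Field names are
# assumptions; map your EDR / Sysmon event fields onto them.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 10, "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    # User opens the script extracted from the lure ZIP.
    {"type": "process", "pid": 200, "ppid": 100, "image": "wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\Proof of Payment\document.vbs"'},
    # The running script drops four randomly named VBS files...
    {"type": "file", "pid": 200, "path": r"C:\Users\u\AppData\Local\Temp\qz81ka.vbs"},
    {"type": "file", "pid": 200, "path": r"C:\Users\u\AppData\Local\Temp\mm02xe.vbs"},
    {"type": "file", "pid": 200, "path": r"C:\Users\u\AppData\Local\Temp\p7lsd1.vbs"},
    {"type": "file", "pid": 200, "path": r"C:\Users\u\AppData\Local\Temp\hh3b9c.vbs"},
    # ...and launches one of them in a fresh WScript process.
    {"type": "process", "pid": 300, "ppid": 200, "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\hh3b9c.vbs"},
    # Benign control: a domain logon script that drops nothing and spawns nothing.
    {"type": "process", "pid": 400, "ppid": 100, "image": "wscript.exe",
     "cmdline": r"wscript.exe \\corp.example\netlogon\logon.vbs"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Generalised beyond the .vbs in the article to the other WSH script types.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}


def _is_script_path(path):
    """True if the written file has a Windows Script Host extension."""
    return os.path.splitext(path.lower())[1] in SCRIPT_EXTS


def detect_script_chains(events, min_drops=2):
    """Return one finding per script-host process that both wrote at least
    `min_drops` script files and launched another script host.

    `min_drops` is a tuning assumption; the article describes four drops.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    drops = defaultdict(list)      # pid  -> script files that process wrote
    children = defaultdict(list)   # ppid -> child script-host pids

    for e in events:
        if e["type"] == "file" and _is_script_path(e["path"]):
            drops[e["pid"]].append(e["path"])
        elif e["type"] == "process" and e["image"].lower() in SCRIPT_HOSTS:
            children[e["ppid"]].append(e["pid"])

    findings = []
    for pid, proc in procs.items():
        if proc["image"].lower() not in SCRIPT_HOSTS:
            continue
        spawned = [c for c in children[pid] if c in procs]
        if len(drops[pid]) >= min_drops and spawned:
            findings.append({
                "pid": pid,
                "cmdline": proc["cmdline"],
                "dropped_scripts": drops[pid],
                "child_script_hosts": spawned,
            })
    return findings


if __name__ == "__main__":
    for f in detect_script_chains(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: dropped {len(f['dropped_scripts'])} script file(s), "
              f"launched {len(f['child_script_hosts'])} child script host(s)")
        print(f"  {f['cmdline']}")
```

Run against the sample, only the process that opened the lure (pid 200) is reported; the logon script is a script host too, but it neither writes script files nor spawns a child, so it passes. Both thresholds are deliberately structural rather than name-based, so renaming the dropped files or moving the download URLs does not affect the logic.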

Once running, the malware begins harvesting data from the computer, targeting bank accounts and overlaying its own login forms on legitimate login pages. Credentials that users enter into these bogus forms are captured and sent to the attacker.

The Lampion trojan has been active since at least 2019, primarily targeting Spanish-speaking users and using compromised servers to deploy its malicious ZIPs.

Last year, the malware was observed abusing cloud services, including Google Drive and pCloud, to host its payloads for the first time. More recently, in March 2022, Cyware reported an increase in the trojan's distribution, identifying a hostname link to Bazaar and LockBit operations.

Prevention Tips 

Researchers advised users to apply the following mitigations to defend against malware attacks:
  • Update software frequently, including operating systems, applications, and firmware
  • Install OS patches as soon as they are available
  • Enforce MFA to the greatest extent possible
  • If you use RDP and/or other potentially risky services, secure and monitor them closely
  • Employ cryptographic vaults for data safety

Cyber Attack: Computer Systems of Lakehead University Remain Offline


Lakehead University (LU), based in Ontario, Canada, is currently dealing with a cyber-attack that hit the institution on Tuesday; consequently, its computer systems remain offline. Soon after the attack, the university shut down computers at its Thunder Bay and Orillia campuses as a precautionary measure.

In an update on the investigation, Lakehead stated that the attack was directed at the university's file share servers. Technology Services Centre staff responded quickly and removed all access to the services directly linked to those servers.

However, the notice the university sent to students and staff does not explain how the threat actors gained access to the university's information systems: “Lakehead University’s Technology Services Centre (TSC) team is currently managing a cyber attack that is affecting our campuses’ server. In order to protect our systems and data as much as possible, TSC has removed all access to our servers which affects both our campuses.”

University staff are working to determine specifically which servers and data were affected by the attack, and the university has engaged security experts to identify the source of the intrusion and help resolve the issue. Later, on Thursday, Lakehead released another update stating that it had postponed two virtual campus tours because of the attack. The attack has also disrupted the academic year, and the university is reviewing key dates.

The statement released by the university reads, “As course requirements and deadlines differ across programs, individual students may be impacted in multiple and varying ways. Faculties are currently reviewing the situation and students will be updated by program or individual instructors about how concerns relating to assignments, exams, and similar issues will be addressed.”