Newly Discovered Lampion Trojan Found Targeting Portuguese Users

• The trojan is distributed via phishing emails that appear to come from the Portuguese Government Finance & Tax.
• The email reports issues related to debt for the year 2018.

Security researchers have uncovered a new trojan named Lampion. The trojan is distributed via phishing emails and targets Portuguese users.

How does it spread?

As reported by Segurance Informatica-Lab (SI-Lab), the phishing email used to distribute the trojan appears to come from the Portuguese Government Finance & Tax. The email reports issues related to debt for the year 2018.

It asks the recipients to click on a link within the email to avoid being misled by criminals. When the unsuspected victim clicks on the link available on the email body, the malware gets downloaded from the online server.

The downloaded file is a compressed Zip file called ‘FacturaNovembro-4492154-2019-10_8.zip.’ When it is unpacked by the user, they will see three files - a PDF, VBS, and a text file.

What is the file about?

• The file ‘FacturaNovembro-4492154-2019-10_8.zip’ is the first stage of the Lampion’s infection chain. This is a VBScript file that acts as a dropper and downloader.
• The dropper downloads the next stage from the compromised server available on the internet on an AWS S3 bucket.
• Once the VBScript file is executed, two files - P-19-2.dll and 0.zip - are downloaded. The P-19-2.dll file is a PE file that is executed during a VBScript execution when the affected computer starts. This P-19-2.dll file is actually the Lampion trojan.
• This DLL contains a name in the Chinese language with a targeted message for Portuguese users.

What is Lampion?

• Lampion looks like an improvised form of the Trojan-Banker.Win32.ChePro family.
• It is developed in Delphi.
• It includes anti-debug and anti-VM techniques to make it difficult to both on a sandbox environment or manually.

Some of the features that are part of the captured Lampion samples include the following actions:

• Remote Connection Startup
• Network Resources Retrieval
• Network Resources Manipulations and Redirect
• Folder Path Retrieval
• Messages Communications
• Communications Parameters Changes
• Custom Functions
• Dialog Box Spawning
• Code Logic Storage

Lampion trojan is involved in capturing data belonging to both the users and infected systems. The collected information includes system information pages, installed software, web browser history, clipboard, details of the file system, etc.

The trojan also allows hackers to access and manipulate the infected machines via a specially designed web interface.