New Lampion Trojan Found Attacking Portuguese Users
How does it attack?
- The Segurance Informatica-Lab (SI-Lab) reports that the phishing email that distributes the Trojan impersonates government emails, this time from the Portuguese Government Finance & Tax authority.
- The email tells users that they have an outstanding debt from the year 2018.
- It then asks the user to click on a link to clear the issue and avoid being scammed.
- As soon as the victim clicks on the link in the body of the email, the Trojan is downloaded onto the system from a remote server.
- The downloaded file is a compressed archive called FacturaNovembro-4492154-2019-10_8.zip. When the user unzips it, they will see three files – a PDF, a VBS script, and a text file.
The file-
- This file, FacturaNovembro-4492154-2019-10_8.zip, is only the first stage of the Trojan's infection chain. It acts as both a dropper and a downloader.
- The dropper then downloads the next set of files from the remote server. When it is executed, it fetches two more files – P-19-2.dll and 0.zip. P-19-2.dll is the actual Lampion Trojan.
- The DLL file contains a name in Chinese and a message for the victim.
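The first stage described above, an emailed archive holding a script next to decoy documents, is easy to catch at the mail gateway. The following triage script is an added example, not code from the original report or from SI-Lab: it lists the members of a ZIP attachment and quarantines any archive that carries a script or executable alongside decoy documents. The archive it builds is a constructed sample whose file names and contents are placeholders, not the real dropper, and the extension list is an assumption a practitioner would tune to their own environment.

```python
import io
import os
import zipfile

# Extensions that, inside an emailed "invoice" archive, warrant quarantine and
# analyst review before any user opens the file (constructed list; tune locally).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
                     ".bat", ".cmd", ".ps1", ".exe", ".scr"}

# Decoy document types commonly shipped next to the script to look legitimate.
DECOY_EXTENSIONS = {".pdf", ".txt", ".doc", ".docx"}


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the layout in the report: a PDF, a VBS and a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Factura.pdf", b"%PDF-1.4\n% placeholder decoy document\n")
        zf.writestr("Factura.vbs", "' placeholder script body, not the real dropper\n")
        zf.writestr("leia-me.txt", "placeholder note\n")
    return buf.getvalue()


def triage_archive(data: bytes) -> dict:
    """Classify a ZIP attachment by the file types it contains.

    Returns a dict with the member list, the members flagged as scripts, the
    members that look like decoy documents, and a verdict of 'allow',
    'quarantine' (script present) or 'malformed' (not a readable ZIP).
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [info.filename for info in zf.infolist() if not info.is_dir()]
    except zipfile.BadZipFile:
        # A corrupt or non-ZIP payload is suspicious in its own right; do not let it through.
        return {"members": [], "scripts": [], "decoys": [], "verdict": "malformed"}

    # splitext keeps only the final extension, so "Factura.pdf.vbs" is still caught as .vbs.
    scripts = [n for n in names if os.path.splitext(n.lower())[1] in SCRIPT_EXTENSIONS]
    decoys = [n for n in names if os.path.splitext(n.lower())[1] in DECOY_EXTENSIONS]
    verdict = "quarantine" if scripts else "allow"
    return {"members": names, "scripts": scripts, "decoys": decoys, "verdict": verdict}


if __name__ == "__main__":
    result = triage_archive(build_sample_archive())
    print(result["verdict"], result["scripts"], result["decoys"])
```

The decoy list is reported rather than used in the verdict: a script file is enough to quarantine on its own, while the presence of matching decoys is useful context for the analyst reviewing the quarantined message.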
The Lampion Trojan-
The Lampion Trojan is an improved variant of the Trojan-Banker.Win32Chierro family, developed in Delphi. It uses both anti-debug and anti-VM techniques, which make its removal quite difficult, whether in a sandbox environment or manually. Security researchers examined the captured samples of the Trojan and found that it can perform the following actions: Remote Connection; Startup Network; Resources Retrieval; Network Resources Manipulations and Redirect Folder Path; Retrieval Messages Communications; Communications Parameters Changes; Custom Functions; Dialog Box; Spawning Code and Logic Storage.
Cyware Social reports that “Lampion trojan is involved in capturing data belonging to both the users and infected systems. The collected information includes system information pages, installed software, web browser history, clipboard, details of the file system, etc.”
It also gives the attackers remote access to perform actions on the infected machine through a web interface.