Lampion Trojan Evolves With Improvements in the VBS Downloader

The Lampion trojan has been observed spreading via phishing and spear-phishing attack waves in the past few years. A recent attack wave has been observed targeting several Portuguese and Brazilian banking organizations and also some cryptocurrency platforms since June.

Lampion Trojan banker evolution

Security researcher Pedro Tavares analyzed an email associated with the new phishing campaign and recognized fresh improvements in the way the malware loader (the initial VBS file)operates.
  • The campaign used a fake template from SAPO Transfer with the message inside the email referring to any missing payment or invoice and distributed a PDF file inside a ZIP file, with a VBS downloader inside.
  • The VBS file, when executed, serves as a downloader for the infection chain. Once executed, it downloads additional files from online Clouds, such as AWS, Microsoft, SAPO, and Google Cloud. Then it finally executes the infection process.
  • The noticeable changes in the latest version include - changes in the VBS downloader (now the DLL injection executes the 1st stage), improvements in anti-VM techniques, and changes in the C2 server (geolocated in Russia) communication process.

Lampion history

Lampion malware has been identified as the most protrusive malware targeting Portuguese organizations since December 2019. Since the first appearance until now, it has become highly obfuscated and dangerous.
  • In May, Lampion Trojan added a new obfuscation layer and a new C2. It impersonated an invoice from a Bank transaction, an invoice from Vodafone Group, and in another scenario, emergency funds provided by the Portuguese Government to fight the COVID-19.
  • In February, Lampion v2 was found using phishing lures related to the Portuguese Government Finance & Tax (ATA) department, Energias de Portugal (EDP), and the DPD firm.