There’s a new Trojan in town: the Lampion Trojan. According to security researchers, this malware is distributed via phishing emails that target Portuguese users and appear to come from the Portuguese Government Finance & Tax authority.
How does it attack?
- The Segurança Informática Lab (SI-LAB) reports that the phishing email distributing the Trojan impersonates government mail, in this case from the Portuguese Government Finance & Tax authority.
- The email informs users about a debt from the year 2018.
- It then asks the user to click on a link to clear the issue and avoid being scammed.
- As soon as the victim clicks the link in the body of the email, the Trojan is downloaded onto the system from an online server.
- The downloaded file is a compressed archive called FacturaNovembro-4492154-2019-10_8.zip. When the user unzips it, they see three files: a PDF, a VBS script, and a text file.
- This archive, FacturaNovembro-4492154-2019-10_8.zip, is only the first phase of the Trojan's infection chain. It acts as a dropper and a downloader.
- When executed, the dropper downloads the next set of files from the online server: P-19-2.dll and 0.zip. P-19-2.dll is the actual Lampion Trojan.
- The DLL file contains a name in Chinese and a message for the victim.
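As an added example (not code from the article or from SI-LAB), a small Python triage routine that flags the attachment layout described above, a script member packed next to decoy documents, by reading only the ZIP's directory and without extracting or running anything; the member names and contents are constructed placeholders.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Script members that have no business inside an "invoice" archive.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".exe"}
# Decoy documents packed next to the script to make the archive look legitimate.
DECOY_EXTS = {".pdf", ".txt", ".doc", ".docx", ".xls", ".xlsx"}

@dataclass
class ZipVerdict:
    suspicious: bool = False
    scripts: list = field(default_factory=list)
    decoys: list = field(default_factory=list)

def member_ext(name: str) -> str:
    """Final extension of a member, so 'Factura.pdf.vbs' -> '.vbs'."""
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""

def triage_zip(data: bytes) -> ZipVerdict:
    """Classify a ZIP attachment by reading only its central directory.
    Flags the layout described above: a script (.vbs) shipped next to
    decoy documents (PDF, TXT). Nothing is extracted or executed."""
    verdict = ZipVerdict()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = member_ext(info.filename)
            if ext in SCRIPT_EXTS:
                verdict.scripts.append(info.filename)
            elif ext in DECOY_EXTS:
                verdict.decoys.append(info.filename)
    verdict.suspicious = bool(verdict.scripts)
    return verdict

def build_sample_zip(include_script: bool = True) -> bytes:
    """Constructed sample with the PDF / VBS / TXT layout; names are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FacturaNovembro.pdf", b"%PDF-1.4 placeholder decoy")
        if include_script:
            zf.writestr("FacturaNovembro.vbs", b"' inert placeholder, not the dropper")
        zf.writestr("leia-me.txt", b"placeholder note")
    return buf.getvalue()

if __name__ == "__main__":
    v = triage_zip(build_sample_zip())
    print("suspicious" if v.suspicious else "clean", v.scripts, v.decoys)
```

Because only the final extension is checked, double-extension names such as `Factura.pdf.vbs` are still classified as scripts.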
The Lampion Trojan
The Lampion Trojan is a variant of the Trojan-Banker.Win32.Chierro family, developed in Delphi. It uses both anti-debug and anti-VM techniques that make its analysis and removal difficult, whether in a sandbox environment or manually.
Security researchers analysing the captured samples found that the Trojan can perform the following actions:
- Remote Connection
- Startup
- Network Resources Retrieval
- Network Resources Manipulations and Redirect
- Folder Path Retrieval
- Messages Communications
- Communications Parameters Changes
- Custom Functions
- Dialog Box
- Spawning Code and Logic Storage
Cyware Social reports that “Lampion trojan is involved in capturing data belonging to both the users and infected systems. The collected information includes system information pages, installed software, web browser history, clipboard, details of the file system, etc.”
It also gives attackers access to perform functions on the infected machine through a web interface.