Lampion malware: what it is, how it works and how to prevent it | Malware spotlight

Introduction

The Lampion malware is spread through emails containing a link that downloads a .zip file with malicious files in it. It’s a banking Trojan: criminals developed it to steal information related to banking portals from the victim’s devices or make fraudulent transactions.

This form of malware is a major challenge from a banking security team's point of view, because the fraudulent accesses are performed from the victim's own device — a device the bank treats as trusted.

How Lampion spreads

Lampion was identified by Segurança-Informática (SI) LAB in December 2019. The malware has been spread via phishing campaigns that reuse the Portuguese Government Finance & Tax email templates. The lure urges recipients to click a link within the email, supposedly to avoid being misled by criminals.

Figure 1: Lampion email templates

In the email shown above, the message reports issues related to debt for the year 2018 and points to a malicious file. When the victim clicks the link in the email, the malware is downloaded from an online server, generally an AWS S3 bucket (a trusted repository).

The downloaded file, called “FacturaNovembro-4492154-2019-10_8.zip”, contains three files: a PDF, a VBS script and a TXT file. The VBS file is responsible for starting the malicious chain when the victim manually executes it.

How Lampion works

When the victim opens the VBS file, the infection chain starts. The script is a Trojan downloader that gets two files from the AWS buckets — a ZIP file called 0.zip and another file identified as a DLL (P-19-2.dll).

Figure 2: High-level overview of Lampion modus operandi

The VBS file is obfuscated to complicate its analysis and its detection by antivirus engines. The downloaded files are the malware's next stage, where the .dll file is the malware itself (in fact, it is a PE file).
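As an added, defender-side example (not code from the original post or from SI LAB), the following Python triage routine inspects an attachment archive for the delivery pattern described above: decoy documents packed next to a VBS script that references cloud-hosted next-stage files. The sample archive, its VBS body and the bucket URL are constructed placeholders, not real Lampion indicators; the function only reads the archive and never executes anything in it.

```python
"""Triage an e-mail attachment archive for the Lampion delivery pattern:
a ZIP whose decoy documents sit next to a VBS downloader that fetches the
next stage (a 0.zip archive and a DLL) from a cloud-hosted URL."""
import io
import re
import zipfile

SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
URL_RE = re.compile(rb"https?://[^\s\"']+", re.IGNORECASE)
# Strings the stage-two download described on the page would leave in the script body.
STAGE_HINTS = (b"amazonaws.com", b".zip", b".dll")


def triage_archive(zip_bytes):
    """Return a dict describing whether (and why) the archive looks like a
    Lampion-style lure. Only inspects members; nothing is executed."""
    result = {"suspicious": False, "scripts": [], "urls": [], "hints": [], "members": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            result["members"].append(name)
            if not name.lower().endswith(SCRIPT_EXTS):
                continue
            result["scripts"].append(name)
            body = zf.read(info)
            result["urls"].extend(u.decode("latin-1") for u in URL_RE.findall(body))
            result["hints"].extend(h.decode() for h in STAGE_HINTS if h in body.lower())
    # A script inside an "invoice" archive is reason enough to quarantine it for
    # analysis; download URLs in the script body raise confidence further.
    result["suspicious"] = bool(result["scripts"])
    return result


def build_sample_archive(with_script=True):
    """Constructed sample mimicking the FacturaNovembro archive layout
    (PDF + VBS + TXT). The VBS body and bucket name are placeholders, not IoCs."""
    vbs = (b"' constructed sample body, not the real Lampion script\r\n"
           b'stage = "https://EXAMPLE-BUCKET.s3.amazonaws.com/0.zip"\r\n'
           b'lib = "https://EXAMPLE-BUCKET.s3.amazonaws.com/P-19-2.dll"\r\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FacturaNovembro.pdf", b"%PDF-1.4 decoy")
        if with_script:
            zf.writestr("FacturaNovembro.vbs", vbs)
        zf.writestr("FacturaNovembro.txt", b"decoy text")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample_archive()))
```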

This is a Security Bloggers Network syndicated blog from Infosec Resources, authored by Pedro Tavares. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/J-WwdvJOdpk/