The latest campaigns in Portugal were observed during February 2020, according to the threat indicators available at 0xSI_f33d – The Portuguese Abuse Open Feed. A new modified version of this malware was observed during May 2020 using template emails that impersonate an invoice from a Bank transaction, an invoice from Vodafone Group, and in another scenario, emergency funds provided by the Portuguese Government to help the COVID-19 fight.
Below, the email templates through which Lampion was distributed in Portugal during May 2020 are presented.
SAPO TRANSFER TEMPLATE
On May 8th, 2020, a fresh version of the Lampion trojan was distributed using templates based on the SAPO Transfer cloud and an email related to a bank transfer.
Figure 1: Lampion malware distributed via SAPO TRANSFER cloud.
As noted in previous campaigns, the threat is distributed on a VBS file along with other documents to lure victims.
Figure 2: Message included by crooks inside the PDF file.
VODAFONE GROUP INVOICE TEMPLATE
In this scenario, a Microsoft Installer (MSI) file was used to disseminate the threat. The malicious file is downloaded from the Google API Cloud.
Figure 3: Lampion trojan distributed via an MSI file hosted on Google API Cloud.
PORTUGUESE GOVERNMENT TEMPLATE / COVID-19
Here too an MSI file was used to infect the victims (formulario_emergencial_gov.msi). In this case, the malicious file was downloaded from an AWS S3 bucket. The modus operandi of both malicious MSI files is the same and is explained below. We are living in an era where crooks are taking advantage of the pandemic situation to launch new waves of phishing and malware every day.
Figure 4: Malicious MSI file downloaded from AWS S3 bucket and using COVID-19 theme that impersonates the Portuguese Government.
Since the first appearance of this banking trojan in December 2019, the modus operandi has remained as documented here. Only the way the malware is distributed has changed over time.
As observed in Figure 2, this is the classic form of Lampion. It poses as a VBS file along with other files, including an image and a PDF file to lure the victims.
Nonetheless, Figure 3 and Figure 4 show another way Lampion has been spread. Crooks are using an MSI file with the VBS file inside (1st stage), which is executed to infect the victim’s device. Also, the VBS file is harder to understand; it is a bit more obfuscated than the initial samples. In brief, these are the only changes observed in these fresh samples compared to December 2019.
Analyzing the MSI file from Figure 4, it poses as a file sent from the Portuguese Government to help in the COVID-19 fight.
Inside the MSI file is the VBS file (Lampion – 1st stage), which is installed to “C:\Program Files (x86)\Firefox_2020-*\Firefox_2020-*” when the MSI file is executed.
Figure 5: Lampion MSI file with the VBS file (1st stage) inside.
Figure 6: MSI file installation dropping the VBS file (1st stage) inside the C:\Program Files (x86) folder.
Figure 7: VBS file (1st stage) available and executed from the C:\Program Files (x86) folder.
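The drop location described above (a randomised directory named Firefox_2020-* under Program Files (x86) holding the 1st-stage VBS) is something a defender can hunt for on endpoints. The following Python is an added example, not code from the original write-up: it walks a root directory, flags any .vbs file that sits below a directory matching that name pattern, and includes a constructed demo tree (the suffix 7f3a and the file names are made up) so it can be exercised without a real infection.

```python
import fnmatch
import os
import tempfile
from pathlib import Path

# Drop location described in the write-up: a randomised directory under
# Program Files (x86) whose name starts with "Firefox_2020-", holding the
# 1st-stage VBS. The wildcard covers the randomised suffix.
DEFAULT_ROOT = Path(r"C:\Program Files (x86)")
DIR_PATTERN = "Firefox_2020-*"


def find_vbs_drops(root=DEFAULT_ROOT, dir_pattern=DIR_PATTERN):
    """Return every .vbs file located under a directory whose name matches
    dir_pattern, anywhere below root. Returns an empty list if root is absent."""
    root = Path(root)
    findings = []
    if not root.is_dir():
        return findings
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_parts = Path(dirpath).relative_to(root).parts
        # Any path component below root matching the pattern marks the tree as suspect.
        if not any(fnmatch.fnmatch(part, dir_pattern) for part in rel_parts):
            continue
        for name in filenames:
            if name.lower().endswith(".vbs"):
                findings.append(Path(dirpath) / name)
    return sorted(findings)


def demo():
    """Build a constructed directory tree mimicking the drop, plus a benign
    neighbour, and return the file names the hunt reports."""
    with tempfile.TemporaryDirectory() as base:
        base = Path(base)
        drop = base / "Firefox_2020-7f3a" / "Firefox_2020-7f3a"  # constructed suffix
        drop.mkdir(parents=True)
        (drop / "stage1.vbs").write_text("' constructed placeholder, not malware\n")
        benign = base / "Mozilla Firefox"
        benign.mkdir()
        (benign / "firefox.exe").write_bytes(b"")
        # A VBS outside the suspicious pattern must not be reported.
        (benign / "updater.vbs").write_text("' benign-looking VBS outside the pattern\n")
        return [p.name for p in find_vbs_drops(base)]


if __name__ == "__main__":
    print("demo:", demo())
    for hit in find_vbs_drops():
        print("suspicious VBS:", hit)
```

Run it as-is on a Windows host to sweep the real Program Files (x86) tree; the pattern is matched on directory names only, so a VBS elsewhere under Program Files is ignored, which keeps the check specific to this campaign's drop path.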
From this point, the malware process is the same as documented in December 2019. However, the VBS file is now harder to read, with a new obfuscation round (see Figure 8 below).
Figure 8: Snippet of code – obfuscation differences between the VBS samples; December 2019 and May 2020.
The next stage is downloaded when the VBS file is executed on the infected device. To decode the URLs, we use the snippet of code available here.
The analyzed samples (2nd stage) are downloaded from Google Cloud instead of the AWS S3 buckets observed between December 2019 and February 2020.

– SAMPLES SAPO TRANSFER TEMPLATE –

Encoded: ~wa^6jfjdfHik0z%S%miBj:emhVW\]+[W$\]Ve0e*];b.[&WifM_BiD$2YBePcj%^j1[bWScc#=cYe/Z+kYbOeEiufz%O&I$pp-_,fA’
Decoded: hxxps://storage.googleapis.]com/team-modulosp/0.]zip

Encoded: zH$^Uj[jHf2ir0[%u%YiEj’elhKW@]s[`$5]0e6e:]`bB[<WLf7_Gi*$FYZe+cp%ojP[‘W;co#lcLeIZ]krb’eTimf(%PF=#Z’c(h#:/^$}Z~bZbjH
Decoded: hxxps://storage.googleapis.]com/team-modulosp/P-12-9.]dll

– SAMPLES PORTUGUESE GOVERNMENT TEMPLATE / VODAFONE GROUP TEMPLATE –

hxxps://storage.googleapis.]com/team-modulo/0.]zip
hxxps://storage.googleapis.]com/team-modulosp/P-1-20.]dll
The code and behavior of the malware are the same in the samples shared above; however, the criminals introduce new lots of junk in each sample as a means of bypassing AV signatures.
To corroborate this, the sizes of the PE files can be compared below.
Figure 9: Size of two samples distributed in Portugal during May 2020.
Both files are executables, differing only in size. As mentioned, a lot of junk is put inside the PE file, increasing the file entropy in order to bypass AV signatures.
Figure 10 shows the image resources included inside the binary. In detail, 52.5 MB of the total (63.3 MB) is populated by just 12 images, including a BMP image file of around 27 MB.
Figure 10: Image resources inside the malware to increase the file size.
As noticed in other Trojans from Brazil, it was also coded in Delphi, using the Embarcadero IDE to build the executable file. In addition, the IDE version used to build these samples is the same one used to build the sample of December 2019.
Figure 11: Embarcadero Delphi version used in December 2019 also observed in May 2020.

This indicator confirms what was observed during the analysis of the Trojan: only minor changes were made, such as changing the address of the C2 server. The encoded URLs used to send information about the victim to the C2 have the same name, e.g. “PostaEstaBosta.php“.

More IOCs and C2 details are presented towards the end of the publication. For more details about this malware see the initial publication here.
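The defanged 2nd-stage URLs listed above and the unchanged C2 script name “PostaEstaBosta.php” are the indicators a SOC would turn into a proxy-log check. The following Python is an added example, not code from the original write-up: it refangs the listed URLs, then scans proxy-log lines for an exact host-plus-path match or for the C2 script name in the request path. The log lines and their format are constructed, and the address 198.51.100.7 is an RFC 5737 placeholder standing in for the C2 host, which the page does not give.

```python
import re
from dataclasses import dataclass

# Defanged 2nd-stage payload URLs as listed in the write-up ("hxxps" and ".]" defanging).
DEFANGED_IOCS = [
    "hxxps://storage.googleapis.]com/team-modulosp/0.]zip",
    "hxxps://storage.googleapis.]com/team-modulosp/P-12-9.]dll",
    "hxxps://storage.googleapis.]com/team-modulo/0.]zip",
    "hxxps://storage.googleapis.]com/team-modulosp/P-1-20.]dll",
]

# Script name of the C2 check-in endpoint named in the write-up.
C2_PATH_MARKER = "PostaEstaBosta.php"

# Constructed proxy-log lines (timestamp, client, method, URL, status).
# 198.51.100.7 is an RFC 5737 placeholder standing in for the C2 host.
SAMPLE_LOG = [
    "1589000001.123 10.0.0.12 GET https://storage.googleapis.com/team-modulosp/0.zip 200",
    "1589000002.456 10.0.0.12 GET https://storage.googleapis.com/other-bucket/readme.txt 200",
    "1589000003.789 10.0.0.12 POST http://198.51.100.7/PostaEstaBosta.php 200",
    "1589000004.000 10.0.0.13 GET https://www.example.com/ 200",
]


def refang(url: str) -> str:
    """Restore a defanged URL: hxxp(s) -> http(s); '[.]', '(.)' and '.]' -> '.'."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".").replace(".]", ".")


def split_url(url: str):
    """Return (host, path) for an http(s) URL; host lower-cased, path defaults to '/'."""
    m = re.match(r"^https?://([^/\s]+)(/\S*)?$", url, flags=re.IGNORECASE)
    if not m:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return m.group(1).lower(), m.group(2) or "/"


@dataclass
class Hit:
    line_no: int
    reason: str
    url: str


def scan_proxy_log(lines, defanged_iocs=DEFANGED_IOCS, c2_marker=C2_PATH_MARKER):
    """Flag lines whose URL exactly matches a known payload URL (host + path) or
    whose path contains the C2 check-in script name. Host-only matching is
    deliberately avoided: storage.googleapis.com also serves legitimate traffic."""
    known = {split_url(refang(u)) for u in defanged_iocs}
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = re.search(r"https?://\S+", line, flags=re.IGNORECASE)
        if not m:
            continue
        url = m.group(0)
        host, path = split_url(url)
        if (host, path) in known:
            hits.append(Hit(line_no, "known-payload-url", url))
        elif c2_marker.lower() in path.lower():
            hits.append(Hit(line_no, "c2-checkin-path", url))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.reason}: {hit.url}")
```

Matching on the full host and path rather than on the bucket host alone matters here: the payloads were staged on a widely used cloud storage domain, so a host-level block or alert would drown in legitimate traffic, while the bucket paths and the C2 script name are specific to this campaign.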
When installed, the trojan can be used by crooks to launch overlay windows on the victim’s device. The number of templates used and affected organizations is huge, including Brazilian and Portuguese banks, as presented below.
Figure 12: Messages used to create overlay windows and triggered when the victim accesses the target banking portal.
The malware is “sleeping” and “resumes” its operation when the following bank portals (including bitcoin portals) are accessed by the victim:

aplicativo bradesco
banco bradesco
mercado bitcoin
banking bnb
banco montepio
montepio
millenniumbcp
Santander
BPI Net
Banco BPI
BPI
Caixadirecta
Caixadirecta Empresas
CGD
NOVO BANCO
EuroBic
Crédito Agrícola
Login Page
CA Empresas
Bankinter
navegador exclusivo
TravaBB
Banco do Brasil
Caixa Economica
BANRITRAVAR
Mercado Bitcoin
TravaBitco
Banco Original
Citibank
itauaplicativo.exe
The overlay windows are invisible while the malware is running and are triggered when the specific banking portal is accessed.
Figure 13: Overlay windows invisible during malware execution – sleeping.
Lampion trojan can be also used by crooks to manually launch a specific page remotely.
Figure 14: Trojan feature to trigger manually overlay windows.
Next, when a specific banking portal is accessed, the overlay windows are displayed (Figure 13 above), and data is sent to the C2 server.
Figure 14: Overlay windows triggered when a specific banking portal is accessed.
Next, some details about the infected machine are sent to the C2 server, including the computer name, operating system (OS), AV, etc.
Figure 15: Details sent to the C2 server.
Figure 16: Lampion C2 authentication portal geolocated in Japan.
Malware is nowadays one of the major cyber weapons used to destroy a business and its market reputation, and to infect a wide number of users. The next list presents some tips on how you can prevent a malware infection. It is not a complete list, just a few steps to protect yourself and your devices.
And last but not least, do not execute files and content from untrusted locations.
Additional details, including the Indicators of Compromise (IOCs), are available in the analysis published by Pedro Tavares.
About the author Pedro Tavares
Pedro Tavares is a professional in the field of information security, working as an Ethical Hacker, Malware Analyst, Cybersecurity Analyst and also a Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
(SecurityAffairs – Lampion Trojan, hacking)