Last days of 2019 were the perfect time to spread phishing campaigns using email templates based on the Portuguese Government Finance & Tax. SI-LAB noted that Portuguese users were targeted with malscam messages that reported issues related to a debt of the year 2018.
In detail, the emails are related to the Rendimento de Pessoas Singulares – IRS (annual tax declaration), and any citizen who has received the message can be misled by criminals – as the end of the year is the right time to discuss issues within this context.
The malware was named ‘Lampion’ as this is the name used as part of its internal name. Regarding a broad analysis, it looks like the Trojan-Banker.Win32.ChePro family, but with improvements that make hard its detection and analysis.
In brief, when the victim clicks on the links available in the email body the malware is downloaded from the online server. The downloaded file is a compressed file (.zip) called: FacturaNovembro-4492154-2019-10_8.zip.
As observed, after extracting the file, three files are presented.
The file “FacturaNovembro-4492154-2019-10_8.vbs” is the first stage of the Lampion’s infection chain. This is a Visual Basic Script (VBScript) file that is acting as a dropper and downloader. It downloads the next stage from the compromised server available on the Internet on an AWS S3 bucket.
The trojan Lampion uses anti-debug and anti-vm techniques. The use of a commercial protector known as VMProtector 3.x and also specially crafted codes make it difficult to analyze both on a sandbox environment or manually.
After the VBScript file is executed, two files are downloaded: P-19-2.dll and 0.zip. The P-19-2.dll file (Lampion) is a PE File that is executed during a VBScript execution when the affected computer starts. That file invokes the second file, 0.zip, that is a DLL file with additional code on C2 and how the trojan gets details from the user’s computers. This DLL contains a name in the Chinese language with the following target message for Portugal: “Your group of Portuguese suckers”.
Lampion trojan (P-19-2.dll) was sent to the VirusTotal by SI-LAB, and 12 from 71 engines classified it as malware. This is a clear signal that most of the antivirus engines don’t detect yet the malware signature.
Details from the computer’s disk, opened windows, clipboard and banking credentials are gathered and sent to the C2 available on the Internet. The malware only runs if the DLL (inside the 0.zip file) is available on the same directory where it is executed.
Users who receive emails this nature should be aware as these files have a low detection rate and will extract sensitive details including banking credentials from victims’ computers. For Portuguese citizens, special attention on this holiday season as this is an ongoing target campaign.
For more details and complete analysis of this malicious campaign see the Technical Analysis below.
Several emails were received by Portuguese users about a new campaign related to the Rendimento de Pessoas Singulares – IRS (annual tax declaration) during the last days of 2019. Two examples can be seen in Figure 1 below.
Figure 1: Two template emails used to spread the trojan Lampion.
At the first glance, just the URLs and their description are different between both templates. The URLs are responsible to download a zip file that contains three files described below.
Figure 2: URL (1) hosting the malware on the Internet (a zip file).
Figure 3: URL (2) hosting the malware on the internet (a zip file).
As observed, the malware icon is a “lampion”, and the original name is a “Lampion”. It seems a reference to a Japanese lampion.
Figure 4: Malware’s original name and details.
Threat name: FacturaNovembro-4492154-2019-10_8.zip
This is the zip file that contains the malware’s first stage downloaded from compromised servers online. It is a zip file, with a low detection rate, and it contains inside 3 other files.
Figure 5: Available files after extracting the zip file.
The files are as follows:
Only the  file (FacturaNovembro-4492154-2019-10_8.vbs) has malicious code capable of infecting victims’ computers.
In contrast, files  and  are harmless and are only used as a way of inducing the victims to open the VBS document – the Lampion 1st stage.
Figure 6: Snippet from the Politica de Protecao de Dados – ST-8 file, never used during the malware infection chain.
On the other hand, the PDF file  is just a PDF file with some information contained inside, and without malicious links or activity to collect details on the victim’s computer.
Figure 7: Object content from FacturaNovembro-4492154-2019-10_8.pdf.
Figure 8: Content available on PDF file FacturaNovembro-4492154-2019-10_8.pdf.
Figure 9: Translation from the Portuguese language to English.
The file states that the file to be executed is here, in the same directory of the PDF file . That message is completely confidential, has a unique code, and the date of issuance is highlighted to create a bad feeling on the victim’s side.
Threat name: FacturaNovembro-4492154-2019-10_8.vbs (Lampion – 1st stage)
This file has a detection rate of 25/58 and is classified as a Trojan Agent. It is, in fact, a trojan downloader/dropper as it downloads the next stage from the Internet and also drops a new VBS file that will be executed whenever the victim’s computer starts. It looks like an improvement form of the Trojan-Banker.Win32.ChePro family.
Figure 10: VirusTotal analysis from FacturaNovembro-4492154-2019-10_8.vbs file.
Looking at the file, it is obfuscated, but in this case, the technique used by criminals was simple: just add commentaries (junk blocks) between the lines of the malicious code to make it confused.
Figure 11: First stage of the Lampion malware – obfuscated code.
After a few rounds of code cleanup (deobfuscation), the final code comes up. Before going into the detail, the high-level diagram with the overall behavior of the file is presented.
Figure 12: Lampion 1st stage high-level diagram.
In detail, the first stage works as described below.
The 1st stage has random functions to generate random names that will be used to rename the next malicious files created on the victim’s machine. Line 27 is where the Wscript object is created that will be used to create a .lnk file on the Windows StartUp folder. All the malware source code is commented on the next images.
Figure 13: Random functions that generate random names – (1/5).
The next figure has the function to decrypt the URLs from which the 2nd stage of malware is downloaded.
Figure 14: Decryption function used to decrypt the URLs where the next stage is available – (2/5).
Next, all the shortcuts (.lnk) files are deleted from the operating system StartUp folder (line 65).
After that, all the VBS files from the operating system StartUp folder are also removed to prevent other files can start with the OS. A randomly named folder is created in the Windows AppData directory that will keep the malicious files.
Figure 15: Some operations are performed, such as create folders on AppData and setting the default process security level with VBScript – (3/5).
Now is time to download the 2nd stage from the Internet. Two files are obtained from 2 AWS S3 buckets.
Figure 16: Trojan 2nd stage is downloaded from two AWS S3 buckets – (4/5).
The URLs are encoded with the following strings:
To get the result of plain-text URLs, SI-LAB is keeping the decryption code available on GitHub. The result is as follows.
Figure 17: Clean URLs as a result of the decrypted function output (available here).
As observed, the output shows us two AWS-hosted addresses that contain two malicious files, namely:
The 0.zip file is a DLL with additional code loaded by PE File P-19-2.dll during its execution. It is the PE file that will be executed each time the infected machine starts. This file is overly large (32 MB in size), with a lot of trash to make it difficult to detect.
Continuing to the last part of the 1st stage, the VBS file, in the last phase a VBS file is created in the AppData folder (C:\Users\user\AppData\Roaming\lkuuxelnxqy.vbs).
Also, a .lnk is created in the Windows StartUp folder (C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lkuuxelnxqy.lnk) which will then execute the next malware stage (P -19-2.dll).
Figure 18: VBS file is executed and the operating system is restarted – (5/5).
Finally, WScript.Shell runs the created VBScript file, the victim’s computer is forced to restart, and the malware itself (P-19-2.dll) runs on the infected machine.
Threat name: P-19-2.dll
From the first submission we noticed that the threat was recent and unique in VirusTotal.
Figure 19: Lampion VirusTotal detection rate (P-19-2.dll).
This file first appears as a DLL, but it is a PE File. As can be seen from Figure 14 – line 86, it is written directly to disk as an executable.
As noted, 12 of 71 AV engines classified the file as malware. The file is extremely large (32 MB), with a lot of junk allowing, thus, to evade antivirus engines as a result.
As explained below, malware is protected by VMProtect 3.x which makes it difficult to analyze even through a manual approach.
VMProtect protects code by executing it on a virtual machine with non-standard architecture that makes it extremely difficult to analyze and crack the software. Besides that, VMProtect generates and verifies serial numbers, limits free upgrades and much more.
After some rounds, we found that it is protected with the VMProtect 3.x .
Figure 20: Lampion protected with the VMProtect 3.x.
VMProtect has 3 protection modes: Mutation, Virtualization, and “Ultra” (both methods combined).
Mutation does what it says it does: it mutates the assembly code to make automated analysis of it harder. The resulting mutated code varies drastically per compilation.
On the other hand, Virtualization translates the code into a special format that only a special virtual machine can run. It then inserts a “stub” function to call the VM where the actual code was supposed to be ran.
Another detail is two sections identified in PE File ( vmp0 and vmp1 ), which contains the packed binary code which will later be devirtualized at runtime, and also has the EP (entry point) where the binary will be executed first.
Note: Details about the VMProtector disassemble will not be displayed in this analysis as it is commercial software for packing and protecting executable files.
Figure 21: Malware sections and high entropy of section vmp1.
As shown, there are two sections in binary (vmp0 and vmp1) with high entropy that are known as a result of VMProtector. Also, the EP is outside of the standard location. Now it is on: .vmp1.
In detail, the malware was developed in Delphi. The IDE Embarcaredo was used to support its developing.
Figure 22: Resources from the Lampion trojan malware.
As noted from Figure 22, all the source-code logic is available within a feature called TFORM1, a Delphi form.
Figure 23: Details about Embarcaredo.
However, once the malware is protected with VMProtector, it is not possible to decompile the binary source-code.
By disassembling it, it is possible to get a binary dump by indicating the potential OEP (original entry point). Although part of the binary code remains obfuscated and protected, through this technique, it was possible to get some details about the inner structure of the malware.
Figure 24: Dumping the binary code, building the binary IAT and get internal details on how it works.
The extracted file has its partial IAT messed up and the name of each function does not appear because its respective virtual addressing is necessary to convert it to a raw addressing. This is a result of the VMProtector 3.x.
After the partially unpacked binary, we can see some functions it is using, namely:
Figure 25: Functions used to get details about the victim’s computer.
During the static analysis, we identified some functions such as HideFromDebugger and IsDebuggerPresent, and even the library SBIEDLL.DLL which aims to detect if the program is running in a virtual environment.
At the moment, the file 0.zip has not been used (the second one that was downloaded and presented in Figure 16).
When the Lampion is running, it will try to read the 0.zip file from the same directory where it is executing (AppData, in this case).
Figure 26: 0.zip file not found and a popup message is presented. The malware terminates its execution.
The 0.zip file was not found (the second file downloaded by VBScript). By submitting the executable file to sandboxes on the Internet, it will never be run derived from this dependency. This can be seen as a mechanism for a dynamic analysis not to be performed properly.
By fixing this detail, we can validate that malware actually can read the file.
Figure 27: 0.zip file is now accessed by Lampion and its content is loaded.
The 0.zip file is a compressed file with a DLL inside it with additional code. But the file is protected with a password. Only the 2nd stage (Lampion) has that password inside.
Figure 28: 0.zip file protected by a password hardcoded inside the malware 2nd stage (Lampion trojan).
This can be seen as yet another anti-reversing mechanism introduced by malware authors.
To get details about the library inside the 0.zip file, we analyzed the 2nd stage and identified the right moment the file is unzipped to obtain the password hardcoded from memory (as it is obfuscated).
Figure 29: Password of 0.zip file extracted from memory.
After extracting the files, we can see that its name has Chinese characters. Through the translated message “Your group of Portuguese suckers” we can conclude that this threat is targeting Portuguese citizens.
Figure 30: Message left by criminals indicating that the threat is targeting Portuguese citizens.
Again, this file is also protected with VMProtector 3.x. This can be observed in Figure 30.
Figure 31: 0.zip file sections.
As shown, most of the file content and EP address are located in the vmp01 section. From Figure 31, we can observe the DLL export address table (EAT).
Figure 32: Export Address Table (EAT) from the DLL inside 0.zip.
That DLL contains part of the trojan code. Those functions are imported from this DLL. Some of the available functions are:
In detail, we can examine all the malware operations while we open a browser for accessing a home banking website (the malware is activated during the https operation because the certmgr.exe is launched).
An interesting detail found on “CallFormPrincipal” is the request method and C2 IP address.
It also validates the windows hosts file to check the remote system discovery.
During malware execution, we verify that it collects data from clipboard, disk, browsers, and sends the details via a request to the C2 server available on the Internet.
Figure 33: POST request sent to the C2 available online with details about the victim’s computer.
On server C2, a portal is available that we did not have access to, however, it was possible to collect some interesting details.
An interesting indicator is that this banking trojan does not have a high detection rate, and can easily run and make persistent on victims’ computers.
For example, the URL where the victim data is sent (the POST request) is not identified as malicious by the antivirus agents at the moment of writing this report.
Figure 34: C2 server not detected on VirusTotal.
As shown, the login page this panel can be accessed and a username and password are required.
Figure 35: Login page of C2 panel.
Based on some paths available on the server-side, we can find that this is a portal already known and shared in the past by David Montenegro along its analysis.
Figure 36: Details on the C2 portal (flags that identified the victim’s origin).
As observed, the panel has details about the victim, namely:
Figure 37: Images about the potential C2 portal.
We contacted Amazon Web Services (AWS) to decommission the domains and C2 server before publishing the article, ensuring, thus, that the threat has been contained in a good way and by preserving the victim’s information. Nonetheless, malicious endpoints are still active at the moment of writing this report.
The complete analysis, including IoCs, Yara rules and the Mitre Att&ck matrix is available at the following URL:
About the author Pedro Tavares:
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and also a Security Evangelist. He is also a founding member and Pentester at CSIRT.UBI and founder of the security computer blog seguranca–informatica.pt.