Several devices have been infected when the victims open the zip file downloaded from the URL embedded in the malicious email that lures the Portuguese Government Finance & Tax (ATA), Energias de Portugal (EDP), and more recently the DPD firm – an international parcel delivery service.
Figure 1: Lampion malware email templates.
According to legitimate sources, Portuguese banking teams have detected irregular accesses to banking portals usually carried out through compromised accounts via the Lampion infections. Nonetheless, accesses via the compromised device have been noted as well, which makes tracking the legitimacy of access difficult.
Crooks are using compromised devices to access the banking portal in order to make online bank transfers to accounts they are controlling.
We have tracking Lampion activity from the beginning, and we noticed that since February 12th – 2020, the malware has been presented with a new “visual” but maintaining the same modus operandi.
The malware is now using templates impersonating the DPD firm (see Figure 1 above), and just two files are available inside the .zip file (instead of three). Notice that in the first version of the Lampion, three files were extracted (a file with random strings, an image and the VisualBasic Script File (VBS).
Malicious zip file: DPD-Track&Trace-IDPT-NEgn-02-2020_23
Figure 2: Lampion v2 – first stage files (2020-02-23).
In another sample analyzed on February 13th, the malware was observed with 4 files inside the zip file:
Figure 3: Lampion v2 additional cmd file to rename the first stage (2020-02-13).
On these last samples, we can observe some improvements by the malware operators:
As observed below, the size of the junk lines presented in these samples is major related to the initial file observed in mid-December 2019. The reason behind that is simple: to evade antivirus detection. With this technique in place, the initial zip file has a low detection rate (7/59) on Virus Total (Figure 5).
Figure 4: File with random strings (Politica de privacidade DPD -23).
In detail, the original Lampion sample had about 27 random characters per line against about 46 characters in these new samples.
Another improvement detected during the malware analysis is that it has been delivered with a new obfuscation layer make its detection more difficult.
Figure 6: Lampion v2 obfuscation layer (VBS file).
When the Lampion was spread the first time, all the malware VBS code was readable. With this new trick, antivirus detection will be harder, and its analysis a little bit confused.
Nonetheless, after analyzing the recent samples, we can conclude that the malware modus operandi is the same. We used the decrypter from Lampion v1 available on GitHub to reverse the endpoints of the next stages confirming that it works without any restriction.
The obfuscated endpoints for these new samples are the following:
From here, the infection chain is the same as explained on the Lampion analysis available here.
The files are downloaded from 2 distinct AWS buckets, executed on the targeted machines, and the banking credentials are exfiltrated to the C2 also available on an AWS EC2 instance.
If you are interested in IOCs for the Lampion malware give a look at the original post:
About the author Pedro Tavares:
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and also a Security Evangelist. He is also a founding member and Pentester at CSIRT.UBI and founder of the security computer blog seguranca–informatica.pt.
(SecurityAffairs – hacking, Lampion malware)