Pierluigi Paganini February 24, 2020

Since end-December 2019 lampion malware has been noted as the most prominent malware targeting Portuguese organizations.

Several devices have been infected when the victims open the zip file downloaded from the URL embedded in the malicious email that lures the Portuguese Government Finance & Tax (ATA), Energias de Portugal (EDP), and more recently the DPD firm – an international parcel delivery service.

Figure 1: Lampion malware email templates.

According to legitimate sources, Portuguese banking teams have detected irregular accesses to banking portals usually carried out through compromised accounts via the Lampion infections. Nonetheless, accesses via the compromised device have been noted as well, which makes tracking the legitimacy of access difficult.

Crooks are using compromised devices to access the banking portal in order to make online bank transfers to accounts they are controlling.

We have tracking Lampion activity from the beginning, and we noticed that since February 12th – 2020, the malware has been presented with a new “visual” but maintaining the same modus operandi.

The malware is now using templates impersonating the DPD firm (see Figure 1 above), and just two files are available inside the .zip file (instead of three). Notice that in the first version of the Lampion, three files were extracted (a file with random strings, an image and the VisualBasic Script File (VBS).

Malicious zip file:  DPD-Track&Trace-IDPT-NEgn-02-2020_23.zip 

Figure 2: Lampion v2 – first stage files (2020-02-23).

In another sample analyzed on February 13th, the malware was observed with 4 files inside the zip file:

• An image to lure the victim to open the file (4187880411812.jpg);
• A file with random strings (Politica de privacidade-33);
• A VBS file without extension (4187880411812);
• An additional cmd file (Fatura-Referencia-Janeiro-2020_33.cmd) to rename the first stage (previously file).

Figure 3: Lampion v2 additional cmd file to rename the first stage (2020-02-13).

On these last samples, we can observe some improvements by the malware operators:

• More junk was added to the file with random strings; and
• The first stage (VBS file) now is using obfuscation (but maintaining the same algorithm).

As observed below, the size of the junk lines presented in these samples is major related to the initial file observed in mid-December 2019. The reason behind that is simple: to evade antivirus detection. With this technique in place, the initial zip file has a low detection rate (7/59) on Virus Total (Figure 5).

Figure 4: File with random strings (Politica de privacidade DPD -23).

Figure 5: Lampion v2 detection rate on VirusTotal.

In detail, the original Lampion sample had about 27 random characters per line against about 46 characters in these new samples.

VBS file (1st stage) obfuscated

Another improvement detected during the malware analysis is that it has been delivered with a new obfuscation layer make its detection more difficult.

Figure 6: Lampion v2 obfuscation layer (VBS file).

When the Lampion was spread the first time, all the malware VBS code was readable. With this new trick, antivirus detection will be harder, and its analysis a little bit confused.

Nonetheless, after analyzing the recent samples, we can conclude that the malware modus operandi is the same. We used the decrypter from Lampion v1 available on GitHub to reverse the endpoints of the next stages confirming that it works without any restriction.

1. ‘ Decrypter
2. ‘ SI-LAB – www.seguranca-informatica.pt
3. ‘ Sample: 3350e74a4cfa020f9b256194eae25c12
4. ‘ @sirpedrotavares
6. Module VBModule
7. Sub Main()
8. Dim Ciphertext
9. Dim i
10. Dim oldAsc
11. Ciphertext = “&aQ^>jhjqfFi`0o%B%~\tkLYya’jL^\[{m[e1hYb~Z!$miU)e$5k3i]#*[OWHi(jc#-(F$bWHcVW\pWe;deW3m$i_$TY%emc^%s&M$Tp^_OfxK”
12. Dim Decrypt
13. Const offset = 10
14. Const minAsc = 33
15. Const maxAsc = 126
18. Dim Plaintext
19. Ciphertext = Mid(Ciphertext,3,Len(Ciphertext)-4)
21. For i=2 To Len(Ciphertext) Step 2
22. oldAsc = Asc(Mid(Ciphertext,i,1)) + offset
23. If oldAsc > maxAsc Then
24. oldAsc = oldAsc – maxAsc + minAsc – 1
25. End If
27. Plaintext = Plaintext & Chr(oldAsc)
28. Next
30. Decrypt = Plaintext
32. Console.WriteLine(Decrypt)
33. End Sub
34. End Module

The obfuscated endpoints for these new samples are the following:

1. zAPQrqmcWlWqGZt = JZtrWmxeCilszIc(“+%j^JjWj`f%iF0^%y%+e|_zk;h^nr’t*gn\$’i0)X$?kRiH#3[`W8i4j2#p(R$5Wpc(WMpbeedgWhm0iV$cY_eDcI%qF=#R'(*z#1-_$[ZdbxbKG”)
2. hxxps:]//oiurx14x.s3.us-east-2.amazonaws.com/P-14-7[.dll
4. IGQtxyonEPfUaJZ = JZtrWmxeCilszIc(“^:Y^WjEjZf5i}0[%t%dlfhpWxk^#znC$/ir)y$gk2iP#'[PWjiEjb#'(y$TWPc!W?p+e|dIWqm?i.$gY_evc_%X&0$\p%_~fP/”)
5. hxxps:]//vrau-x.s3.us-east-2.amazonaws.com/0[.zip

Obfuscated code

From here, the infection chain is the same as explained on the Lampion analysis available here.

The files are downloaded from 2 distinct AWS buckets, executed on the targeted machines, and the banking credentials are exfiltrated to the C2 also available on an AWS EC2 instance.

If you are interested in IOCs for the Lampion malware give a look at the original post:

About the author Pedro Tavares:

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and also a Security Evangelist. He is also a founding member and Pentester at CSIRT.UBI and founder of the security computer blog seguranca–informatica.pt.

Pierluigi Paganini

(SecurityAffairs – hacking, Lampion malware)

[adrotate banner=”5″]

[adrotate banner=”13″]