# New release of Lampion trojan spreads in Portugal with some improvements on the VBS downloader

**seguranca-informatica.pt/new-release-of-lampion-trojan-spreads-in-portugal-with-some-improvements-on-the-vbs-**
downloader

July 6, 2020

**New release of Lampion trojan spreads in Portugal with some improvements on the**
**VBS downloader.**
A new release of the Lampion trojan banker was launched with fresh improvements in the
way the malware loader – the initial VBS file – is operating. The recent wave has been noted
in Portugal and is impacting clients of several Portuguese and Brazilian banking
organizations and also some cryptocurrency platforms.

Some details were observed during the malware analysis, namely:

Changes in the VBS downloader – DLL injection executes the 1st stage.
Anti-VM techniques were improved (probably native features of VM-Protector packer).
Changes in how it communicates with the C2 server geolocated in Russia.

[Lampion was first documented in December 2019, and it was distributed in Portugal via](https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/#.XwI-myhKguU)
phishing emails using templates based on the Portuguese Government Finance & Tax.

More recently, in May 2020, [a new variant of Lampion was observed. Here, it was distributed](https://seguranca-informatica.pt/trojan-lampion-is-back-after-3-months)
using fake webpages, where the victim downloaded an MSI file, which then held the
remaining Lampion infection chain.

Our analysis of the phishing email of this new campaign detected at the end of June – July
2020 showed that the template is very similar to the template distributed on May 8th, 2020. A
fake template from SAPOTRANSFER was used with the message inside the email referring
to any missing payment or invoice.


-----

**_Figure 1: The email template used in July 2020 is similar to the previous one used in May_**
_2020._

These emails are sent towards the end of the month, simulating the payment of a service or
bills – the ideal time to catch the most reckless victims.

**_Figure 2: Files available after decompiling the ZIP file distributed via email._**

Looking at the following images, the PDF file inside the ZIP file is just a decoy to distract the
victim. The text is written in Portuguese, and just the logo at the end of the document was
changed between May and July malware versions.


-----

**_Figure 3: PDF file and content delivered are similar, only the logo at the end of the document_**
_was changed._

[As previously stated [1], [2], the VBS file is one that, when executed, serves as a downloader](https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/#.XwI-myhKguU)
for the infection chain. Once executed, additional files are downloaded from Google Cloud,
which are loaded into memory using a well-known technique called DLL injection.

Once again the code in the VBS file is obfuscated to make it difficult to analyze.


-----

**_Figure 4: VBS file – Lampion downloader – obfuscation layer._**

It is important to note that this new release brings some changes to Lampion’s documented
_modus operandi. The next graph presents the various forms already documented the threat._


-----

**_Figure 5: Different ways of how Lampion has been distributed in-the-wild._**

As noted, malware is usually distributed with a simple email template, where the victim
downloads a ZIP file with a VBS downloader inside. However, in May 2020, criminals used a
fake page to distribute an MSI file, which used the theme COVID-19 that impersonates the
Portuguese government and which after being executed launched the VBS file


-----

The infection chain, in both scenarios, starts through the VBS downloader file. This file is
responsible for downloading two files from online Clouds, such as AWS, Microsoft, SAPO,
and more recently Google, creating, thus, persistence on the machines to execute the threat
every time machine starts.

In detail, an EXE file was downloaded, which when executed, injects into memory the
second DLL inside the 0.zip file and protected by a password. This DLL has the trojan code
protected using the VM-Protector, a commercial packer.

However, in this new release, two DLL files are distributed . VBS file leverages the
Windows rundll32 library to inject the first DLL into memory (P-14-7.dll), and it is then
responsible for loading the second DLL into memory and starting, thus, the infection process.

## Deofuscation and renaming VBS calls

After a few rounds of deobfuscation and renaming calls, we have a clean version of the
source code to analyze in-depth.


-----

**_Figure 6: Deofuscated VBS file – Lampion trojan July 2020._**

Some parts of the code are highlighted in Figure 6 and described below:

1. Function to generate random strings is used to generate arbitrary folders and file

names.
2. Random strings generation.
3. Function used to decrypt strings.
4. Delete *.LNK files from the Windows startup folder.
5. Delete *.VBS files from the Windows startup folder.
6. Create a random folder on %appdata% to host the downloaded files (P-14-7.dll and

0.zip).
7. Get classes for computer hardware and configuration.
8. Google Cloud URLs obfuscated (URL1 and URL2).
9. Download the 2nd stage from Google Cloud (0.zip).
10. Download 1st stage – trojan loader – from Google Cloud (P-14-7.dll).

11. Create .VBS file inside %appfolder% – persistence technique used by criminals.
12. Generate the content of the .VBS file (decryption functions, DLL injector, and anti
VM/sandbox).
13. Create a folder inside the Windows startup folder.
14. Crete .LNK file inside the Windows startup folder.
15. Set up .LNK file to execute DLL injection via rundll32.
16. Sleep and shutdown commands are two techniques for online sandbox evasion.


-----

17. Trojan starts.

In detail, the malware uses a .LNK file to inject the first stage P-14-7.dll into memory. Then,
the call YourGonnaPayMeToday is invoked as shown in Figure 7. This DLL is used as a
loader for the final payload, a DLL inside 0.zip file, and it is injected into memory via DLL
injection. Both files are protected with the commercial packer – VM Protector.
```
--create LKN file- C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start
Menu\Programs\Startup\usynknwwbmj.lnk
--------run-dll--------CommandLineArguments:
C:\Users\admin\AppData\Roaming\59684788644313\eakyvqgqeovfzwxau27622472643851.dll
YourGonnaPayMeToday
WorkingDirectory: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start
Menu\Programs\Startup\usynknwwbmj
RelativePath: ..\..\..\..\..\..\..\..\..\Windows\system32\rundll32.exe
TargetFileDOSName: rundll32.exe
HotKey: (none) RunWindow:
Normal IconIndex: (none) 
TargetFileSize: 0
FileAttributes: (none) 
Flags: IDList, RelativePath, WorkingDir, CommandArgs, Unicode
Final payload:
rundll32.exe
C:\Users\admin\AppData\Roaming\59684788644313\eakyvqgqeovfzwxau27622472643851.dll
YourGonnaPayMeToday

## VBS file – Decrypted strings
Encrypted:
4Ic^GjEj/fzie0[%2%yifjne$h4Wf]g[m$O]6eDeo]wbg[aWSf5_siR$[YDeKcv%HXJe.cEXT[Zj4WkXnhSWKd
Decrypted: hxxps://storage.googleapis.]com/bombetabrancaevinho/0.]zip
Encrypted: r?F^5jAj.fCiB0*%Z%%i<jTefhMWl]x[.$u]uefe\]wb[[JW.fk_%iF$sY}ePc+%`X&e2c]X]
[bjnW?X*h'WfdeY_WC[.lo_]db^WeT%eF(#g'=*o#o-Q$-Z8b/b-j
Decrypted: hxxps://storage.googleapis.]com/bombetabrancaevinho/P-14-7.]dll
Encrypted: k8NhIk;dUZLb$b/)0(5:
Decrypted: rundll32 
Encrypted: J.9Obeck[h6=nePd{d>WWFQWGoiC|[5Joe,Z<WDo=4
Decrypted: YourGonnaPayMeToday

```
As seen in Figure 5, the initial versions of Lampion were distributed in the form of the EXE.
This file was responsible for unpacking the DLL from the 0.zip file and injecting it into
memory.


-----

In this version, two DLLs are distributed instead of an EXE and single DLL. The first (P-147.dll) is injected via DLL injection by the VBS file at the initial stage. For this, it invokes the
call YourGonnaPayMeToday from EAT.

**_Figure 7: Call invoked to load the DLL in memory (YourGonnaPayMeToday) – 1st stage._**

This first file is called by the VBS script and loaded into memory via the DLL injection
technique using rundll32.exe from Windows, a technique widely used by red teams and
pentesters when used Metasploit framework.
```
rundll32.exe
C:\Users\admin\AppData\Roaming\59684788644313\eakyvqgqeovfzwxau27622472643851.dll
YourGonnaPayMeToday

```
[As other trojan bankers from Latin America – Grandoreiro – criminals are using arbitrary](https://seguranca-informatica.pt/the-updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-extended-to-portuguese-banks/)
BMP images to increase the size of binaries, thus avoiding signature detection and also
making it difficult to analyze via online sandboxes – since some sandboxes have a limit per
size when uploading files.

Also, a new layer anti-VM was added to this new release as shown below.


-----

**_Figure 8: Lampion DLL file oversize and error message when malware detects it is running_**
_inside a VM._

As observed in other Lampion versions, the 0.zip file is protected with a strong password,
which is extracted from the loader P-14-7.dll (1st stage). After extracting the final DLL from
the ZIP file, 2nd_stage.dll, and executing it in memory via DLL injection, it executes the
infection process.

This final DLL is executed in memory by calling the “DoThisBicht” function (see below).


-----

**_Figure 9: Lampion 2nd stage executed in memory via DLL injection._**

[Lampion’s operating mode is the same as those analyzed in previous publications [1], [2],](https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/#.XwI-myhKguU)
nonetheless, the DLL was recently compiled and is accompanied by some changes, as the
addresses of C2 have been changed and also the way it communicates with C2. This time it
is not used to transfer information about the infected machine through an HTTP call with the
destination C2, but TCP sockets are used.

**_Figure 10: Compilation time – Jun 21 16:39 – 2020._**

The target banking organizations are the same as observed in the past samples.


-----

**_Figure 11: Banking organizations found inside the malware are the same as document in the_**
_past._

During the malware execution, it collects keystrokes (keylogger features) and is in a constant
loop identifying the focus windows that the user is visiting.

When a focus operation is identified over the browser window, it matches the title of the
window with the internal hardcoded strings. In this case, “montepio” matches the target
strings hardcoded inside the malware (the name of a Portuguese bank). From here, the
malware starts its communication with the command and control server geolocated in Rusia,
and next presents the specific overlay windows.


-----

**_Figure 12: C2 communication after detecting access to a home banking portal._**

The process of browser-overlay is then initiated and some fake windows controlled by
criminals are shown.


-----

**_[Figure 13: Lampion overlay screens (courtesy of MllenniumBCP – Portugal).](https://ind.millenniumbcp.pt/pt/Particulares/seguranca/Pages/avisos2019/aviso-2309.aspx)_**

The socket communication is performed sending details about the infected computer,
keylogging activity, and so on.

**_Figure 14: C2 traffic observed during the malware execution._**

As observed below, the C2 server is geolocated in Russia. Some ports can be observed via
Shodan. The malware executes a socket communication between victims and C2 on port
9171.


-----

**_Figure 15: Lampion C2 server geolocation – July 2020._**

It should also be mentioned that during the process of sending information, the trojan
executes several ICMP requests to a server located in Germany. This is a mechanism used
by malware to detect if the victim’s computer is connected to the internet.


-----

**_Figure 16: ICMP ping is used to validate Internet connection to establish a communication_**
_with C2._

In addition, it is interesting to note that criminals are using a blacklist of flagged IP
addresses. Whenever the client performs an infection from one of these IP addresses, the
malware terminates the execution after receiving the order from C2 and the infected
computer is restarted.
```
Server Mandou ====> |EXITEWINDOWS|
Cliente Desconectado!

## Final Thoughts

```
Malware is one of the major cyber weapons to destroy a business, market reputation, and
even infect a wide number of users. The next list presents some tips on how you can prevent
a malware infection. It is not a complete list, it just a few steps to protect yourself and your
devices.

Get outdated software of your system
Get email savvy; take several minutes looking at the new email and not a few seconds
Beware of fake tech support, emails related do bank transactions, invoices, COVID19,
everything you think be strange
Keep Internet activity relevant
Log out at the end of the day
Only access secured and trusted sites (not only websites with green lock – please
think you are doing, as many phishing campaigns are abusing of free CA to create
valid HTTPS certificates and to distribute malicious campaigns over it)
Keep your operating system up to date


-----

Make sure you are using an antivírus
Beware of malvertising

## Take-home message
 Be proactive and start taking malware protection seriously!

 Indicators of Compromise (IOCs)
```
hxxps://storage.googleapis.]com/bombetabrancaevinho/P-14-7.]dll
hxxps://storage.googleapis.]com/bombetabrancaevinho/0.]zip
--Strings-YourGonnaPayMeToday
DoThisBicht
Final payload: be703ee8d83c3eb95fd5a343fed3d2947d2b98955be3b6eb8dd4752be1047537
--C2-5.188.9.28

 Online Sandbox

```
[VirusTotal](https://www.virustotal.com/gui/file-analysis/NzM1YTI1MWY5MjFiZTg0YTIwMzljYjJiNTg0NjdlNGU6MTU5MzcyMzAzNw==/detection)

[Joesandbox](https://www.joesandbox.com/analysis/243202/0/html)

[Pedro Tavares](https://seguranca-informatica.pt/author/pipocaz/)
**[Pedro Tavares is a professional in the field of information security working as an Ethical](https://www.linkedin.com/in/sirpedrotavares/)**
Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding
member at CSIRT.UBI and Editor-in-Chief of the security computer blog segurancainformatica.pt.

In recent years he has invested in the field of information security, exploring and analyzing a
wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and
security in Active Directory networks. He is also Freelance Writer (Infosec. Resources
[Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that](https://feed.seguranca-informatica.pt/)
compiles phishing and malware campaigns targeting Portuguese citizens.

[Read more here.](https://seguranca-informatica.pt/contacto/)


-----