# The hidden C2: Lampion trojan release 212 is on the rise and using a C2 server for two years

**[seguranca-informatica.pt/the-hidden-c2-lampion-trojan-release-212-is-on-the-rise-and-using-a-c2-server-for-two-years](https://seguranca-informatica.pt/the-hidden-c2-lampion-trojan-release-212-is-on-the-rise-and-using-a-c2-server-for-two-years)**

February 26, 2022

**The hidden C2: Lampion trojan release 212 is on the rise and using a C2 server for two**
**years.**
Lampion trojan is one of the most active banking trojans impacting Portuguese Internet end
users since 2019. This piece of malware is known for the usage of the Portuguese
Government Finance & Tax (Autoridade Tributária e Aduaneira) email templates to lure
victims to install the malicious loader (a VBS file). However, fake templates of banking
organizations in Portugal have been used by criminals to disseminate the threat in the wild,
as observed in Figure 1 below with a malicious PDF (151724540334 Pedidos.pdf).

**_Figure 1: Emails templates are delivering malicious PDFs impersonating banking_**
_organizations in Portugal to spread Lampion trojan._

[The malware TTP and their capabilities remain the same observed in 2019, but the trojan](https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/#.YhpNzejP0Q8)
loader – the VBS files – propagated along with the new campaign has significant differences.
Also, the C2 server is the same noticed on the past campaigns since 2020, suggesting, thus,


-----

that criminals are using the same server geolocated in Russia for two years to orchestrate all
the malicious operations.

## FUD capabilities of the Lampions’ VBS loader

**Filename: Comprovativo de pagamento_2866-XRNM_15-02-2022 06-43-54_28.vbs**

**MD5: 2e295f9e683296d8d6b627a88ea34583**

As expected, the Lampions’ VBS loader has been changed in the last years, and its modus
_[operandi is similar to other Brazilian trojans, such as Maxtrilha,](https://seguranca-informatica.pt/the-new-maxtrilha-trojan-is-being-disseminated-and-targeting-several-banks/#.YhpTNOjP0Q8)_ **[URSA,](https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/)** **[Grandoreiro, and so](https://seguranca-informatica.pt/the-updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-extended-to-portuguese-banks/#.YhpTU-jP0Q9)**
on. In detail, criminals are enlarging the file size around 56 MB of junk to bypass its detection
in contrast to the samples from 2019 with just 13.20 KB.

**_Figure 2: Lampions’ VBS loader file enlarge technique to bypass its detection._**

The VBS file contains a lot of junk sequences, and after some rounds of code cleaning and
deobfuscation, 31.7 MB of useless lines of code were removed.


-----

**_Figure 3: Lampions’ VBS loader size before and after removing the junk sequences._**

The final file after the cleaning process has around 24.7 MB, and it is responsible for creating
other files, including:

a 2nd VBS file with a random name (2nd_stage_vbs) that will download the Lampions’
final stage – two DLLs from AWS S3 buckets
other VBS file that will execute the previous file by using a scheduled task also created
by the 1st VBS loader.


-----

The next figure presents the structure of the Lampions VBS loader after the cleaning and
deobfuscation process.


-----

**_Figure 4: Lampion’s VBS loader after some rounds of deobfuscation._**

As mentioned, the 1st stage (Comprovativo de pagamento_2866-XRNM_15-02-2022 06**_43-54_28.vbs) creates a new VBS file (2nd_stage_vbs) inside the %AppData%\Local\Temp_**
folder with a random name (sznyetzkkg.vbs). Also, another VBS (jghfszcekwr.vbs) is
created with code responsible for executing the previous VBS file (sznyetzkkg.vbs) via a
scheduled task.

A scheduled task is created with the service description and author Administrator user
associated. This scheduled task will execute the second VBS file jghfszcekwr.vbsthat
contains instructions to finally run the sznyetzkkg.vbs file (the 2nd VBS stage).

**_Figure 5: Creation of the 2nd VBS file and the auxiliary VBS file. Also, the scheduled task_**
_responsible for creating the auxiliary VBS file is shown_


-----

After running the initial VBS file, the two additional VBS files are finally prepared to be
triggered. That task is then performed by the scheduled task as presented in Figure 6. The
source code of the jghfszcekwr.vbs file is quite simple and just executes the 2nd VBS file
(sznyetzkkg.vbs). We believe this is just a procedure to make hard the malware analysis as
well as difficult its detection – something we confirmed during the analysis, as the AVs don’t
detect properly those files during the malware infection chain.

**_Figure 6: Schedule task (1) responsible for executing an auxiliary VBS (2) file which in turn_**
_runs the second VBS stage._

After that, the VBS file dubbed sznyetzkkg.vbs is executed. All the steps highlighted in
Figure 7 are typically known from the last Lampions campaigns. This VBS file is quite similar
to their predecessors, and it performs some tasks:

Deletes all the files from the startup folder with the following extension: lnk, vbs, cmd,
**_exe, bat and js._**
Decrypts the URLs containing the final stage of Lampion trojan.
Creates a .cmd file into the Windows startup folder to maintain persistence.


-----

**_Figure 7: Source-code of the 2nd VBS file and the encrypted URLs that will download the_**
_last stage of the Lampion trojan banker._

From this point, the modus operandi and TTP are the same observed since 2019. The clear
[sign is the same algorithm used in 2019 to decrypt the hardcoded strings with the malicious](https://github.com/sirpedrotavares/SI-LAB-malware/blob/master/decryption-strings-lampion.vbs)
[URLs was used. The script can be downloaded from GitHub here.](https://github.com/sirpedrotavares/SI-LAB-malware/blob/master/decryption-strings-lampion.vbs)


-----

**_Figure 8: Lampion trojan VBS decryptor._**

After running the script, we obtained the malicious URLs that download the next stage of
Lampion trojan. Once again, the AWS S3 buckets were the criminals’ choice, as observed in
the last releases of this malware.
```
encrypted: "O{'^Yj7jRf:i_0<%r%#c=o{f=[Rhbi:e6dUWDb3isjRkt\U\0ik$zit)i$?kYi`#\
[DWcifjR#e(n$$WxcwW2pPe;dqWomFi3$ZYDeZc8%TiTeNflhYW>j][5ivj+[B$*pX_Dfl'"
decrypted: https://mypersonalstuffs.s3.us-east-2.amazonaws.com/soprateste.zip
encrypted: "eg1^xj5jZf}iP0a%r%
<cZo[fU[(h&i8e9dZWmb%ijjOkz\M\+iz$Tiv)E$Qkxiq#M[bW<iDjO#4(A$kWfc2WJp`epdoWgm$i.$;Yqecc
s#F*R-"
decrypted: https://mypersonalstuffs.s3.us-east-2.amazonaws.com/P-17-4

```
The first DLL (the trojan loader) is a point of interest in this analysis. This file was also
enlarged with lots of random BMP images inside – a well-known technique that is being
**used by Latin American gangs in their malware. This is a clear sign of cooperation**
between the several groups.

The P-17-4 DLL is then renamed when downloaded and injected into the memory via the
DLL injection technique. The EAT function “mJ8Lf9v0GZnptOVNB2I” is triggered to start the
DLL loader.


-----

```
C:\Windows\System32\rundll32.dll\ %AppData%\Local\Temp\rand_folder\random_name.dll 
mJ8Lf9v0GZnptOVNB2I

```
**_Figure 9: Lampion DLLs – release 212 (February 2022)._**

The main goal of the DLL loader is just to unzip the 2nd DLL called “soprateste.zip” which is
protected with a hardcoded password. All the process from this point is the same as the last
articles we have published, namely:

## Details of the Lampion release 212

The single task of the first DLL is just to unzip the 2nd one with a hardcoded password. As
usual, the DLL inside soprateste.zip carries a message in Chinese for researchers:

**_Figure 10: Message hardcoded inside the soprateste.zip DLL (the Lampion itself) and part of_**
_the unzip process._


-----

As usual, the trojan maintains intact its EAT since 2019. The call **DoThisBicht is invoked**
from the DLL loader, and the malware starts its malicious activity. Figure 11 below shows the
comparison of the EAT between the different versions from 2019 to 2022, and no differences
were noticed.

**_Figure 11: Export Address Table (EAT) from the DLL inside the soprateste.zip file (the_**
_Lampion trojan itself)._

The target brands are the same observed in the past campaigns, with the focus on Brazilian
and Portuguese banking organizations.


-----

```
0x5106a0c (28): banco montepio
0x5106a38 (16): montepio
0x5106a6c (26): millenniumbcp
0x5106aa8 (18): Santander
0x5106ac8 (14): BPI Net
0x5106ae4 (18): Banco BPI
0x5106b18 (24): Caixadirecta
0x5106b40 (42): Caixadirecta Empresas
0x5106b8c (20): NOVO BANCO
0x5106bc4 (14): EuroBic
0x5106bfa (16): Credito Agricola
0x5106c24 (20): Login Page
0x5106c48 (22): CA Empresas
0x5106c80 (18): Bankinter
0x5106cb4 (20): ActivoBank
0x5107118 (36): itauaplicativo.exe
0x5109568 (14): TravaBB
0x5109586 (32): Banco do Brasil
0x51095b4 (16): Traazure
0x51095d6 (32): Caixa Economica
0x5109604 (20): Travsantos
0x510962a (20): Santander
0x510964c (14): Travsic
0x510966a (14): Sicred
0x5109688 (14): Travite
0x51096c0 (18): Travdesco
0x51096e2 (18): Bradesco
0x5109704 (22): BANRITRAVAR
0x510972a (18): Banrisul
0x510974c (20): TravaBitco
0x5109772 (32): Mercado Bitcoin
0x51097a0 (14): Travcit
0x51097be (18): Citibank
0x51097e0 (18): Travorigs
0x5109802 (30): Banco Original
0x5109830 (18): SICTRAVAR
0x5109852 (14): Sicoob

```
When started, the trojan collects information about the opened processes on the target
machine. If the title of the pages matches the hardcoded strings presented above, then it
starts the malicious overlay process that presents fake messages and windows
impersonating the target bank to lure the victims.


-----

**_Figure 12:_** _[Lampion overlay screens (courtesy of MllenniumBCP – Portugal).](https://ind.millenniumbcp.pt/pt/Particulares/seguranca/Pages/avisos2019/aviso-2309.aspx)_


-----

**_Figure 13: Part of the hardcoded messages present on the Delphi forms that are exhibited_**
_during the trojan execution._


-----

As mentioned, Lampion is using the same C2 server geolocated in Russia at least for two
years. Figure 14 compares the Lampion release 207 – from 2020 – and the new release 212
– February 2022. As presented, the server “5.188.9.28” has been used at least since 2020
by the criminals’ gang in order to orchestrate all the operations.

**_Figure 14: Lampion is using the same C2 server observed in 2020 and gelocated in Russia._**

Interestingly, the C2 server – a Windows machine – has the Microsoft RPC Endpoint Mapper
service exposed, which allows mapping some of the services running on the machine,
associated pipes, hostname, etc.

Through this information, it was possible to obtain the hostname of the remote machine:
**\WIN-344VU98D3RU.**

After a quick search, the hostname seems to have already been associated with other
malicious groups operating different types of malware, such as the bazaar (see the article
[here), and also LockBit 2.0 ransomware (take a look here).](https://www.lemagit.fr/actualites/252510802/Ransomware-comment-la-franchise-LockBit-20-gonfle-artificiellement-ses-chiffres)


-----

**_Figure 15: IoCs related to the hostname used by Lampions C2 server (\WIN-_**
**_344VU98D3RU)._**

Although it is not possible to confirm whether this is a hostname associated with other Cloud
machines and used by legitimate systems, it was possible to identify that there are machines
spread all over the world with the same hostname, and in some situations, only a few
machines available per country.

In total, 81.503 machines were identified, with around 45k in The Netherlands, 25k in Russia,
2.5k Turkey, 2K Ukraine, 1.5k in US, etc.


-----

The complete list of hosts can be found below.


-----

## Final Thoughts

Malware is one of the major cyber weapons to destroy a business, market reputation, and
even infect a wide number of users for the most malicious purposes. The next list presents
some tips on how you can prevent a malware infection. It is not a complete list, it is just a few
steps to protect yourself and your devices.

Keep software updated
Take several minutes to look at the new email and not just a few seconds. Analyze it
carefully
Beware of fake tech support, emails related to bank transactions, invoices, COVID19,
everything you think be strange
Keep Internet activity relevant
Log out at the end of the day
Only access secured and trusted sites; not only websites with a green lock. Criminals
are using free CAs to created valid HTTPS certificates.
Keep your operating system up to date
Make sure you are using an antivírus
Beware of malvertising


-----

## Take-home message Be proactive and start taking malware protection seriously!

 Lampion – Mitre Att&ck Matrix

 Indicators of Compromise (IOCs)
```
https://mypersonalstuffs.s3.us-east-2.amazonaws.com/soprateste.zip
  submited on => https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=6039
https://mypersonalstuffs.s3.us-east-2.amazonaws.com/P-17-4
  submited on => https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=6038
--Strings-DoThisBicht
Payloads and DLLs:
1st VBS: 2e295f9e683296d8d6b627a88ea34583
2nd VBS: e7f6a46dd9d4713a877c6447d8e6a299
auxiliary VBS to be executed via schedule task: 6d931b30ec52e1ae53ac001659b0629e
P-17-4: 88a4a76cfd1eacf76bc08257b5781ad3
soprateste.zip: f0e8d127009ba8af6c4bb89676614792
lampion DLL: 7438fd78083152cd199ba162dffe7939
--C2-5.188.9.28
  submited on => https://feed.seguranca-informatica.pt/0xsi_f33d_id.php?id=6102

```

-----

## Online Sandbox

[https://www.joesandbox.com/analysis/575060/0/html](https://www.joesandbox.com/analysis/575060/0/html)

[Pedro Tavares](https://seguranca-informatica.pt/author/pipocaz/)
**[Pedro Tavares is a professional in the field of information security working as an Ethical](https://www.linkedin.com/in/sirpedrotavares/)**
Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding
member at CSIRT.UBI and Editor-in-Chief of the security computer blog segurancainformatica.pt.

In recent years he has invested in the field of information security, exploring and analyzing a
wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and
security in Active Directory networks. He is also Freelance Writer (Infosec. Resources
[Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that](https://feed.seguranca-informatica.pt/)
compiles phishing and malware campaigns targeting Portuguese citizens.

[Read more here.](https://seguranca-informatica.pt/contacto/)


-----