OpenBCM V1.07b11 (WIN32)

Packet Radio Mailbox

DBO595

[LAU JN59RM]

 Login: GAST


HB1PMS > TECH     29.02.20 20:42l 85 Lines 3536 Bytes #999 (0) @ WW
BID : 2284HB1PMS
Read: GAST
Subj: Newly Discovered Lampion Trojan Found Targeting Po
Path: DBO595<DBX320<FRB024<NL3TD<NL3PRC<GY1BBS<HB1BBS
Sent: 200229/1606Z 8601@HB1BBS.ZL.NLD.EU BPQ6.0.19

From: HB1PMS@HB1BBS.ZL.NLD.EU

Newly Discovered Lampion Trojan Found Targeting Portuguese Users
The trojan is distributed via phishing emails that appear to come from the 
Portuguese Government Finance & Tax.
The email reports issues related to debt for the year 2018.
Security researchers have uncovered a new trojan named Lampion. The trojan 
is distributed via phishing emails and targets Portuguese users.

How does it spread?

As reported by Segurança Informática Lab (SI-Lab), the phishing email used 
to distribute the trojan appears to come from the Portuguese Government 
Finance & Tax.
The email reports issues related to debt for the year 2018.
It asks the recipients to click on a link within the email to avoid being 
misled by criminals.
When the unsuspecting victim clicks on the link in the email body, the 
malware is downloaded from the online server.
The downloaded file is a compressed Zip file called 
‘FacturaNovembro-4492154-2019-10_8.zip.’ When the user unpacks it, they see 
three files: a PDF, a VBS script, and a text file.
What is the file about?

The file ‘FacturaNovembro-4492154-2019-10_8.zip’ is the first stage of 
Lampion’s infection chain: the VBScript file it carries acts as a dropper 
and downloader.
The dropper downloads the next stage from a compromised server on the 
internet, an AWS S3 bucket.
Once the VBScript file is executed, two files, P-19-2.dll and 0.zip, are 
downloaded. P-19-2.dll is a PE file that is launched by a VBScript run when 
the affected computer starts. This P-19-2.dll file is the Lampion trojan 
itself.
This DLL contains a name in the Chinese language with a targeted message for 
Portuguese users.
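The delivery described above (a script file packed next to decoy documents in one archive) is something a mail gateway or triage script can flag before the user ever unpacks it. The following is an added example, not code from the message or from SI-Lab; the archive member names and contents are constructed placeholders, and the list of script extensions is an assumption that extends the page's VBS case to the other Windows Script Host file types.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumption: VBS as described on the page, plus sibling Windows Script Host types.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
# Document types a lure uses as cover (the page names a PDF and a text file).
DECOY_EXTENSIONS = {".pdf", ".txt", ".doc", ".docx"}


def triage_archive(data: bytes) -> dict:
    """Classify a zip archive by its member listing only (nothing is extracted).

    'suspicious': a script file sits next to decoy documents, the Lampion layout.
    'review':     a script file without decoys.
    'clean':      no script members.
    'unreadable': not a valid zip (quarantine for manual inspection).
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return {"members": [], "scripts": [], "decoys": [], "verdict": "unreadable"}
    scripts = [n for n in names if PurePosixPath(n).suffix.lower() in SCRIPT_EXTENSIONS]
    decoys = [n for n in names if PurePosixPath(n).suffix.lower() in DECOY_EXTENSIONS]
    verdict = "suspicious" if scripts and decoys else ("review" if scripts else "clean")
    return {"members": names, "scripts": scripts, "decoys": decoys, "verdict": verdict}


def build_sample_archive(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes} so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample mirroring the described layout (PDF + VBS + text); no real payload.
LURE_ARCHIVE = build_sample_archive({
    "FacturaNovembro-4492154-2019-10_8.pdf": b"%PDF-1.4 decoy\n",
    "FacturaNovembro-4492154-2019-10_8.vbs": b"' placeholder, not the real script\n",
    "readme.txt": b"placeholder text\n",
})
# Constructed benign archive for comparison.
BENIGN_ARCHIVE = build_sample_archive({"invoice.pdf": b"%PDF-1.4\n", "notes.txt": b"ok\n"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ARCHIVE), ("benign", BENIGN_ARCHIVE)):
        print(label, triage_archive(blob)["verdict"])
```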
What is Lampion?

Lampion looks like an improvised form of the Trojan-Banker.Win32.ChePro 
family.
It is developed in Delphi.
It includes anti-debug and anti-VM techniques to make it difficult to 
analyze, both in a sandbox environment and manually.
Some of the features that are part of the captured Lampion samples include 
the following actions:

Remote Connection Startup
Network Resources Retrieval
Network Resources Manipulations and Redirect
Folder Path Retrieval
Messages Communications
Communications Parameters Changes
Custom Functions
Dialog Box Spawning
Code Logic Storage
The Lampion trojan captures data belonging to both the user and the 
infected system. The collected information includes system information, 
installed software, web browser history, clipboard contents, details of the 
file system, etc.

The trojan also allows hackers to access and manipulate the infected 
machines via a specially designed web interface.

73 Henk.

======================================================================
  _    _ ____  __ ____  ____   _____ 
 | |  | |  _ \/_ |  _ \|  _ \ / ____|  SYS: Henk (hb1nos@hb1bbs.com)
 | |__| | |_) || | |_) | |_) | (___    QTH: Ouwerkerk - JO11XO
 |  __  |  _ < | |  _ <|  _ < \___ \   BBS: HB1BBS.ZLD.NLD.EU
 | |  | | |_) || | |_) | |_) |____) |  QRV: 27.235 MHz (FM 1200bps)
 |_|  |_|____/ |_|____/|____/|_____/   WEB: www.hb1bbs.com

======================================================================

** Host of BPQ Netrom/Node NLDHUB::NL9HUB 85.214.163.10 UDP 93  

======================================================================
** This message is generated with Sally 7.2.033
----------------------------------------------------------------------
** Timed Saturday 29 February 2020  17:02 West Europe (standard time)
** BBS HB1PMS@HB1BBS.ZL.NLD.EU