HB1PMS > TECH 29.02.20 19:42l 85 Lines 3536 Bytes #999 (0) @ WW
BID : 2284HB1PMS
Read: GAST
Subj: Newly Discovered Lampion Trojan Found Targeting Po
Path: DBO595<DBX320<FRB024<NL3TD<NL3PRC<GY1BBS<HB1BBS
Sent: 200229/1606Z 8601@HB1BBS.ZL.NLD.EU BPQ6.0.19
From: HB1PMS@HB1BBS.ZL.NLD.EU
Newly Discovered Lampion Trojan Found Targeting Portuguese Users
The trojan is distributed via phishing emails that appear to come from the
Portuguese Government Finance & Tax.
The email reports issues related to debt for the year 2018.
Security researchers have uncovered a new trojan named Lampion. The trojan
is distributed via phishing emails and targets Portuguese users.
How does it spread?
As reported by Segurança Informática Lab (SI-Lab), the phishing email used
to distribute the trojan appears to come from the Portuguese Government
Finance & Tax.
The email reports issues related to debt for the year 2018.
It asks the recipient to click on a link within the email, supposedly to
avoid being misled by criminals.
When the unsuspecting victim clicks the link in the email body, the malware
is downloaded from an online server.
The downloaded file is a compressed Zip file called
‘FacturaNovembro-4492154-2019-10_8.zip’. When the user unpacks it, they will
see three files: a PDF, a VBS script, and a text file.
What is the file about?
The file ‘FacturaNovembro-4492154-2019-10_8.zip’ carries the first stage of
Lampion’s infection chain: the VBScript file, which acts as a dropper and
downloader.
The dropper downloads the next stage from a compromised server on the
internet, an AWS S3 bucket.
Once the VBScript file is executed, two files, P-19-2.dll and 0.zip, are
downloaded. P-19-2.dll is a PE file that the VBScript executes when the
affected computer starts. This P-19-2.dll file is the Lampion trojan itself.
The DLL carries a Chinese-language name alongside a message targeted at
Portuguese users.
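The chain above (script host runs a .vbs from a user-writable folder, fetches from an S3 bucket, drops a DLL, registers itself to run at startup) can be correlated from endpoint telemetry. The following is an added detection example, not code from the original message or from SI-Lab; the log format, hostnames, paths and bucket name are constructed placeholders, and the autorun_set event is an assumed stand-in for the startup mechanism, which the report does not detail.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): "<host>|<event>|<process>|<detail>".
# Hostnames, paths and the S3 bucket name are placeholders; only P-19-2.dll and
# 0.zip come from the report. The autorun_set event stands in for whatever
# startup mechanism the real sample uses, which the report does not detail.
SAMPLE_LOG = """\
PC-01|proc_start|wscript.exe|C:\\Users\\ana\\Downloads\\FacturaNovembro-4492154-2019-10_8\\stage1.vbs
PC-01|net_connect|wscript.exe|example-bucket.s3.amazonaws.com:443
PC-01|file_write|wscript.exe|C:\\Users\\ana\\AppData\\Local\\Temp\\P-19-2.dll
PC-01|file_write|wscript.exe|C:\\Users\\ana\\AppData\\Local\\Temp\\0.zip
PC-01|autorun_set|wscript.exe|stage1.vbs
PC-02|proc_start|wscript.exe|C:\\Scripts\\inventory.vbs
PC-02|file_write|wscript.exe|C:\\Scripts\\inventory.csv
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData|Downloads)\\", re.I)


def correlate(log_text):
    """Return one alert per host where a script host shows the dropper pattern:
    a .vbs run from a user-writable path plus at least two of: an S3 download,
    a DLL written by the script host, and a startup entry for the script."""
    signals = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, event, proc, detail = line.split("|", 3)
        if proc.lower() not in SCRIPT_HOSTS:
            continue  # only script-host activity is of interest here
        low = detail.lower()
        if event == "proc_start" and low.endswith(".vbs") and USER_WRITABLE.search(detail):
            signals[host].add("vbs_from_user_dir")
        elif event == "net_connect" and low.split(":")[0].endswith(".amazonaws.com"):
            signals[host].add("s3_download")
        elif event == "file_write" and low.endswith(".dll") and USER_WRITABLE.search(detail):
            signals[host].add("dll_dropped_by_script")
        elif event == "autorun_set":
            signals[host].add("script_persistence")
    return [{"host": h, "signals": sorted(s)} for h, s in sorted(signals.items())
            if "vbs_from_user_dir" in s and len(s) >= 3]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

PC-02, an admin script that never touches S3 or writes a DLL, produces no alert; requiring the script-from-user-folder signal plus two more keeps a lone S3 connection from firing on its own.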
What is Lampion?
Lampion appears to be an improved variant of the Trojan-Banker.Win32.ChePro
family.
It is developed in Delphi.
It includes anti-debug and anti-VM techniques that make it difficult to
analyse, whether in a sandbox environment or manually.
Features observed in the captured Lampion samples include the following
actions:
Remote Connection Startup
Network Resources Retrieval
Network Resources Manipulations and Redirect
Folder Path Retrieval
Messages Communications
Communications Parameters Changes
Custom Functions
Dialog Box Spawning
Code Logic Storage
The Lampion trojan captures data about both the user and the infected
system. The collected information includes system information, installed
software, web browser history, clipboard contents, file system details, and
more.
The trojan also lets the attackers access and manipulate infected machines
through a purpose-built web interface.
73 Henk.
======================================================================
 SYS: Henk (hb1nos@hb1bbs.com)
 QTH: Ouwerkerk - JO11XO
 BBS: HB1BBS.ZLD.NLD.EU
 QRV: 27.235 MHz (FM 1200bps)
 WEB: www.hb1bbs.com
======================================================================
** Host of BPQ Netrom/Node NLDHUB::NL9HUB 85.214.163.10 UDP 93
======================================================================
** This message is generated with Sally 7.2.033
----------------------------------------------------------------------
** Timed Saturday 29 February 2020 17:02 West Europe (standard time)
** BBS HB1PMS@HB1BBS.ZL.NLD.EU