The infamous Lampion malware is known since December 2019 by targeting Portuguese organizations and equipped now with a new obfuscation layer.

Since end-December 2019 lampion malware has been noted as the most prominent malware targeting Portuguese organizations.

Several devices have been infected when the victims open the zip file downloaded from the URL embedded in the malicious email that lures the Portuguese Government Finance & Tax (ATA), Energias de Portugal (EDP), and more recently the DPD firm – an international parcel delivery service.

Figure 1: Lampion malware email templates.


According to legitimate sources, Portuguese banking teams have detected irregular accesses to banking portals usually carried out through compromised accounts via the Lampion infections. Nonetheless, accesses via the compromised device have been noted as well, which makes tracking the legitimacy of access difficult.

Crooks are using compromised devices to access the banking portal in order to make online bank transfers to accounts they are controlling.

We have tracking Lampion activity from the beginning, and we noticed that since February 12th – 2020, the malware has been presented with a new “visual” but maintaining the same modus operandi.


The malware is now using templates impersonating the DPD firm (see Figure 1 above), and just two files are available inside the .zip file (instead of three). Notice that in the first version of the Lampion, three files were extracted (a file with random strings, an image and the VisualBasic Script File (VBS).

Malicious zip file:  DPD-Track& 

Figure 2: Lampion v2 – first stage files (2020-02-23).


In another sample analyzed on February 13th, the malware was observed with 4 files inside the zip file:

  • An image to lure the victim to open the file (4187880411812.jpg);
  • A file with random strings (Politica de privacidade-33);
  • A VBS file without extension (4187880411812);
  • An additional cmd file (Fatura-Referencia-Janeiro-2020_33.cmd) to rename the first stage (previously file).


Figure 3: Lampion v2 additional cmd file to rename the first stage (2020-02-13).


On these last samples, we can observe some improvements by the malware operators:

  • More junk was added to the file with random strings; and
  • The first stage (VBS file) now is using obfuscation (but maintaining the same algorithm).


As observed below, the size of the junk lines presented in these samples is major related to the initial file observed in mid-December 2019. The reason behind that is simple: to evade antivirus detection. With this technique in place, the initial zip file has a low detection rate (7/59) on Virus Total (Figure 5).

Figure 4: File with random strings (Politica de privacidade DPD -23).


Figure 5: Lampion v2 detection rate on VirusTotal.


In detail, the original Lampion sample had about 27 random characters per line against about 46 characters in these new samples.


VBS file (1st stage) obfuscated

Another improvement detected during the malware analysis is that it has been delivered with a new obfuscation layer make its detection more difficult.

Figure 6: Lampion v2 obfuscation layer (VBS file).


When the Lampion was spread the first time, all the malware VBS code was readable. With this new trick, antivirus detection will be harder, and its analysis a little bit confused.

Nonetheless, after analyzing the recent samples, we can conclude that the malware modus operandi is the same. We used the decrypter from Lampion v1 available on GitHub to reverse the endpoints of the next stages confirming that it works without any restriction.

' Decrypter
' SI-LAB -
' Sample: 3350e74a4cfa020f9b256194eae25c12
' @sirpedrotavares

Module VBModule
    Sub Main()
       Dim Ciphertext
       Dim i 
       Dim oldAsc
       Ciphertext = "&aQ^>jhjqfFi`0o%B%~\tkLYya'jL^\[{m[e1hYb~Z!$miU)e$5k3i]#*[OWHi(jc#-(F$bWHcVW\pWe;deW3m$i_$TY%emc^%s&M$Tp^_OfxK" 
       Dim Decrypt 
       Const offset = 10
       Const minAsc = 33
       Const maxAsc = 126

    Dim Plaintext
    Ciphertext = Mid(Ciphertext,3,Len(Ciphertext)-4)

    For i=2 To Len(Ciphertext) Step 2
        oldAsc = Asc(Mid(Ciphertext,i,1)) + offset
        If oldAsc > maxAsc Then
            oldAsc = oldAsc - maxAsc + minAsc - 1
        End If

        Plaintext = Plaintext & Chr(oldAsc)

    Decrypt = Plaintext
    End Sub
End Module


The obfuscated endpoints for these new samples are the following:

zAPQrqmcWlWqGZt = JZtrWmxeCilszIc("+%j^JjWj`f%iF0^%y%+e|_zk;h^nr't*gn\$'i0)X$?kRiH#3[`W8i4j2#p(R$5Wpc(WMpbeedgWhm0iV$cY_eDcI%qF=#R'(*z#1-_$[ZdbxbKG")

IGQtxyonEPfUaJZ = JZtrWmxeCilszIc("^:Y^WjEjZf5i}0[%t%dlfhpWxk^#znC$/ir)y$gk2iP#'[PWjiEjb#'(y$TWPc!W?p+e|dIWqm?i.$gY_evc_%X&0$\p%_~fP/")


Obfuscated code


From here, the infection chain is the same as explained on the Lampion analysis available here.

The files are downloaded from 2 distinct AWS buckets, executed on the targeted machines, and the banking credentials are exfiltrated to the C2 also available on an AWS EC2 instance.

Follow this link for more details about Lampion malware and tracking the updated list of IOCs as well.