New trojan called ‘Lampion’ has spread using template emails from the Portuguese Government Finance & Tax during the last days of 2019.

Last days of 2019 were the perfect time to spread phishing campaigns using email templates based on the Portuguese Government Finance & Tax. SI-LAB noted that Portuguese users were targeted with malscam messages that reported issues related to a debt of the year 2018.

In detail, the emails are related to the Rendimento de Pessoas Singulares – IRS (annual tax declaration), and any citizen who has received the message can be misled by criminals – as the end of the year is the right time to discuss issues within this context.

The malware was named ‘Lampion’ as this is the name used as part of its internal name. Regarding a broad analysis, it looks like the Trojan-Banker.Win32.ChePro family, but with improvements that make hard its detection and analysis.

In brief, when the victim clicks on the links available in the email body the malware is downloaded from the online server. The downloaded file is a compressed file (.zip) called: FacturaNovembro-4492154-2019-10_8.zip.

As observed, after extracting the file, three files are presented.

The file “FacturaNovembro-4492154-2019-10_8.vbs” is the first stage of the Lampion’s infection chain. This is a Visual Basic Script (VBScript) file that is acting as a dropper and downloader. It downloads the next stage from the compromised server available on the Internet on an AWS S3 bucket.

 

The trojan Lampion uses anti-debug and anti-vm techniques. The use of a commercial protector known as VMProtector 3.x and also specially crafted codes make it difficult to analyze both on a sandbox environment or manually.

After the VBScript file is executed, two files are downloaded: P-19-2.dll and 0.zip. The P-19-2.dll file (Lampion) is a PE File that is executed during a VBScript execution when the affected computer starts. That file invokes the second file, 0.zip, that is a DLL file with additional code on C2 and how the trojan gets details from the user’s computers. This DLL contains a name in the Chinese language with the following target message for Portugal: “Your group of Portuguese suckers”.

Lampion trojan (P-19-2.dll) was sent to the VirusTotal by SI-LAB, and 12 from 71 engines classified it as malware. This is a clear signal that most of the antivirus engines don’t detect yet the malware signature.

 

Details from the computer’s disk, opened windows, clipboard and banking credentials are gathered and sent to the C2 available on the Internet. The malware only runs if the DLL (inside the 0.zip file) is available on the same directory where it is executed.

Users who receive emails this nature should be aware as these files have a low detection rate and will extract sensitive details including banking credentials from victims’ computers. For Portuguese citizens, special attention on this holiday season as this is an ongoing target campaign.

For more details and complete analysis of this malicious campaign see the Technical Analysis below.

 


Technical Analysis

Several emails were received by Portuguese users about a new campaign related to the Rendimento de Pessoas Singulares – IRS (annual tax declaration) during the last days of 2019. Two examples can be seen in Figure 1 below.

 

Figure 1: Two template emails used to spread the trojan Lampion. 

 

At the first glance, just the URLs and their description are different between both templates. The URLs are responsible to download a zip file that contains three files described below.

Figure 2: URL  (1) hosting the malware on the Internet (a zip file).

 

Figure 3: URL (2)  hosting the malware on the internet (a zip file).

 

Why Lampion?

As observed, the malware icon is a “lampion”, and the original name is “Lampion”. It seems a reference to a Japanese lampion.

Figure 4: Malware’s original name and details.

 


Lampion trojan malware – The 1st stage


Threat name: FacturaNovembro-4492154-2019-10_8.zip
MD5: e7bdce5505ee263530dea04c2fdc661f
SHA1: d4927477b71cbf540a894cf2c5849209b64c92af


This is the zip file that contains the malware’s first stage downloaded from compromised servers online. It is a zip file, with a low detection rate, and it contains inside 3 other files.

Figure 5: Available files after extracting the zip file.

 

The files are as follows:

  • [1] – FacturaNovembro-4492154-2019-10_8.pdf (51fbca86a499c55ce31179fc36e0d889)
  • [2] – FacturaNovembro-4492154-2019-10_8.vbs (3350e74a4cfa020f9b256194eae25c12)
  • [3] – Politica de Protecao de Dados – ST-8 (deb80a47496857e24c0bc57873b25707)

 

Only the  [2]  file (FacturaNovembro-4492154-2019-10_8.vbs) has malicious code capable of infecting victims’ computers.

In contrast, files [1] and [3] are harmless and are only used as a way of inducing the victims to open the VBS document – the Lampion 1st stage.

Figure 6: Snippet from the Politica de Protecao de Dados – ST-8 file, never used during the malware infection chain.

 

On the other hand, the PDF file [1] is just a PDF file with some information contained inside, and without malicious links or activity to collect details on the victim’s computer.

Figure 7: Object content from FacturaNovembro-4492154-2019-10_8.pdf.

Figure 8: Content available on PDF file FacturaNovembro-4492154-2019-10_8.pdf.

Figure 9: Translation from the Portuguese language to English.

 

The file states that the  file to be executed is here, in the same directory of the PDF file . That message is completely confidential, has a unique code, and the date of issuance is highlighted to create a bad feeling on the victim’s side.

 


Threat name: FacturaNovembro-4492154-2019-10_8.vbs (Lampion – 1st stage)
MD5: 3350e74a4cfa020f9b256194eae25c12
SHA1: 7f5960ff9feff30d2f4a4c1598dd22632ceea0cb


This file has a  detection rate of 25/58  and is classified as a Trojan Agent. It is, in fact, a trojan downloader/dropper as it downloads the next stage from the Internet and also drops a new VBS file that will be executed whenever the victim’s computer starts. It looks like an improvement form of the Trojan-Banker.Win32.ChePro family.

Figure 10: VirusTotal analysis from FacturaNovembro-4492154-2019-10_8.vbs file.

 

Looking at the file, it is obfuscated, but in this case, the technique used by criminals was simple: just add commentaries (junk blocks) between the lines of the malicious code to make it confused.

Figure 11: First stage of the Lampion malware – obfuscated code. 

 

After a few rounds of code cleanup (deobfuscation), the final code comes up. Before going into the detail, the high-level diagram with the overall behavior of the file is presented.

 

Figure 12: Lampion 1st stage high-level diagram.

 

In detail, the first stage works as described below.

  • It depends on the initial victim’s action.
  • The VBS file downloads additional files from the Internet (the 2nd stage – the Lampion itself).
  • 2 files are downloaded to the AppData Windows folder, and a new VBS file is also created with the code that will execute the trojan every time the victim’s computer starts.
  • A .lnk file is created on the Windows StartUp folder to execute the trojan (a persistence technique).
  • Finally, the victim’s computer is forced to reboot and the trojan malware starts its execution.

 

Digging into the details – Lampion 1st stage

The 1st stage has random functions to generate random names that will be used to rename the next malicious files created on the victim’s machine. Line 27 is where the Wscript object is created that will be used to create a .lnk file on the Windows StartUp folder. All the malware source code is commented on the next images.

Figure 13: Random functions that generate random names – (1/5).

 

The next figure has the function to decrypt the URLs from which the 2nd stage of malware is downloaded.

Figure 14: Decryption function used to decrypt the URLs where the next stage is available – (2/5).

 

Next, all the shortcuts (.lnk) files are deleted from the operating system StartUp folder (line 65).

After that, all the VBS files from the operating system StartUp folder are also removed to prevent other files can start with the OS. A randomly named folder is created in the Windows AppData directory that will keep the malicious files.

Figure 15:  Some operations are performed, such as create folders on AppData and setting the default process security level with VBScript – (3/5).

 

Now is time to download the 2nd stage from the Internet. Two files are obtained from 2 AWS S3 buckets.

Figure 16: Trojan 2nd stage is downloaded from two AWS S3 buckets – (4/5).

 

The URLs are encoded with the following strings:

logs = Decrypt("&aQ^>jhjqfFi`0o%B%~\tkLYya'jL^\[{m[e1hYb~Z!$miU)e$5k3i]#*[OWHi(jc#-(F$bWHcVW\pWe;deW3m$i_$TY%emc^%s&M$Tp^_OfxK")

ur = Decrypt("{PL^7j\j9f)is0D%9%aiXZ~]E^\i#k*_+ZW^(eU_-ZNe^]5^;i}ZaYm'Y/wYH$6im)6$tksiw#|[dWNi)ja#*(~$oWzc+Wip@e6d2W&m.ix$uYde&ch%{F,#8'9/T#F(]$`ZdbrbY#")

 

To get the result of plain-text URLs, SI-LAB is keeping the decryption code available on GitHub. The result is as follows.

Figure 17: Clean URLs as a result of the decrypted function output (available here).

 

As observed, the output shows us two AWS-hosted addresses that contain two malicious files, namely:

hxxps[:]//fucktheworld.s3.us-east-2.amazonaws[.]com/0.zip
hxxps[:]//sdghsuidhoidoghsdc19c.s3.us-east-2.amazonaws[.]com/P-19-2.dll

 

The 0.zip file is a DLL with additional code loaded by PE File P-19-2.dll during its execution. It is the PE file that will be executed each time the infected machine starts. This file is overly large (32 MB in size), with a lot of trash to make it difficult to detect.

Continuing to the last part of the 1st stage, the VBS file, in the last phase a VBS file is created in the AppData folder (C:\Users\user\AppData\Roaming\lkuuxelnxqy.vbs).

Also, a .lnk is created in the Windows StartUp folder (C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lkuuxelnxqy.lnk) which will then execute the next malware stage (P -19-2.dll).

Figure 18: VBS file is executed and the operating system is restarted – (5/5).

 

Finally, WScript.Shell runs the created VBScript file, the victim’s computer is forced to restart, and the malware itself (P-19-2.dll) runs on the infected machine.

 

Lampion Trojan – 2nd Stage (after the persistence)


Threat name: P-19-2.dll
MD5: 18977c78983d5e3f59531bd6654ad20f
SHA1: 941d03715af25f7bfedaaf86081ebc2046b4b019


From the first submission we noticed that the threat was recent and unique in VirusTotal.

Figure 19: Lampion VirusTotal detection rate (P-19-2.dll).

 

This file first appears as a DLL, but it is a PE File. As can be seen from Figure 15 – line 86, it is written directly to disk as an executable.

As noted, 12 of 71 AV engines classified the file as malware. The file is extremely large (32 MB), with a lot of junk allowing, thus, to evade antivirus engines as a result.

 

The malware’s protection

As explained below, malware is protected by VMProtect 3.x which makes it difficult to analyze even through a manual approach.

VMProtect protects code by executing it on a virtual machine with non-standard architecture that makes it extremely difficult  to analyze and crack the software. Besides that, VMProtect generates  and verifies serial numbers, limits free upgrades and much more.

 

After some rounds, we found that it is protected with the VMProtect 3.x .

Figure 20: Lampion protected with the VMProtect 3.x.

 

VMProtect has 3 protection modes: MutationVirtualization, and “Ultra” (both methods combined).

Mutation does what it says it does: it mutates the assembly code to make automated analysis of it harder. The resulting mutated code varies drastically per compilation.

On the other hand, Virtualization translates the code into a special format that only a special virtual machine can run. It then inserts a “stub” function to call the VM where the actual code was supposed to be ran.

 

Another detail is two sections identified in PE File ( vmp0  and  vmp1 ), which contains the packed binary code which will later be devirtualized at runtime, and also has the EP (entry point) where the binary will be executed first.

Note: Details about the VMProtector disassemble will not be displayed in this analysis as it is commercial software for packing and protecting executable files.

Figure 21: Malware sections and high entropy of section vmp1. 

 

As shown, there are two sections in binary (vmp0 and vmp1) with high entropy that are known as a result of VMProtector. Also, the EP is outside of the standard location. Now it is on: .vmp1.

In detail, the malware was developed in Delphi. The IDE Embarcaredo was used to support its developing.

Figure 22: Resources from the Lampion trojan malware.

 

As noted from Figure 22, all the source-code logic is available within a feature called TFORM1, a Delphi form.

Figure 23: Details about Embarcaredo.

 

However, once the malware is protected with VMProtector, it is not possible to decompile the binary source-code.

 

Disassembling – Deep inside

By disassembling it, it is possible to get a binary dump by indicating the potential OEP (original entry point). Although part of the binary code remains obfuscated and protected, through this technique, it was possible to get some details about the inner structure of the malware.

Figure 24: Dumping the binary code, building the binary IAT and get internal details on how it works.

 

The extracted file has its partial IAT messed up and the name of each function does not appear because its respective virtual addressing is necessary to convert it to a raw addressing. This is a result of the VMProtector 3.x.

After the partially unpacked binary, we can see some functions it is using, namely:

  • ShowWindow: Sets the specified window’s show state.
  • GetWindowTextW: Copies the text of the specified window’s title bar.
  • IsDialogMessageW: Determines whether a message is intended for the specified dialog box.
  • GetDesktopWindow: Retrieves a handle to the desktop window.
  • GetCursorPos: Retrieves the position of the mouse cursor, in screen coordinates.
  • GetMenuState: Retrieves the menu flags associated with the specified menu item.
  • GetKeyboardLayoutNameW: Retrieves the name of the active input locale identifier.
  • OpenClipboard: Opens the clipboard for examination.
  • EnumDisplayMonitors: It enumerates display monitors.

 

Figure 25: Functions used to get details about the victim’s computer.

 

During the static analysis, we identified some functions such as HideFromDebugger and IsDebuggerPresent, and even the library SBIEDLL.DLL which aims to detect if the program is running in a virtual environment.

 

Lampion – Dynamic Analysis

At the moment, the file 0.zip has not been used (the second one that was downloaded and presented in Figure 16).

When the Lampion is running, it will try to read the 0.zip file from the same directory where it is executing (AppData, in this case).

Figure 26: 0.zip file not found and a popup message is presented. The malware terminates its execution.

 

The 0.zip file was not found (the second file downloaded by VBScript). By submitting the executable file to sandboxes on the Internet, it will never be run derived from this dependency. This can be seen as a mechanism for a dynamic analysis not to be performed properly.

By fixing this detail, we can validate that malware actually can read the file.

Figure 27: 0.zip file is now accessed by Lampion and its content is loaded.

 

The 0.zip file is a compressed file with a DLL inside it with additional code. But the file is protected with a password. Only the 2nd stage (Lampion) has that password inside.

Figure 28: 0.zip file protected by a password hardcoded inside the malware 2nd stage (Lampion trojan).

 

This can be seen as yet another anti-reversing mechanism introduced by malware authors.

To get details about the library inside the 0.zip file, we analyzed the 2nd stage and identified the right moment the file is unzipped to obtain the password hardcoded from memory (as it is obfuscated).

Figure 29: Password of 0.zip file extracted from memory.

 

After extracting the files, we can see that its name has Chinese characters. Through the translated message “Your group of Portuguese suckers” we can conclude that this threat is targeting Portuguese citizens.

Figure 30: Message left by criminals indicating that the threat is targeting Portuguese citizens.

 

Again, this file is also protected with VMProtector 3.x. This can be observed in Figure 31.

Figure 31: 0.zip file sections.

 

As shown, most of the file content and EP address are located in the vmp01 section. From Figure 32, we can observe the DLL export address table (EAT).

Figure 32: Export Address Table (EAT) from the DLL inside 0.zip.

 

That DLL contains part of the trojan code. Those functions are imported from this DLL. Some of the available functions are:

  • WNetUseConnectionW: It makes a connection to a network resource.
  • WNetGetConnectionW: This function retrieves the name of the network resource associated with a local device.
  • WNetAddConnection2W: This function makes a connection to a network resource and can redirect a local device to the network resource.
  • SHGetFolderPathW: Gets the path of a folder identified by a CSIDL value.
  • FilterSendMessage: This function sends a message to a kernel-mode minifilter.
  • FilterConnectCommunicationPort: It opens a new connection to a communication server port
  • DoThisBicht: Function invoked when the DLL file is loaded.
  • CryptUIDIgCertMgr: It is a function that displays a dialog box that allows users to manage certificates.
  • CallFormPrincipal: It has the source-code logic about keylogger and C2.

 

In detail, we can examine all the malware operations while we open a browser for accessing a home banking website (the malware is activated during the https operation because the certmgr.exe is launched).

An interesting detail found on “CallFormPrincipal” is the request method and C2 IP address.

$_POST=&plug=NAO&sowin=Windows%207%20Home%20Premium%20-%206.1%20-%207601
hxxp://18.219.52.4/PT/VaiPostaProPai.php

 

It also validates the windows hosts file to check the remote system discovery.

C:\Windows\System32\drivers\etc\hosts

 

During malware execution, we verify that it collects data from clipboard, disk, browsers, and sends the details via a request to the C2 server available on the Internet.

Figure 33: POST request sent to the C2 available online with details about the victim’s computer.

 


Lampion – C2 portal

On server C2, a portal is available that we did not have access to, however, it was possible to collect some interesting details.

An interesting indicator is that this banking trojan does not have a high detection rate, and can easily run and make persistent on victims’ computers.

For example, the URL where the victim data is sent (the POST request) is not identified as malicious by the antivirus agents at the moment of writing this report.

Figure 34: C2 server not detected on VirusTotal.

 

As shown, the login page this panel can be accessed and a username and password are required.

Figure 35: Login page of C2 panel.

 

Based on some paths available on the server-side, we can find that this is a portal already known and shared in the past by David Montenegro along his analysis.

Figure 36: Details on the C2 portal (flags that identified the victim’s origin).

 

 

As observed, the panel has details about the victim, namely:

  • Country;
  • Date and hour of access;
  • Operating System;
  • Computer Name;
  • Installed antivirus engine;
  • Version; and
  • Plugin.

 

Figure 37: Images about the potential C2 portal.

 

Figure 38: Lampion overlay screens (courtesy of MillenniumBCP -Portugal).

 

We contacted Amazon Web Services (AWS) to decommission the domains and C2 server before publishing the article, ensuring, thus, that the threat has been contained in a good way and by preserving the victim’s information. Nonetheless, malicious endpoints are still active at the moment of writing this report.

 

Lampion – Mitre Att&ck Matrix

 

 

Indicators of Compromise (IOCs)

URLs
rebrand[.]ly/mmvk36?=NOWAUVJBNOWAUVJBNOWAUVJBNOWAUVJBNOWAUVJBNOWAUVJBNOWAUVJBNOWAUVJBNOWAUVJBNOWAUVJB
hxxp[:]//100.26.189.49/PY/App.php?=5wzpz2e7xglkzmh
hxxps[:]//fucktheworld.s3.us-east-2.amazonaws.com/0.zip
hxxps[:]//sdghsuidhoidoghsdc19c.s3.us-east-2.amazonaws.com/P-19-2.dll
hxxp[:]//18.219.52.4/PT/VaiPostaProPai.php

Hashes
e7bdce5505ee263530dea04c2fdc661f (FacturaNovembro-4492154-2019-10_8.zip)
deb80a47496857e24c0bc57873b25707 (Politica de Protecao de Dados - ST-8)
51fbca86a499c55ce31179fc36e0d889 (FacturaNovembro-4492154-2019-10_8.pdf)
3350e74a4cfa020f9b256194eae25c12 (FacturaNovembro-4492154-2019-10_8.vbs)
18977c78983d5e3f59531bd6654ad20f (P-19-2.dll | P-19.2.exe - Lampion)
76eed98b40db9ad3dc1b10c80e957ba1 (你的一群葡萄牙人的吸盤)

C2
hxxp[:]//18.219.52.4/PT/VaiPostaProPai.php
hxxp[:]//18.219.52.4/PT/index.php
hxxp[:]//18.219.52.4/PT/admin.php
hxxp[:]//18.219.52.4/PT/png/pt.png
hxxp[:]//18.219.52.4/PT/SO/
18[.]219.52.4/PT/painelADM.php
18[.]219.52.4/PT/painel.php

$_POST=&plug=NAO&sowin=Windows%207%20Home%20Premium%20-%206.1%20-%207601


-----/-----------/-----------/---------
New Wave/samples 01-12-2020
----/------------/------------/--------
C2 
hxxp://18.217.136[.]142
/PTG/PostaEstaPorra.php?plug=NAO&GBS=&SYS=Microsoft%20Windows%207%20Professional%20&USERPC=admin%20-%20USER-PC&AVS=&NAV=IE&ORI=CA.1.0
hxxps://guridosinferno.s3.us-east-2[.]amazonaws.com
hxxps://sdufyuidgfysviuvsdiufsdg04g.s3.us-east-2.amazonaws[.]com

Hashes
65283458b84abbb4859e69367cf2b6db
6a55add166979082c4a5771ce7088c7d


-----/--------/--------/--------------
New wave 01-14-2020
------/---------/-------/-------------
From:
portaldasfinancas1u@gov[.]pt

Malicious VBS file:
FacturaDezembro-102587-2019-10_2.vbs

URLs:
hXXps://nothingcanstopus.s3.us-east-2[.]amazonaws[.]com/0.zip
hXXps://sdgsdbfabsfuhoiuhfosdpnfsdbc13c.s3.us-east-2[.]amazonaws[.]com/P-13-8.dll
nothingcanstopus.s3.us-east-2[.]amazonaws[.]com / 52.219.100[.]96
sdgsdbfabsfuhoiuhfosdpnfsdbc13c.s3.us-east-2[.]amazonaws[.]com / 52.219.88[.]72


C2:
hxxp[:]//18.217.}136[.142/PTI/index.php
POST /PTI/PostaEstaPorra.php


Hashes:
7d2def754f33b7ff84b69b50f0b2b37a (0.zip)
217f2109bfbbe7cb3bfb0cc2824d9fac (P-13-8.dll)
d7a54b62097678df7ad6a0d2871dc342 (FacturaDezembro-102587-2019-10_2.vbs)

https://urlhaus.abuse.ch/url/288135/
https://urlhaus.abuse.ch/url/288134/

https://pastebin.com/5b0p5Vda


---/---------------/---------------/--
New wave 01-16-2020
/---------------/------------/--------
SHA1: 7c4373ef103fc4f26fb3ef0e67337b2bad28c6a00122eb16560d552bf3666029
Factura-Janeiro-2145892315-2019-10_28.vbs

URLs:
hxxps://fghdsfuoiyiuwjkbsdfguuiosdgc19c.s3.us-east-2.amazonaws[.com/P-19-2.dll
hxxps://nothingcanstopus.s3.us-east-2.amazonaws.]com/0.zip.dll 

C2: hxxp[:]//18.217.}136[.142/PTG/index.php
POST /PTI/PostaEstaPorra.php


-----/-----------/------------/----------
New wave 12-02-2020
---------/-------------/-----------/-----
MD5: 0998f6473004e0ba54ead5784ba62db8
VT: https://www.virustotal.com/gui/file/b1439399ba75857a3d4add37fb9a2cb585ec3bd3bd01c19a1b116d74cdf4e3c2

URLs:
h}//vrau-x.s3.us-east-2.amazonaws.[com/0.zip
h//oiurx14x.s3.us-east-2.amazonaws.}com/P-14-7.dll

C2:   
http:]//13.59.112.]88/NPT/PediuPraPostarPostou.php


----------/---------------/Lampion origin servers - Turkey 27-02-2020 -----/-----------/--
185[.219.133.128
185[.181.209.7
hxxp://185[.181.209.7/005.]php
hxxp://185[.219.133.128/005.]php

Nome do Servidor: Linux portaldasfinancas
[- Foi Tudo sapohha! - By ] 

Google-dork
q=+%22Sistema%20Operacional%22%20+%22Endere%C3%A7o%20IP%22%20+%22Software%20usado%22

 

Lampion V2 – IOCs (February 2020)

 

URL: https://seguranca-informatica.pt/lampion-malware-v2-february-2020

 

Lampion origin – servers geolocated in Turkey (27th February 2020)

Lampion malware origin servers geolocated in Turkey

 

Lampion is back after 3 months (May 2020)

Trojan Lampion is back after 3 months

Yara rules

rule Lampion_VBS_File_Portugal {
  meta:
  description = "Yara rule for Lampion Portugal - December version"
  author = "SI-LAB - https://seguranca-informatica.pt"
  last_updated = "2019-12-28"
  tlp = "white"
  category = "informational"

  strings:
    $lampion_a = {53 65 74 20 76 69 61 64 6f 20 3d 20 63 75 7a 61}
    $lampion_b = {76 69 61 64 6f 2e 57 69 6e 64 6f 77 53 74 79 6c}
   
  condition:
    all of ($lampion_*) 
}


---------------------------------
import "hash"

rule Lampion_DLL_Portugal {
  meta:
  description = "Yara rule for Lampion Portugal - December version"
  author = "SI-LAB - https://seguranca-informatica.pt"
  last_updated = "2019-12-28"
  tlp = "white"
  category = "informational"

  strings:
    $lampion_a = {5468 6973 4269 6368 7400 4669 6c74 6572}

  condition:
    all of ($lampion_*) or
    hash.md5(0, filesize) == "76eed98b40db9ad3dc1b10c80e957ba1"
}


---------------------------
import "hash"

rule Lampion_malware_portugal {
  meta:
  description = "Yara rule for Lampion Portugal - December version"
  author = "SI-LAB - https://seguranca-informatica.pt"
  last_updated = "2019-12-28"
  tlp = "white"
  category = "informational"

  strings:
    $lampion_a = {3f 3f 3f 3f 3f 3f 3f 74 61 3f 3f 3f 3f 3f 3f 00}

  condition:
    all of ($lampion_*) or
    hash.md5(0, filesize) == "18977c78983d5e3f59531bd6654ad20f"
}

All yara files available here.

 

Yara Retro hunt on two multi-scanners

348e3fd080c8002b826be2577ffa3bc64f263aa779c9f8ff88e4642c294c4381
418dbcf5f8d5ad7e16a0bb48c1e14cb269bf5bd814f0a70c3aa90ce787136047
990982736492bfa0b2a39b0fd05959fa92ca3a282e36977a2523b3fe641a4c34
54cce7adca859d6bd85779ec7fa4fc7eb327f5067d25b1dada722ccdcf108281
9e77a03223de62be70afe19961ca8d0b88b46c20c834a5bab30ab3334baa2415
07f5932be35a720a74fc10e7ee6011fa2a8ee4c6df7cf9a6f06bfdc7bd5ec4a1
09d44bdae0db9a91b86831f857efb45b05f62024a9b68c6977502a4dd729af76
33166f904f6820a1ed22c75ead41102ce62dad0070dd314b899ab76b60a21378
0eb71171482dd5db49bae10f9bf55d7bcbf0b4370f4a86654fac9d3bdc6b20ab
f044d1de37ca8903c7bf6038e465bebc0c1ca2c9c8b53e19e1b8226fa820302f
2e77d53186bd0a1a269864aca2369aae7a2629d1914c77bf6bc69e76aac491e2
7c8c4ab0dd084a7e6e784923f1b125e3b6009f75269331639b120641508f7f51
98db1f47e98a007ad5dfe0c5e1c6eb80dd5e171d6f252dda14c628ecf7c3f836
fbd0c68e699e9d78da85ab11c7d50af71cb84e6d652f9ab8f8ac657bfb102920
c52c0ae1c558be6eead13f50a9ea27a0eba1c4cdce17901ec3903c7b5e9eada0
5c2e9c3cbcf7da70493da3f6efd6f6199d37ad68030a85303644992fbf12293c
875cf24a3863f3e379c158de11baf5e0c70507ab7f37556ed8704e178ddf66ec
1c1c64cf15b13aa67952830b5d606e7793456ddbf266910056ae16505fc57b0d
ce53debed7256fb71532e0348214356383070d24cc86ac59e94395225761f765
f752698342d8dc62ff0e27a065e79c71bca87604ef786f838fc8e0513ce97cfc
ae9e53806d5287f3e22f4e6549b1286c28aa529b1267b4369f9db60529fefbfa
643d400cbdcff21ca2c0b8539f6990e22ababc740ced01f466150e44b669edf5
79aaa08982958ac5fa37e3709a6787619777e11af773609fd974095dfdb0f0fa
9d9252149a6db832fd205e4d0d3395cee5c6251f91df9730315ae4b354e839f0
8802e4b1a460d8f8b369928ed6379f800a1053506c33b3422c52d4c30628b560
de8d3218d1509d255da05f3e3c1846a92d82badddbcebffd5e721256d7635fd5
aad423e2956e0f5b3fabe3b6ac624c929533acd9f2c93ecd210227a9b13a36f7
8f04e52d69b1bdd7e4d6877ce0841ba8779f7649c16712d9d962044b2409b482
bc4ed9ef17e608a4b00ab3b5f0c2cfe956275eb0106a9b5b82076ce2c64cfb15
f36406b797ab4f739d0a6add29fdf72289c70019b5200ebdce78b3d3db0d79dc
8ac60cd9bc9a44e558e840a6bebdd27c73a9ce167a66cf6c8d462e46848fe8a3
29eeba2cbe0f3f6b119ebcc33f23d13964af26ee744419711aa24c6110c1510a
9a2f575d77cc03afe1230666ed23c1da58dd1644abf02e2487c6cd0db8b2a26d
73edad845ab2ba5aa55ac7757c8ff19072cba49dc44d811710858e1e42d6763d
33f6daf3ee3b851800b5928b41fc208ac915d5ec2ffb3ebe13490c474c6cef58
edf3b71d1f4e7adae5b58a8f3f865882b5851d3d5e6ef142643eb3ea2066efe1
0604586fcea208bcb4350d7dd9d5c250702f1a0e9ec0d6801b272ace6918d34c
f90ff089745109a3d59f8ba05d33547ae27df08cc269644ba1a41c9b9fcb782c
2298b7ee6aeb19cd6c9e2f3ae6377e1cf5aab0d2d3f3102d4d51683c79a91da8
4494da2105572a5ad07bd08110e35045c34967306f12a7ea7c91fffc0f79f599
113232ed76536c2255f972f4bb2e3d2aafd01b643da83a04eb80f1809729a898

 

Thank you to all who have contributed:

– Corsin Camichel @cocaman
– David Montenegro @CryptoInsane

 

 


51 Replies to “Targeting Portugal: A new trojan ‘Lampion’ has spread using template emails from the Portuguese Government Finance & Tax

  1. Pingback: URL

Deixe um comentário

O seu endereço de email não será publicado. Campos obrigatórios marcados com *