Lampion is a banking Trojan that is currently being used to target users in Portugal. The threat is distributed via phishing emails that claim to come from the Portuguese government, and they often use subjects related to debt and tax payments – topics that are likely to attract the user's interest and lure them into reviewing the email's contents. What all these phishing messages have in common is that they urge the victims to download a 'ZIP' file attachment that carries three files – a VBS file, a document and a text file. When the VBS file is executed, the script connects to an Amazon-hosted server and fetches the payload of the Lampion Trojan in the form of a 'DLL' file.
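As an added example (not part of the original article and not code from any security product), the following Python function triages a ZIP attachment the way a mail gateway could, flagging the bundle described above: a script file packed alongside a document and a text file. It generalizes beyond VBS to other Windows script extensions; the extension sets, function names and sample file names are assumptions made for this example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumption: extension sets chosen for this example; the article names only
# "a VBS file, a document and a text file".
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".rtf"}
TEXT_EXTS = {".txt"}


def triage_zip(data: bytes) -> dict:
    """Classify a ZIP attachment by the file types it carries."""
    result = {"verdict": "allow", "scripts": [], "reason": ""}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result.update(verdict="quarantine", reason="not a readable ZIP")
        return result
    with archive:
        entries = [i for i in archive.infolist() if not i.is_dir()]
        if any(i.flag_bits & 0x1 for i in entries):
            # Encrypted members cannot be inspected, so hold the message.
            result.update(verdict="quarantine", reason="encrypted member")
            return result
    exts = [PurePosixPath(i.filename).suffix.lower() for i in entries]
    result["scripts"] = [i.filename for i, e in zip(entries, exts) if e in SCRIPT_EXTS]
    if not result["scripts"]:
        return result
    # A script next to decoy files matches the bundle the article describes.
    decoys = any(e in DOCUMENT_EXTS for e in exts) and any(e in TEXT_EXTS for e in exts)
    reason = ("script bundled with document and text decoys" if decoys
              else "script file inside ZIP attachment")
    result.update(verdict="block", reason=reason)
    return result


def build_sample(names) -> bytes:
    """Constructed sample: an in-memory ZIP with harmless placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in names:
            z.writestr(name, "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample(["invoice.vbs", "invoice.pdf", "readme.txt"])))
    print(triage_zip(build_sample(["report.pdf", "notes.txt"])))
```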

It seems that the Lampion Trojan's authors have focused on implementing features whose purpose is to make it very difficult to analyze the threat – it excels at avoiding sandbox environments, and it takes the necessary measures to stop its execution if it detects the presence of popular malware debugging tools. If there is nothing to hinder the Lampion Trojan's execution, it will add a new Windows Registry key that commands the operating system to launch the threatening program whenever the computer boots up.

The Lampion Banking Trojan is able to retrieve information about the user's activity while browsing the Web, and it can manipulate their connection to take them to websites selected by the attacker – this way, the victim may be redirected seamlessly to a phishing page when they are trying to browse a legitimate online banking portal. Last but not least, the operators of the Lampion Trojan can spawn dialogue boxes, which may enable them to bypass two-factor authentication systems and other security measures that banking portals use.

It is not clear if the Lampion Trojan is the product of a popular cybercrime organization, but cybersecurity researchers expect to see the threat being used in other campaigns in the future. While the current attack focuses on Portuguese users exclusively, this is likely to change soon. To protect your system from the Lampion Banking Trojan and other high-profile cyber-threats, you should invest in a reputable cybersecurity product.


