The Lampion Trojan is a banking virus that aims to steal sensitive information, take control of infected computers and serve as a platform for further crimes. A new attack carrying a new version of it is being run against users in Portugal by sending out fake tax email notifications that carry the virus code. If the victims interact with the message they will download the initial-stage loader, which then installs the Trojan. Read our article to learn what the Lampion Trojan is capable of and for instructions on safely removing an active infection.
| Type | Trojan Malware, Banking Trojan |
|---|---|
| Short Description | A very dangerous banking Trojan capable of advanced data theft. |
| Symptoms | The victims may notice performance issues and can get infected with other malware. |
| Distribution Method | Mainly via phishing email messages. |
| Detection Tool | See If Your System Has Been Affected by Lampion Trojan (Malware Removal Tool) |
| User Experience | Join Our Forum to Discuss Lampion Trojan. |
The Lampion Trojan is one of the latest malware creations of an unknown hacking group and is currently set against victims located in Portugal. The available information shows that it derives from the code base of a malware family that consists primarily of banking Trojans: advanced threats that monitor the actions of the victims and manipulate web and application form fields, resulting in financial abuse.
What we know about the ongoing attack is that it is performed by an experienced group of criminals. Their identity is not known at this moment; we anticipate that they might be from Portugal or from another Portuguese-speaking country such as Brazil. What is evident from the phishing campaign is that the hackers are using a common and effective strategy of manipulating victims into opening phishing email messages. They impersonate the government finance and tax agency and ask the recipients to open and submit financial documents. To fool the victims into interacting with them, the criminals have copied the design and style layout of the agency's genuine messages. This ongoing campaign was recently launched during the holiday season.
When the victims click on one of the received messages they are led into downloading a file attachment. One of the sample messages carries an archive called FacturaNovembro-4492154-2019-10_8.zip; when the user unpacks it they will see three files: a PDF, a VBS script and a text file. When the user opens the script file (VBS) this starts the Lampion Trojan infection chain, which begins by downloading the rest of the virus data from an Amazon S3 bucket. The data retrieved from the remote server will not trigger firewalls or intrusion detection systems (IDSs), as traffic to the Amazon cloud service is treated as legitimate and safe. The second stage of the infection is the delivery of the main Trojan files, an EXE and a DLL. A security bypass is then triggered which stops any running anti-virus programs and security software that could block the virus from executing. The code analysis also shows that the virus engine modifies the victim system further by creating shortcuts, placing files in system locations and so on.
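Two defensive checks for the delivery chain just described, written as an added example for this article rather than code from the original page or from any vendor. The first inspects a ZIP attachment (constructed in memory here to mirror the PDF, VBS and text-file layout of the FacturaNovembro-4492154-2019-10_8.zip sample) and flags a script file bundled with decoy documents. The second scans proxy log lines for a Windows script host pulling content from Amazon S3, since the article notes that this channel passes perimeter filtering; the log format, host names and bucket name are assumptions.

```python
"""Detection checks for the Lampion lure archive and its S3 second stage.

Added example, not code from the original article. The archive members,
proxy log lines and bucket name are constructed placeholders.
"""
import io
import zipfile
from dataclasses import dataclass, field
from pathlib import PurePosixPath

SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
DECOY_EXTENSIONS = {".pdf", ".txt", ".doc", ".docx", ".xls", ".xlsx"}
# Windows script hosts and interpreters a VBS loader typically runs under (assumption)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
S3_SUFFIXES = (".amazonaws.com",)


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def inspect_attachment(data: bytes) -> Verdict:
    """Flag archives that pair an executable script with decoy documents."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return Verdict(False, ["not a ZIP archive"])
    scripts, decoys, reasons = [], [], []
    for info in archive.infolist():
        if info.is_dir():
            continue
        name = PurePosixPath(info.filename)
        suffix = name.suffix.lower()
        if suffix in SCRIPT_EXTENSIONS:
            scripts.append(info.filename)
            # "Factura.pdf.vbs" style double extensions are a classic lure trick
            if len(name.suffixes) > 1 and name.suffixes[-2].lower() in DECOY_EXTENSIONS:
                reasons.append(f"double extension: {info.filename}")
        elif suffix in DECOY_EXTENSIONS:
            decoys.append(info.filename)
    if scripts:
        reasons.append("script file(s) in archive: " + ", ".join(scripts))
    if scripts and decoys:
        reasons.append("script bundled with decoy documents")
    return Verdict(bool(scripts), reasons)


def script_host_s3_downloads(log_lines):
    """Return proxy log lines where a script host fetched content from Amazon S3.

    Assumed log format: timestamp followed by key=value fields (constructed).
    """
    hits = []
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split()[1:] if "=" in part)
        process = fields.get("process", "").lower()
        dest = fields.get("dest", "").lower()
        if process in SCRIPT_HOSTS and dest.endswith(S3_SUFFIXES):
            hits.append(line)
    return hits


def build_archive(members: dict) -> bytes:
    """Build an in-memory ZIP from {filename: content} for testing the inspector."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for filename, content in members.items():
            z.writestr(filename, content)
    return buf.getvalue()


# Constructed archive mimicking the lure layout: decoy PDF, VBS loader, text note.
SAMPLE_MEMBERS = {
    "FacturaNovembro.pdf": b"%PDF-1.4 decoy document",
    "FacturaNovembro.vbs": "' constructed placeholder, carries no payload\r\n",
    "leia-me.txt": "constructed note",
}

SAMPLE_PROXY_LOG = [  # constructed lines, not real telemetry
    "2019-12-20T10:15:02Z host=WS-17 process=chrome.exe dest=www.example.com bytes=5120",
    "2019-12-20T10:15:40Z host=WS-17 process=wscript.exe dest=example-bucket.s3.amazonaws.com bytes=2415000",
    "2019-12-20T10:16:01Z host=WS-17 process=wscript.exe dest=intranet.example.local bytes=900",
]

if __name__ == "__main__":
    verdict = inspect_attachment(build_archive(SAMPLE_MEMBERS))
    print("attachment suspicious:", verdict.suspicious, verdict.reasons)
    for hit in script_host_s3_downloads(SAMPLE_PROXY_LOG):
        print("script host S3 download:", hit)
```

The attachment check is deliberately based on archive structure rather than file content, so it catches the lure layout before any signature exists for the script itself; the proxy check pairs the originating process with the destination, because the destination alone (a trusted cloud domain) is exactly what the article says lets the download through.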
The actual Lampion Trojan operations feature advanced capabilities that are typical of this type of virus. The features found in the captured Lampion samples include the following actions:
- Remote Connection Startup
- Network Resources Retrieval
- Network Resources Manipulations and Redirect
- Folder Path Retrieval
- Messages Communications
- Communications Parameters Changes
- Custom Functions
- Dialog Box Spawning
- Code Logic Storage
Lampion Trojan infected hosts have been found to conduct extensive information gathering, covering both data belonging to the users and details about the machines. The collected information is retrieved from the system information pages, the installed software, web browser history, clipboard, the file system and so on. Everything gathered is forwarded to the hacker controllers via a secure network connection.
The Trojan allows the hackers to access and manipulate the infected machines via a specially designed web interface. It allows them to monitor the status of the computers and also filter them by applying the following sorting options:
- country
- date and hour of access
- operating system
- computer name
- installed antivirus engine
- version and plugin information
How to Remove Lampion Trojan
In order to fully remove Lampion from your computer system, we recommend that you follow the removal instructions underneath this article. If the first two manual removal steps do not seem to work and you still see Lampion or programs related to it, we suggest what most security experts advise: download a reputable anti-malware program and run a scan of your computer with it. Using this software will not only save you some time, but will remove all Lampion files and programs related to it and will protect your computer against such intrusive apps and malware in the future.