Expert spotted a new release of the Lampion trojan banker that was launched with fresh improvements in the way the malware loader operated.
A new release of the Lampion trojan banker was launched with fresh improvements in the way the malware loader – the initial VBS file – is operating.
The recent wave has been noted in Portugal and is impacting clients of several Portuguese and Brazilian banking organizations and also some cryptocurrency platforms.
Lampion was first documented in December 2019, and it was distributed in Portugal via phishing emails using templates based on the Portuguese Government Finance & Tax.
More recently, in May 2020, a new variant of Lampion was observed. Here, it was distributed using fake webpages, where the victim downloaded an MSI file, which then held the remaining Lampion infection chain.
Our analysis of the phishing email of this new campaign detected at the end of June – July 2020 showed that the template is very similar to the template distributed on May 8th, 2020. A fake template from SAPOTRANSFER was used with the message inside the email referring to any missing payment or invoice.
Figure 1: The email template used in July 2020 is similar to the previous one used in May 2020.
These emails are sent towards the end of the month, simulating the payment of a service or bills – the ideal time to catch the most reckless victims.
Figure 2: Files available after decompiling the ZIP file distributed via email.
Looking at the following images, the PDF file inside the ZIP file is just a decoy to distract the victim. The text is written in Portuguese, and just the logo at the end of the document was changed between May and July malware versions.
Figure 3: PDF file and content delivered are similar, only the logo at the end of the document was changed.
As previously stated [1], [2], the VBS file is one that, when executed, serves as a downloader for the infection chain. Once executed, additional files are downloaded from Google Cloud, which are loaded into memory using a well-known technique called DLL injection.
Once again the code in the VBS file is obfuscated to make it difficult to analyze.
Figure 4: VBS file – Lampion downloader – obfuscation layer.
It is important to note that this new release brings some changes to Lampion’s documented modus operandi. The next graph presents the various forms already documented the threat.
Figure 5: Different ways of how Lampion has been distributed in-the-wild.
As noted, malware is usually distributed with a simple email template, where the victim downloads a ZIP file with a VBS downloader inside. However, in May 2020, criminals used a fake page to distribute an MSI file, which used the theme COVID-19 that impersonates the Portuguese government, and which, after being executed, launched the VBS file.
The infection chain, in both scenarios, starts through the VBS downloader file. This file is responsible for downloading two files from online Clouds, such as AWS, Microsoft, SAPO, and more recently Google, creating, thus, persistence on the machines to execute the threat every time machine starts.
In detail, an EXE file was downloaded, which when executed, injects into memory the second DLL inside the 0.zip file and protected by a password. This DLL has the trojan code protected using the VM-Protector, a commercial packer.
However, in this new release, two DLL files are distributed . VBS file leverages the Windows rundll32 library to inject the first DLL into memory (P-14-7.dll), and it is then responsible for loading the second DLL into memory and starting, thus, the infection process.
Deofuscation and renaming VBS calls
After a few rounds of deobfuscation and renaming calls, we have a clean version of the source code to analyze in-depth.
Figure 6: Deofuscated VBS file – Lampion trojan July 2020.
Some parts of the code are highlighted in Figure 6 and described below:
- Function to generate random strings is used to generate arbitrary folders and file names.
- Random strings generation.
- Function used to decrypt strings.
- Delete *.LNK files from the Windows startup folder.
- Delete *.VBS files from the Windows startup folder.
- Create a random folder on %appdata% to host the downloaded files (P-14-7.dll and 0.zip).
- Get classes for computer hardware and configuration.
- Google Cloud URLs obfuscated (URL1 and URL2).
- Download the 2nd stage from Google Cloud (0.zip).
- Download 1st stage – trojan loader – from Google Cloud (P-14-7.dll).
- Create .VBS file inside %appfolder% – persistence technique used by criminals.
- Generate the content of the .VBS file (decryption functions, DLL injector, and anti-VM/sandbox).
- Create a folder inside the Windows startup folder.
- Crete .LNK file inside the Windows startup folder.
- Set up .LNK file to execute DLL injection via rundll32.
- Sleep and shutdown commands are two techniques for online sandbox evasion.
- Trojan starts.
In detail, the malware uses a .LNK file to inject the first stage P-14-7.dll into memory. Then, the call YourGonnaPayMeToday is invoked as shown in Figure 7. This DLL is used as a loader for the final payload, a DLL inside 0.zip file, and it is injected into memory via DLL injection. Both files are protected with the commercial packer – VM Protector.–create LKN file– C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\usynknwwbmj.lnk——–run-dll———CommandLineArguments: C:\Users\admin\AppData\Roaming\59684788644313\eakyvqgqeovfzwxau27622472643851.dll YourGonnaPayMeToday WorkingDirectory: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\usynknwwbmjRelativePath: ..\..\..\..\..\..\..\..\..\Windows\system32\rundll32.exe TargetFileDOSName: rundll32.exe HotKey: (none) RunWindow: Normal IconIndex: (none) TargetFileSize: 0 FileAttributes: (none) Flags: IDList, RelativePath, WorkingDir, CommandArgs, UnicodeFinal payload:rundll32.exe C:\Users\admin\AppData\Roaming\59684788644313\eakyvqgqeovfzwxau27622472643851.dll YourGonnaPayMeToday
VBS file – Decrypted strings
Encrypted: 4Ic^GjEj/fzie0[%2%yifjne$h4Wf]g[m$O]6eDeo]wbg[aWSf5_siR$[YDeKcv%HXJe.cEXT[Zj4WkXnhSWKd4YBWx[Xl+_{dC^`et%o&F$upP_DfpZDecrypted: hxxps://storage.googleapis.]com/bombetabrancaevinho/0.]zipEncrypted: r?F^5jAj.fCiB0*%Z%%i<jTefhMWl]x[.$u]uefe\]wb[[JW.fk_%iF$sY}ePc+%`X&e2c]X][bjnW?X*h’WfdeY_WC[.lo_]db^WeT%eF(#g’=*o#o-Q$-Z8b/b-jDecrypted: hxxps://storage.googleapis.]com/bombetabrancaevinho/P-14-7.]dllEncrypted: k8NhIk;dUZLb$b/)0(5:Decrypted: rundll32 Encrypted: J.9Obeck[h6=nePd{d>WWFQWGoiC|[5Joe,Z<WDo=4Decrypted: YourGonnaPayMeToday
As seen in Figure 5, the initial versions of Lampion were distributed in the form of the EXE. This file was responsible for unpacking the DLL from the 0.zip file and injecting it into memory.
In this version, two DLLs are distributed instead of an EXE and single DLL. The first (P-14-7.dll) is injected via DLL injection by the VBS file at the initial stage. For this, it invokes the call YourGonnaPayMeToday from EAT.
Figure 7: Call invoked to load the DLL in memory (YourGonnaPayMeToday) – 1st stage.
This first file is called by the VBS script and loaded into memory via the DLL injection technique using rundll32.exe from Windows, a technique widely used by red teams and pentesters when used Metasploit framework.rundll32.exe C:\Users\admin\AppData\Roaming\59684788644313\eakyvqgqeovfzwxau27622472643851.dll YourGonnaPayMeToday
As other trojan bankers from Latin America – Grandoreiro – criminals are using arbitrary BMP images to increase the size of binaries, thus avoiding signature detection and also making it difficult to analyze via online sandboxes – since some sandboxes have a limit per size when uploading files.
Also, a new layer anti-VM was added to this new release as shown below.
Figure 8: Lampion DLL file oversize and error message when malware detects it is running inside a VM.
As observed in other Lampion versions, the 0.zip file is protected with a strong password, which is extracted from the loader P-14-7.dll (1st stage). After extracting the final DLL from the ZIP file, 2nd_stage.dll, and executing it in memory via DLL injection, it executes the infection process.
This final DLL is executed in memory by calling the “DoThisBicht” function (see below).
Figure 9: Lampion 2nd stage executed in memory via DLL injection.
Lampion’s operating mode is the same as those analyzed in previous publications [1], [2], nonetheless, the DLL was recently compiled and is accompanied by some changes, as the addresses of C2 have been changed and also the way it communicates with C2. This time it is not used to transfer information about the infected machine through an HTTP call with the destination C2, but TCP sockets are used.
Figure 10: Compilation time – Jun 21 16:39 – 2020.
The target banking organizations are the same as observed in the past samples.
Figure 11: Banking organizations found inside the malware are the same as document in the past.
During the malware execution, it collects keystrokes (keylogger features) and is in a constant loop identifying the focus windows that the user is visiting.
When a focus operation is identified over the browser window, it matches the title of the window with the internal hardcoded strings. In this case, “montepio” matches the target strings hardcoded inside the malware (the name of a Portuguese bank). From here, the malware starts its communication with the command and control server geolocated in Rusia, and next presents the specific overlay windows.
Figure 12: C2 communication after detecting access to a home banking portal.
The process of browser-overlay is then initiated and some fake windows controlled by criminals are shown.
Figure 13: Lampion overlay screens (courtesy of MllenniumBCP – Portugal).
The socket communication is performed sending details about the infected computer, keylogging activity, and so on.
Figure 14: C2 traffic observed during the malware execution.
As observed below, the C2 server is geolocated in Russia. Some ports can be observed via Shodan. The malware executes a socket communication between victims and C2 on port 9171.
Figure 15: Lampion C2 server geolocation – July 2020.
It should also be mentioned that during the process of sending information, the trojan executes several ICMP requests to a server located in Germany. This is a mechanism used by malware to detect if the victim’s computer is connected to the internet.
Figure 16: ICMP ping is used to validate Internet connection to establish a communication with C2.
In addition, it is interesting to note that criminals are using a blacklist of flagged IP addresses. Whenever the client performs an infection from one of these IP addresses, the malware terminates the execution after receiving the order from C2 and the infected computer is restarted.Server Mandou ====> |EXITEWINDOWS|Cliente Desconectado!
Final Thoughts
Malware is one of the major cyber weapons to destroy a business, market reputation, and even infect a wide number of users. The next list presents some tips on how you can prevent a malware infection. It is not a complete list, it just a few steps to protect yourself and your devices.
- Get outdated software of your system
- Get email savvy; take several minutes looking at the new email and not a few seconds
- Beware of fake tech support, emails related do bank transactions, invoices, COVID19, everything you think be strange
- Keep Internet activity relevant
- Log out at the end of the day
- Only access secured and trusted sites (not only websites with green lock – please think you are doing, as many phishing campaigns are abusing of free CA to create valid HTTPS certificates and to distribute malicious campaigns over it)
- Keep your operating system up to date
- Make sure you are using an antivírus
- Beware of malvertising
To read the original article