Using templated emails, a new trojan is spreading through Portugal pretending to be sent from the Portuguese Government Finance and Tax service. According to officials, many citizens received the email, which contained a link to download the malware. The end of each year is a time when criminals often use tax themes to target victims with these types of phishing emails. The email informed its intended victims that they had debt from 2018 that needed to be paid before they could file 2019 taxes. The malware that is spread through the messages is named Lampion, and appears to be an updated version from the Trojan-Banker.WIN32.ChePro family. When the target clicks on a link included in the email body, the malware gets downloaded from an online server as a .zip file. Three files are present once the original file is extracted. A VBScript acts as a dropper which downloads the next stage from a compromised server on an AWS S3 bucket. The trojan uses anti-debug and anti-VM techniques as well as a commercial protector. The code within the trojan also makes it hard to be analyzed because it is specifically crafted to evade sandbox analysis and is difficult to read manually.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense Russia’s invasion of Ukraine increased