Using templated emails, a new trojan is spreading through Portugal pretending to be sent from the Portuguese Government Finance and Tax service. According to officials, many citizens received the email, which contained a link to download the malware. The end of each year is a time when criminals often use tax themes to target victims with these types of phishing emails. The email informed its intended victims that they had debt from 2018 that needed to be paid before they could file 2019 taxes. The malware that is spread through the messages is named Lampion, and appears to be an updated version from the Trojan-Banker.WIN32.ChePro family. When the target clicks on a link included in the email body, the malware gets downloaded from an online server as a .zip file. Three files are present once the original file is extracted. A VBScript acts as a dropper which downloads the next stage from a compromised server on an AWS S3 bucket. The trojan uses anti-debug and anti-VM techniques as well as a commercial protector. The code within the trojan also makes it hard to be analyzed because it is specifically crafted to evade sandbox analysis and is difficult to read manually.
Analyst Notes
SI-LAB uploaded the malware to VirusTotal and only 12 out of 71 engines could detect the malware as malicious. This means that only a small amount of the signature-based anti-virus companies are detecting this complicated malware. Utilizing a behavior-based protection software such as Binary Defense’s Managed Endpoint Detection and Response would help alleviate this issue by not solely relying on the signature to mark Lampion as malicious. This time of year is when most of the criminals will begin targeting individuals and companies for tax information or personal employee information that could lead threat actors to file fraudulent tax returns. Employees must remain vigilant throughout the next couple of months to avoid harm from phishing emails about the tax season.
For all the details on Lampion, see here: https://securityaffairs.co/wordpress/95731/malware/lampion-malware-targets-portugal.html
