New Lampion Trojan Found Attacking Portuguese Users

There's a new Trojan in town: the Lampion Trojan. Security researchers found that this malware is distributed via phishing emails that target Portuguese users and appear to come from the Portuguese Government Finance & Tax.
 How does it attack?

The Segurança Informática-Lab (SI-Lab) reports that the phishing email that distributes the Trojan impersonates government mail, this time from the Portuguese Government Finance & Tax.
The email tells users about their debt from the year 2018.
It then asks the user to click on a link to clear the issue and avoid being scammed.
As soon as the victim clicks on the link in the body of the email, the Trojan is downloaded to the system from the online server.
The downloaded file is a compressed archive called 'FacturaNovembro-4492154-2019-10_8.zip'. When the user unzips it, they see three files: a PDF, a VBS file, and a text file.
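
A defender-side triage check for the archive layout described above (a script file shipped next to decoy documents), as an added example that is not from the original report. The member names and contents in the sample are constructed placeholders, and the extension lists are assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumption: extensions Windows hands to a script host or loader on double-click.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd", ".lnk"}
# Assumption: document types typically bundled as decoys next to the script.
DECOY_EXTS = {".pdf", ".txt", ".doc", ".docx"}


def _result(verdict, reason, scripts=(), decoys=()):
    return {"verdict": verdict, "reason": reason, "scripts": list(scripts), "decoys": list(decoys)}


def triage_zip(data: bytes) -> dict:
    """Classify one ZIP attachment by its member names, without extracting anything."""
    scripts, decoys = [], []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [i for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return _result("review", "not a valid ZIP")
    if any(i.flag_bits & 0x1 for i in members):
        # Encrypted members cannot be inspected, so escalate instead of passing.
        return _result("review", "encrypted members")
    for info in members:
        # Windows drops trailing dots and spaces, so "a.vbs." still opens as a script.
        name = info.filename.lower().rstrip(". ")
        ext = PurePosixPath(name).suffix
        if ext in SCRIPT_EXTS:
            scripts.append(info.filename)
        elif ext in DECOY_EXTS:
            decoys.append(info.filename)
    if scripts and decoys:
        return _result("block", "script bundled with decoy documents", scripts, decoys)
    if scripts:
        return _result("block", "script in archive", scripts, decoys)
    return _result("pass", "no script members", scripts, decoys)


def build_sample() -> bytes:
    """Constructed sample: hypothetical member names, harmless placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("invoice.vbs", b"' placeholder, no code")
        zf.writestr("readme.txt", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample()))
```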

 The file-

This file, FacturaNovembro-4492154-2019-10_8.zip, is just the first phase of the trojan's infection chain. It acts as a dropper and a downloader.
The dropper then downloads the next set of files from the online server. When the file is executed, it downloads two more files: P-19-2.dll and 0.zip. P-19-2.dll is the actual Lampion trojan.
The dll file contains a name in Chinese and a message for the victim. 

 The Lampion Trojan- 

The Lampion Trojan is an improvised form of the Trojan-Banker.Win32Chierro family, developed in Delphi. It has both anti-debug and anti-VM techniques that make its removal quite difficult, whether in a sandbox environment or manually. Security researchers found some features in the capture ..
