The Lampion banking trojan reemerged along with its old attack tactics

March 17, 2022
Lampion Banking Trojan Malware Cyberattack Europe Portugal US

The Lampion banking trojan has recently reemerged and seems to be attacking numerous targets with its old command-and-control server. Its threat actors utilise phoney banking templates that spoof organizations in Portugal to lure their targets into installing their loaders.

Researchers explained that its operators had not altered the banking trojan's tactics, techniques, and procedures (TTPs), which means they are using the same attack method from 2019. In addition, the threat actors have been using an identical command-and-control server based in Russia for about two years now.

Furthermore, the researchers noticed that the only component changed in the Lampion banking trojan is its VBS loader. The operation used by Lampion is identical to that of other Brazilian banking trojans such as URSA, Grandoreiro, and Maxtrilha.

Based on reports, the researchers acquired the hostname of the remote device used by the threat actors in the latest strain of the Lampion banking trojan.

According to a tally, researchers identified over 80,000 devices compromised by Lampion: approximately 45,000 machines in the Netherlands, 25,000 in Russia, 2,500 in Ukraine, and 1,500 in the United States.

The hostname used by Lampion also appears to be connected with other malicious operations, such as the LockBit 2.0 ransomware gang and the BazarLoader malware.

Although the threat actors left their TTPs and attack infrastructure essentially unchanged, they did make one critical change to the payload: the file size grew from about 13.20KB in 2019 to around 56MB in the current strain. The threat actors padded the file with junk to bypass detection by security solutions, many of which skip or only partially scan very large files.

The expansion also indicates that the threat actors inserted large amounts of junk code to make detection and manual analysis more laborious.
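The file-size inflation described above can be triaged with a simple entropy profile: junk padding tends to be highly repetitive, so a sample whose bulk consists of near-constant 4 KiB chunks, yet which is far larger than a typical loader, is suspicious. The script below is an added example written for this article, not code from the researchers or from the malware. The 3.0 bits-per-byte entropy threshold, the 1 MiB size floor, the 50% padding ratio and the repeating 4-byte junk pattern used to build the constructed sample are all assumptions for illustration, not values taken from the Lampion samples.

```python
import math
import random
import sys
from collections import Counter

CHUNK_SIZE = 4096            # bytes per chunk when profiling a file
LOW_ENTROPY_THRESHOLD = 3.0  # bits/byte; assumed cut-off for "padding-like" chunks
MIN_SUSPECT_SIZE = 1 << 20   # 1 MiB; assumed floor below which bloat is not flagged
MIN_PADDING_RATIO = 0.5      # assumed share of low-entropy chunks that triggers a hit
JUNK_PATTERN = b"\x90\x90\x00\xcc"  # constructed junk filler for the sample below


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, ~8.0 for random)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def padding_profile(data: bytes, chunk_size: int = CHUNK_SIZE,
                    threshold: float = LOW_ENTROPY_THRESHOLD) -> dict:
    """Split the file into fixed-size chunks and count how many look like padding."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    low = sum(1 for c in chunks if shannon_entropy(c) < threshold)
    return {
        "size": len(data),
        "chunks": len(chunks),
        "low_entropy_chunks": low,
        "padding_ratio": (low / len(chunks)) if chunks else 0.0,
    }


def is_bloated(data: bytes, min_size: int = MIN_SUSPECT_SIZE,
               min_ratio: float = MIN_PADDING_RATIO) -> bool:
    """Flag a file that is both unusually large and mostly low-entropy filler."""
    profile = padding_profile(data)
    return profile["size"] >= min_size and profile["padding_ratio"] >= min_ratio


def constructed_sample(padding_bytes: int, seed: int = 7) -> bytes:
    """Constructed test input: 8 KiB of pseudo-random bytes standing in for real
    code, followed by `padding_bytes` of the repeating JUNK_PATTERN filler."""
    rng = random.Random(seed)
    core = bytes(rng.getrandbits(8) for _ in range(8192))
    repeats = padding_bytes // len(JUNK_PATTERN) + 1
    junk = (JUNK_PATTERN * repeats)[:padding_bytes]
    return core + junk


def main(argv: list[str]) -> int:
    # With a path argument, profile a real file; otherwise run on constructed samples.
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            samples = {argv[1]: fh.read()}
    else:
        samples = {
            "lean (no padding)": constructed_sample(padding_bytes=0),
            "bloated (2 MiB junk)": constructed_sample(padding_bytes=2 << 20),
        }
    for name, data in samples.items():
        profile = padding_profile(data)
        verdict = "BLOATED" if is_bloated(data) else "ok"
        print(f"{name}: size={profile['size']} chunks={profile['chunks']} "
              f"low_entropy={profile['low_entropy_chunks']} "
              f"ratio={profile['padding_ratio']:.3f} -> {verdict}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it without arguments to see the constructed lean and bloated samples side by side, or pass a file path to profile a real binary. A low padding ratio does not prove a file is clean (packed or encrypted junk has high entropy), so treat the flag as a triage signal that a large file deserves a full scan rather than the size-based skip many scanners apply.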

Brazilian banking trojans are spreading at an alarming rate, with several malware strains targeting banking entities. Each strain has its own obfuscation and anti-analysis characteristics to avoid detection.

Experts recommend that organizations utilise provided IOCs to detect such threats better.
