Lampion

What is Lampion?

The end and the beginning of a year is always a good season for spammers and cyber crooks. There are so many ways to slither into target systems because of year-end communication between various companies and organizations. The people behind the Lampion Trojan infection seem to have caught up on that. This malicious infection targets users in Portugal by masquerading as an official email from the Portuguese Government Finance & Tax.

There are several stages of this infection, but the technical story aside, the most important thing for users is to remove Lampion and to avoid similar intruders again. Hence, we shall look at those two aspects in our description.

Where does Lampion come from?

Research suggests that this infection belongs to the Trojan-Banker.Win32.ChePro family. Hence, it is very likely that Lampion was created to spy on the target systems and collect sensitive data. Research also shows that the new infection was improved to make it harder to detect and analyze it.

Like most of the Trojan infections, Lampion comes with phishing campaigns. As we mentioned above, the installer file for this infection comes with a spam email that looks like an important document from an official organization. These email templates look reliable, and users think that they must interact with this message. Not to mention that the email comes with information on an annual debt, and so if users panic about something they might have missed, they are more likely to open the attached document.

The file attachment that carries Lampion looks like a ZIP file that is called FacturaNovembro-4492154-2018-10_8.zip. When the victim downloads the file and unzips it, there are three extracted files present: FacturaNovembro-4492154-2019-10_8.pdf, FacturaNovembro-4492154-2019-10_8.vbs, Politica de Protecao de Dados – ST-8. Two of the files are absolutely safe, but if the targeted user launches FacturaNovembro-4492154-2019-10_8.vbs, the launch initiates a malicious script that downloads the next payload on the affected system.

So, to sum up, the distribution method – users are tricked into launching malicious Trojan files by thinking that those are important documents they must check. The problem here is that Lampion might target corporations and organizations that deal with such documents every single day. Hence, sometimes the targeted user might not see the difference between a legitimate document and the phishing scam. Consequently, to protect their systems from potential threats, users should consider scanning the received files with licensed security tools. If the malicious file is detected before it is launched, users can easily avoid Lampion and other similar intruders.

What does Lampion do?

There are two stages to this infection. First, it enters the target system. Second, it persists and unleashes the main payload. The truth is that Lampion might perform various actions on the compromised system, and what the Trojan does heavily depends on the control and command center.

Based on the research, from the unpacked binary, we can tell some of the functions that Lampion can carry out. For example, the Trojan can copy the text of a particular window’s title bar. It can retrieve the mouse cursor’s position, open the clipboard to examine it, and enumerate display monitors (among other things). There are also other functions this Trojan and its components can carry out. But the bottom line is that the infection has been created to spy on its victims and to steal sensitive information.

Hence, users need to remove Lampion from their systems as soon as possible, and this is where the problem lies: the malicious code was modified to make the infection obscure. It might not be possible to detect it immediately, and it could steal a lot of information before users notice it.

How do I remove Lampion?

To protect ourselves from such infections, we have to enforce regular system scans with reliable antispyware applications. Also, we have to remember that while it is possible to remove Lampion manually, it would be better to acquire a security program that can terminate all the malicious files automatically. We mustn’t forget that there could be more dangerous files on-board, as malware seldom travels alone.

Protecting your system from such infections consists of many steps. Yes, you need a security program. Yes, you need to be more attentive when you interact with unfamiliar content. And you should definitely learn about the latest cybersecurity trends to be more aware of the potential threats.

Manual Lampion Removal

1. Press Win+R and type %APPDATA%. Click OK.
2. Delete the dhapdezbulu.vbs file and the 56985310494899 folder.
3. Go to Microsoft\Windows\Start Menu\Programs\Startup.
4. Delete the dhapdezbulu.lnk file.
5. Scan the system with SpyHunter. Download Removal Tool100% FREE spyware scan and
   tested removal of Lampion*