vbs.lampion

lampion


Malware is delivered by emails containing links to ZIP files or ZIP attachments. The ZIP contains a VBScript that, when executed, downloads additional files from AWS S3, Google Drive or other cloud hosting services. The downloaded files are encrypted .exe and .dll files.
The malware targets banking clients in Portugal.

References
2023-10-30 | Layer8 | Pedro Lobo
New Lampion Banking Trojan Variant in the wild
lampion
2022-09-09 | Cofense | Andy Mann, Dylan Main
Lampion Trojan Utilizes New Delivery through Cloud-Based Sharing
lampion
2022-03-13 | Security Affairs | Pierluigi Paganini
The hidden C2: Lampion trojan release 212 is on the rise and using a C2 server for two years
lampion
2022-02-26 | Seguranca Informatica | Pedro Tavares
The hidden C2: Lampion trojan release 212 is on the rise and using a C2 server for two years
lampion
2021-07-19 | Palo Alto Networks Unit 42 | Mark Lim
Evade Sandboxes With a Single Bit – the Trap Flag
lampion
2021-02-10 | Seguranca Informatica | Pedro Tavares
Lampion trojan disseminated in Portugal using COVID-19 template
lampion
2020-07-06 | Seguranca Informatica | Pedro Tavares
New release of Lampion trojan spreads in Portugal with some improvements on the VBS downloader
lampion
2020-05-11 | Seguranca Informatica | Pedro Tavares
Trojan Lampion is back after 3 months
lampion
2019-12-30 | Check Point | Check Point
THREAT INTELLIGENCE REPORT
lampion
2019-12-26 | Seguranca Informatica | Pedro Tavares
Targeting Portugal: A new trojan ‘Lampion’ has spread using template emails from the Portuguese Government Finance & Tax
lampion
Yara Rules
[TLP:WHITE] vbs_lampion_w0 (20231114 | Rule to detect Lampion's first stage vbs script)
import "pe"
import "hash"

// First-stage Lampion VBScript dropper. Matches on a fixed set of script
// fragments plus exact occurrence counts of common WSH/WMI object names,
// gated by a large minimum file size.
// NOTE(review): the "pe" and "hash" modules imported above are not referenced
// by this rule; they can be dropped without changing what it matches.
rule vbs_lampion_w0 {
    meta:
        description = "Rule to detect Lampion's first stage vbs script"
        author = "Pedro Lobo - Layer8.pt" 
        reference = "https://www.layer8.pt/PDFs/New%20Lampion%20banking%20Trojan%20variant%20in%20the%20wild.pdf"
        os = "mswindows"
        filetype = "vbs"
        maltype = "trojan"
        last_update = "2023-10-30"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.lampion"
        malpedia_rule_date = "20231114"
        malpedia_hash = ""
        malpedia_version = "20231114"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // $a/$b/$h/$i are generic WSH/FileSystemObject/Task Scheduler names;
        // on their own they appear in plenty of benign scripts, which is why
        // the condition pins their exact counts rather than mere presence.
        $a = "Wscript.Shell" nocase
        $b = "Scripting.FileSystemObject" nocase
        // 600000 ms = 10 minute sleep, presumably a sandbox-evasion delay.
        $c = "WScript.Sleep(600000)" nocase
        // WMI object retrieval; the variable name OpSysSet is sample-specific.
        $d = "Set OpSysSet = GetObject(" nocase
        // Win32_OperatingSystem.Win32Shutdown with flag 6 (forced reboot),
        // including the sample's exact variable name.
        $e = "retVal = OpSys.Win32Shutdown(6)" nocase
        // Deliberately case-sensitive (no "nocase"): the lowercase alphabet
        // literal — presumably a decoding/substitution table; confirm against
        // the sample before relaxing it.
        $f = "abcdefghijklmnopqrstuvwxyz"
        $h = "GetSpecialFolder" nocase
        $i = "Schedule.Service" nocase
    condition:
        // filesize > 40MB: the first-stage script is expected to be heavily
        // padded; a plain 40 MB minimum for a .vbs would otherwise be odd —
        // TODO confirm the padding floor against current samples.
        // The exact counts (#a == 4, etc.) make this rule brittle by design:
        // a variant with one more or one fewer reference will not match.
        filesize > 40MB and (all of ($c,$d,$e,$f) and (#a == 4 and #b == 5 and #h == 2 and #i == 2))
        
}
[TLP:WHITE] vbs_lampion_w1 (20231114 | Rule to detect Lampion's extractor dll)
import "pe"
import "hash"

// Lampion "extractor" DLL. A single sample-specific marker string combined
// with a very large minimum size and a PE DLL check.
// NOTE(review): the "hash" module imported above is not used by this rule.
rule vbs_lampion_w1 {
    meta:
        description = "Rule to detect Lampion's extractor dll"
        author = "Pedro Lobo - Layer8.pt" 
        reference = "https://www.layer8.pt/PDFs/New%20Lampion%20banking%20Trojan%20variant%20in%20the%20wild.pdf"
        os = "mswindows"
        filetype = "dll"
        maltype = "trojan"
        last_update = "2023-10-30"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.lampion"
        malpedia_rule_date = "20231114"
        malpedia_hash = ""
        malpedia_version = "20231114"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Opaque marker taken from the sample; searched as both UTF-16LE and
        // ASCII. Meaning unknown from this page — do not infer one.
        $a = "MfS3onjYAZRDZdQy3v9" wide ascii
    condition:
        // filesize > 500MB presumably reflects padding of the DLL to defeat
        // upload/scan size limits; a smaller repack would evade this rule —
        // TODO confirm the floor against current samples.
        $a and filesize > 500MB and pe.DLL
        
}
[TLP:WHITE] vbs_lampion_w2 (20231114 | Rule to detect Lampion trojan dll)
import "pe"
import "hash"

// Lampion trojan DLL. Either a structural match (marker string plus two
// ".vmp" section-name strings in a PE DLL) or an exact whole-file MD5 of one
// known sample.
rule vbs_lampion_w2 {
    meta:
        description = "Rule to detect Lampion trojan dll"
        author = "Pedro Lobo - Layer8.pt" 
        reference = "https://www.layer8.pt/PDFs/New%20Lampion%20banking%20Trojan%20variant%20in%20the%20wild.pdf"
        os = "mswindows"
        filetype = "dll"
        maltype = "trojan"
        last_update = "2023-10-30"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.lampion"
        malpedia_rule_date = "20231114"
        malpedia_hash = ""
        malpedia_version = "20231114"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // Sample-specific marker string, searched as UTF-16LE and ASCII.
        $a = "DoThisBicht" wide ascii
        // ".vmp0"/".vmp1" are the section names typically emitted by the
        // VMProtect packer; they are matched as plain strings here, not via
        // pe.sections, so any file containing the text would satisfy them.
        $vmp0 = ".vmp0" wide ascii
        $vmp1 = ".vmp1" wide ascii
    condition:
        // The hash branch is a single-sample fallback. Because "or" is
        // short-circuited left to right, every file that fails the first
        // clause has its whole-file MD5 computed — a noticeable cost on large
        // scan sets; keep the cheaper structural clause first.
        ($a and pe.DLL and $vmp0 and $vmp1) or
        hash.md5(0, filesize) == "25ca63d94eb39299563fa51986c9a17b" 
}
[TLP:WHITE] vbs_lampion_w3 (20231114 | Rule to detect Lampion second stage vbs script that downloads the trojan zip and dll)
// Second-stage Lampion VBScript (the downloader for the trojan ZIP and DLL).
// Matches three raw byte blobs copied from the sample; all three must be
// present.
rule vbs_lampion_w3 {
    meta:
        description = "Rule to detect Lampion second stage vbs script that downloads the trojan zip and dll"
        author = "Pedro Lobo - Layer8.pt" 
        reference = "https://www.layer8.pt/PDFs/New%20Lampion%20banking%20Trojan%20variant%20in%20the%20wild.pdf"
        os = "mswindows"
        filetype = "vbs"
        maltype = "trojan"
        last_update = "2023-10-30"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.lampion"
        malpedia_rule_date = "20231114"
        malpedia_hash = ""
        malpedia_version = "20231114"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // The two long blobs are, per their names, the script's encoded
        // download URLs exactly as embedded. They are opaque here: the rule
        // matches the ciphertext bytes, so a re-encoded URL in a new build
        // will not match.
        $encryptedURL1 = {73 6e 7d 5e 4a 6a 47 6a 26 66 36 69 3e 30 49 25 44 25 44 60 68 6b 53 69 6d 6a 76 62 67 65 7d 65 4b 61 36 57 4c 68 3c 65 5c 6b 69 64 64 5a 79 24 52 69 5e 29 5f 24 61 57 73 63 32 57 58 70 5d 65 24 64 76 57 2c 6d 26 69 2e 24 72 59 56 65 7b 63 6b 25 77 69 5b 65 4a 66 61 68 53 57 34 6a 6b 5b 5f 69 63 6a 57 5b 35 24 23 70 33 5f 6e 66 54 76} 
        $encryptedURL2 = {47 61 4a 5e 71 6a 3b 6a 71 66 6d 69 38 30 6f 25 47 25 6b 60 6c 6b 75 69 33 6a 67 62 35 65 29 65 63 61 40 57 43 68 38 65 5d 6b 4f 64 31 5a 36 24 6e 69 72 29 54 24 68 57 3e 63 3f 57 68 70 65 65 6d 64 67 57 6e 6d 57 69 41 24 39 59 45 65 23 63 26 25 42 66 5b 65 7a 5f 4b 5f 5c 6b 5a 6f 6c 5b 66 6a 54 68 6a 6b}
        // Only 8 bytes: too short to be meaningful alone, but it is never
        // evaluated alone because the condition requires all three.
        $encrypted3 = {7d 5c 71 35 6f 33 2e 75} 
    condition:
        // Wildcard covers $encryptedURL1, $encryptedURL2 and $encrypted3.
        all of ($encrypted*)
}
[TLP:WHITE] vbs_lampion_w4 (20231114 | Rule to detect Lampion password protected zip file)
// Password-protected ZIP used to deliver the Lampion payload. Requires the
// archive's first local file header to carry the encrypted/UTF-8 flag
// combination seen in the sample, plus a specific UTF-8 entry name.
rule vbs_lampion_w4 {
    meta:
        description = "Rule to detect Lampion password protected zip file"
        author = "Pedro Lobo - Layer8.pt" 
        reference = "https://www.layer8.pt/PDFs/New%20Lampion%20banking%20Trojan%20variant%20in%20the%20wild.pdf"
        os = "mswindows"
        filetype = "zip"
        maltype = "trojan"
        last_update = "2023-10-30"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/vbs.lampion"
        malpedia_rule_date = "20231114"
        malpedia_hash = ""
        malpedia_version = "20231114"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // UTF-8 bytes of the Chinese-language entry name used by the sample.
        // ZIP entry names are stored uncompressed, so the literal is
        // searchable even though the entry data is encrypted.
        $compressed_chinese_filename = {e5 a4 a9 e5 be 88 e7 be 8e ef bc 8c e5 a4 a9 e6 b0 a3 e6 99 b4 e6 9c 97 ef bc 8c e6 b1 a0 e7 95 94 e5 95 a4 e9 85 92 e5 92 8c e7 87 92 e7 83 a4 ef bc 8c e5 ae b6 e4 ba ba e6 84 9f e5 8b 95 e6 88 91 e7 9a 84 e4 b8 8a e5 b8 9d e4 bf 9d e8 ad b7 e6 88 91 e7 9a 84 e7 9b 9f e5 8f 8b} 
        // Local file header: signature "PK\x03\x04", version needed 0x0014
        // (2.0), general-purpose flags 0x0809 = bit 0 (encrypted) | bit 3
        // (data descriptor present) | bit 11 (UTF-8 names), per the ZIP
        // APPNOTE. Any archive whose first entry is written with different
        // flags or version will not match.
        $zipPasswordedHeader = {50 4B 03 04 14 00 09 08}
    condition:
        // "at 0" anchors the header to the start of the file, so this only
        // fires on a ZIP whose first local header has exactly those fields.
        $compressed_chinese_filename and $zipPasswordedHeader at 0
}