If you live in Portugal and pay taxes to the Portuguese Tax and Customs Authority (Autoridade Tributária e Aduaneira), Lampion is a threat that you need to be very cautious about. It was first spotted in October 2019, but it is likely to keep targeting Windows users in the future as well. Like most threats nowadays, this Trojan reaches its victims through spam emails. Unfortunately, many people are still unaware that opening spam emails is a dangerous game. Spammers can use convincing sender addresses and subject lines, and the message bodies can be copied from real emails sent by the Portuguese Tax and Customs Authority to make them look completely legitimate. If anything about a message seems strange, do not rush into anything. Contact the authority directly by phone to ask whether the email was really sent, and, most importantly, do not open any attached files or links. If you do, you might end up needing to delete Lampion from your operating system.
Since Lampion was first recorded in October 2019, it is no wonder that the file attached to the spam email was named “FacturaNovembro-4492154-2019-10_8.zip.” Obviously, names are very easy to change, so you should not look out only for files with that exact name. The attached archive is not malicious per se; it is what is inside that you need to worry about. During the analysis of the infection, the .ZIP archive was found to contain three files. “Politica de Protecao de Dados - ST-8” and a .PDF file inside the archive were not malicious, but the .VBS file was. This file is a dropper: if it is executed, it silently downloads other malicious files. In the case of Lampion, it downloaded two files (an .exe and a .dll) to the %APPDATA% directory. The downloaded files were hosted on a compromised server, in an AWS S3 bucket. After the initial execution, the Trojan added an .lnk file to the Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\) to ensure that it runs as soon as the unsuspecting victim turns the operating system on.
To keep itself safe, Lampion uses anti-debugging and anti-VM tactics, which are meant to keep the infection from being examined by researchers and security tools. The Trojan was found to use VMProtect 3.x specifically to guard its code against analysis. Unfortunately, if the victim does not realize that they need to delete the malware from their operating system, sensitive information can be leaked. The Trojan can record login data using intrusive techniques: for example, it can copy text from the clipboard, from open windows, and from messages. It can also spy on users by reading the contents of windows, tracking the mouse, and capturing keyboard input. It is hard to say exactly what information the attackers behind Lampion might obtain, but the risk of sensitive data theft is undoubtedly high. Therefore, once you remove the infection (which we discuss in the following paragraph), it is crucial that you change all sensitive passwords and keep an eye out for suspicious activity. If you do not take these steps, your accounts could be hijacked.
The instructions below give a general idea of how you can remove Lampion manually. Unfortunately, the files dropped by this Trojan have random names, and some of them are stored in a folder with a random name as well. That said, all of these components should be located in the %APPDATA% directory, so you do have a chance of performing the removal manually. Whether or not you are able to clean your system yourself, we strongly advise installing anti-malware software. It will automatically delete Lampion and any other threats that may have entered the system without your permission. On top of that, your system’s protection needs to be strengthened, and anti-malware software is built for exactly that. If you want to continue the discussion regarding the Trojan, its removal, or Windows protection, do not hesitate to leave your comments in the section below.
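As an added example (not part of the article or its removal instructions), the PowerShell triage script below checks the two places the infection chain described above touches: the per-user Startup folder, for shortcuts whose target lives under %APPDATA%, and %APPDATA% itself, for recently created .exe and .dll files. Reading shortcut targets through the WScript.Shell COM object and the 30-day lookback window are assumptions of this example, not details the article gives.

```powershell
# Added triage script (not from the article): lists Startup shortcuts whose
# target resolves into %APPDATA%, and recently created .exe/.dll files under
# %APPDATA%, the two locations used by the Lampion chain described above.
# Assumptions: shortcut targets are read through the WScript.Shell COM object,
# and "recent" means the last 30 days (adjust -Days as needed).
param(
    [int]$Days = 30
)

$startup = [Environment]::GetFolderPath('Startup')          # per-user Startup folder
$appData = [Environment]::GetFolderPath('ApplicationData')  # %APPDATA%
$shell   = New-Object -ComObject WScript.Shell

Write-Host "== Startup shortcuts (.lnk) in $startup =="
Get-ChildItem -Path $startup -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk    = $shell.CreateShortcut($_.FullName)
        $target = [string]$lnk.TargetPath
        # A shortcut launching something inside %APPDATA% matches the
        # persistence pattern the article describes; legitimate software
        # rarely does this from the Startup folder, so flag it for review.
        $suspicious = $target -and $target.StartsWith($appData, [StringComparison]::OrdinalIgnoreCase)
        [pscustomobject]@{
            Shortcut   = $_.Name
            Target     = $target
            Arguments  = $lnk.Arguments
            Created    = $_.CreationTime
            Suspicious = $suspicious
        }
    } | Format-Table -AutoSize

Write-Host "`n== .exe/.dll created in %APPDATA% during the last $Days days =="
$cutoff = (Get-Date).AddDays(-$Days)
Get-ChildItem -Path $appData -Recurse -Include '*.exe','*.dll' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $cutoff } |
    Select-Object FullName, Length, CreationTime |
    Sort-Object CreationTime -Descending |
    Format-Table -AutoSize
```

Run it in the affected user's session, since both folders are per-user; compare anything flagged against software you know is installed before deleting it.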