Lampion

Lampion is a Trojan with a very specific target. It was created to attack those paying taxes in Portugal, but, of course, it is always possible that Windows users outside of the country could be tricked into letting this malware in as well. Also, it is possible that the attackers behind the threat could modify the attack to target the residents of other countries too. For now, we are dealing with a Trojan that uses the reputable name of Autoridade Tributaria e Aduaneira, i.e., the Portuguese Tax and Customs Authority. If you live in Portugal, and you receive an email allegedly sent by this authority, you are likely to open it without thinking much about it. That is what the attackers are betting on by sending a misleading spam email with a subject line “Emissao da factura electronica.” The cybercriminals have done a really good job of making this email look very convincing, and that is the strength of the infection. Unfortunately, if you have interacted with such an email, there is a good chance that you now need to delete Lampion Trojan.

The attackers behind Lampion rely on a convincing spam email message to trick gullible Windows users into opening an attached ZIP archive file. When the infection was first discovered, it used a file called FacturaNovembro-4492154-2019-10_8.zip, but it could easily be modified to fit with the times and convince the recipient that it is real. The message supporting the attached file is suggesting that the recipient can find important data about an annual tax declaration. If you are tricked into opening the archive, three files are introduced. When the infection was analyzed, one of the files was named Politica de Protecao de Dados - ST-8, and another one was FacturaNovembro-4492154-2019-10_8.pdf. These files were harmless. Unfortunately, if the victim opened the third file – FacturaNovembro-4492154-2019-10_8.vbs – it silently downloaded two malicious files. Basically, the .VBS file (Visual Basic Script) is a downloader, and if you execute it, it drops malicious .EXE and .DLL files. They are dropped to the %APPDATA% directory, and you need to delete them instantly. Of course, you are unlikely to even know that these files exist or that you need to delete them.

Once Lampion is executed, it starts collecting information about the victim. The infection has the ability to open the clipboard to see any copied text, it can hijack the keyboard and the mouse to record what is typed, it can see opened windows and also record the text shown via them. According to our malware experts, Lampion could be used to access computer disk information and also steal online banking credentials. To make matters worse, the Trojan uses anti-debugging functions, and it is also able to employ VMProtect 3.x to ensure that the malicious code is extremely difficult to analyze. Therefore, even if you utilize security software, it might not be able to detect and remove the infection. Of course, that depends on the software you use. Also, note that if the Trojan managed to slither in with security software in place, there is a good chance that you need to update it or that you need to find better security tools to protect you and your operating system. That being said, even the best security tools might fail to protect you if you are not cautious yourself. In the future, make sure you are careful about the emails you interact with.

Since all components of Lampion were dropped to the %APPDATA% directory, it is possible that victims of this Trojan will be able to identify and remove them manually. Of course, you need to be cautious. The names of these components are random, and if you are not careful, you could end up removing something else, and that could cause more problems. If you are not sure you can delete Lampion manually, we strongly advise employing anti-malware software. It will ensure that your system is thoroughly cleaned and also protected against new infections. Without a doubt, you will never be completely safe without legitimate security software guarding you. As we mentioned before, you need to be cautious too. If you continue opening spam emails and downloading the files attached to them, you could face ransomware, Trojans, and other types of malware before you know it.

Lampion Removal

1. Simultaneously tap Win and E keys to access Windows Explorer.
2. Type %APPDATA% into the field at the top and then tap Enter to access the directory.
3. Delete malicious .VBS and .DLL files with random names.
4. Delete a folder with a random name if it contains malicious .EXE and 0.zip files.
5. Enter %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ into the field at the top.
6. Delete a malicious .LNK file with a random name if it linked to the .EXE file is step 4.
7. Exit Windows Explorer and then Empty Recycle Bin.
8. Install a trusted malware scanner to scan your system and check for leftovers.