From Brazil with Love: New Tactics from Lampion
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY:
This analysis details a long-running spam campaign by a Brazilian group known for using the Lampion banking trojan. The campaign, active since at least 2019, has evolved its infection chain and components. Key updates include the use of email attachments instead of links, cloud services for ephemeral infrastructure, and ClickFix lures for initial compromise. The infection process involves multiple stages of obfuscated Visual Basic scripts, culminating in the deployment of an updated Lampion Stealer. The threat actors demonstrate sophisticated tactics, including IP blacklisting and the use of large file sizes to hinder analysis. The malicious infrastructure is distributed across multiple cloud providers and shows frequent changes in some components while maintaining long-term stability in others. The campaign's persistence and evolution highlight the group's dedication to stealth and evasion techniques.
OPENCTI LABELS:
lampion,clickfix,banking trojan,lampion stealer
AI COMMENTARY:
1. Introduction
From Brazil with Love: New Tactics from Lampion explores the evolution of a persistent spam campaign orchestrated by a Brazilian threat actor deploying the Lampion banking trojan. First observed in 2019, this operation has refined its methods to evade detection and ensure effective payload delivery. By shifting from simple link-based phishing to email attachments and leveraging cloud resources for transient infrastructure, the group demonstrates a sustained commitment to stealth and operational security.

2. Campaign Evolution
Early variants of this campaign relied primarily on embedded URLs directing victims to malicious download sites. As defenses matured, the adversaries pivoted to Microsoft Office document attachments laced with obfuscated Visual Basic scripts. The introduction of ClickFix-themed lures marked a notable shift in social engineering tactics, capitalizing on familiar service names to lower suspicion. In parallel, the actors adopted major cloud providers for hosting, creating ephemeral servers that vanish within hours to thwart takedown efforts.

3. Infection Chain Analysis
The updated infection chain unfolds across multiple layers of obfuscation. Initially, a Visual Basic script embedded in the email attachment uses macros to fetch a secondary dropper. This component, heavily encoded and intermittently updated, unpacks further scripts that establish persistence. Finally, the Lampion Stealer payload is deployed, extracting credentials from browsers and banking applications. Each stage employs encryption and packing to frustrate automated analysis and reverse engineering.

4. Advanced Evasion Techniques
To complicate detection, Lampion's operators implement IP blacklisting, ensuring that analysis environments and known security vendor ranges are blocked. They also inflate file sizes and employ chunked downloads, so sandboxes with strict file limits cannot process the payload completely. These measures, combined with dynamically generated command and control domains, give the campaign a footprint that shifts regularly yet remains resilient over the long term.

5. Infrastructure Resilience
The actors distribute their infrastructure across multiple cloud platforms, taking advantage of free trials and pay-as-you-go instances to keep operational costs low. Some components, such as initial hosting servers, rotate frequently, while others, including core command and control nodes, exhibit remarkable longevity. This hybrid approach balances agility and stability, enabling rapid adaptation to takedowns without sacrificing persistent access to compromised systems.

6. Implications and Mitigation Strategies
The persistence and continuous refinement of Lampion operations underscore the need for layered defenses. Organizations should enforce macro security policies, sandbox email attachments, and monitor for unusual cloud resource usage. Threat hunting should focus on the telltale signs of multi-stage Visual Basic scripts and outbound connections to cloud-hosted endpoints. By combining proactive detection with regular threat intelligence updates, defenders can impose friction on this campaign and similar financial malware operations.
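Sections 4 and 6 together raise a practical problem for the sandboxing recommendation: a sample inflated with padding may exceed a sandbox's size limit and never get detonated. The following is an added example, not code from the Lampion analysis, from NetmanageIT or from the report's authors. It profiles an attachment for long single-byte runs and a low-entropy tail (the simplest padding signature), flags it as likely inflated, and can strip a trailing padding run so the sample fits the sandbox. The thresholds (MIN_RUN, RUN_FRACTION_LIMIT, TAIL_ENTROPY_LIMIT) and the sample bytes are constructed assumptions for illustration, not values taken from the report.

```python
"""Flag attachments that look artificially inflated with padding before sandbox submission.

Added example for this report summary; not code from the Lampion analysis or NetmanageIT.
All thresholds below and the sample bytes are constructed assumptions.
"""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass

MIN_RUN = 4096              # assumption: runs shorter than this are normal (tables, resources)
TAIL_BYTES = 65536          # how much of the file tail to measure for entropy
RUN_FRACTION_LIMIT = 0.5    # assumption: >= half the file inside long runs is suspicious
TAIL_ENTROPY_LIMIT = 1.0    # assumption: a near-constant tail has entropy close to 0 bits/byte


@dataclass
class PaddingProfile:
    size: int
    longest_run: int          # longest run of one repeated byte value
    run_byte: int             # the byte value forming that longest run
    padded_fraction: float    # share of the file covered by runs of at least MIN_RUN
    tail_entropy: float       # Shannon entropy (bits/byte) of the last TAIL_BYTES
    inflated: bool            # verdict under the thresholds above


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def run_lengths(data: bytes):
    """Yield (byte_value, run_length) for every maximal run of one byte value."""
    if not data:
        return
    current, length = data[0], 1
    for b in data[1:]:
        if b == current:
            length += 1
        else:
            yield current, length
            current, length = b, 1
    yield current, length


def profile_padding(data: bytes) -> PaddingProfile:
    """Measure long single-byte runs and tail entropy, then decide if the file looks inflated."""
    longest, run_byte, padded = 0, 0, 0
    for value, length in run_lengths(data):
        if length > longest:
            longest, run_byte = length, value
        if length >= MIN_RUN:
            padded += length
    size = len(data)
    fraction = padded / size if size else 0.0
    tail_entropy = shannon_entropy(data[-TAIL_BYTES:])
    inflated = fraction >= RUN_FRACTION_LIMIT and tail_entropy <= TAIL_ENTROPY_LIMIT
    return PaddingProfile(size, longest, run_byte, fraction, tail_entropy, inflated)


def strip_trailing_padding(data: bytes) -> bytes:
    """Remove one trailing run of a single byte value if it is at least MIN_RUN long.

    Only a trailing run is removed so the bytes before it stay untouched; a file whose
    real content happens to end in a long run of one value would lose those bytes, so
    keep the original alongside the stripped copy.
    """
    if not data:
        return data
    last = data[-1]
    i = len(data)
    while i > 0 and data[i - 1] == last:
        i -= 1
    return data[:i] if len(data) - i >= MIN_RUN else data


# Constructed samples: a 1 KiB high-entropy body, and the same body followed by ~200 KB of zeros.
CLEAN_SAMPLE = bytes(range(256)) * 4
INFLATED_SAMPLE = CLEAN_SAMPLE + b"\x00" * 200_000


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("inflated", INFLATED_SAMPLE)):
        p = profile_padding(sample)
        print(f"{name}: size={p.size} longest_run={p.longest_run} (byte 0x{p.run_byte:02x}) "
              f"padded={p.padded_fraction:.2%} tail_entropy={p.tail_entropy:.2f} inflated={p.inflated}")
    stripped = strip_trailing_padding(INFLATED_SAMPLE)
    print(f"stripped inflated sample from {len(INFLATED_SAMPLE)} to {len(stripped)} bytes")
```

A gateway or triage script can run profile_padding on every attachment, route inflated ones to a sandbox with a higher limit or submit the stripped copy, and keep the profile fields as detection telemetry: an attachment whose size is dominated by a single byte value is itself a useful hunting signal regardless of what the sandbox later reports.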