
Lampion Trojan Exposed: A New Threat to Portuguese Users

Security experts have uncovered a new trojan called Lampion, which specifically targets users in Portugal. The malware is written in Delphi and shares similarities with the Trojan-Banker.Win32.ChePro family. Lampion employs several techniques to evade detection and analysis, which makes it a formidable threat.

How Does Lampion Infect Systems?

Lampion spreads through deceptive phishing emails that appear to be from the Portuguese Government Finance and Tax Authority. These emails falsely claim to address outstanding debts from 2018. When a user clicks on the embedded link, a zip file named “FacturaNovembro-4492154-2019-10_8.zip” is downloaded. This archive contains three files with PDF, VBS, and TXT extensions.

Files Extracted from the Zip

The harmless PDF and TXT files are designed to trick the user into opening the VBS (VBScript) file. Once executed, the VBScript file initiates the Lampion trojan infection.
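The lure described above pairs a script with harmless-looking documents inside one archive. The following is an added example (not code from the original article) that triages a downloaded zip for that layout without extracting anything to disk; the archive contents, member names and the extension lists are constructed assumptions.

```python
# Added example: flag archives that bundle a script with decoy documents.
import io
import zipfile
from pathlib import PurePosixPath

# Extensions the Windows script host will run on double-click (assumed list).
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1"}
# Extensions that typically act as harmless-looking decoys (assumed list).
DECOY_EXTENSIONS = {".pdf", ".txt", ".doc", ".docx", ".rtf"}


def triage_zip(data: bytes) -> dict:
    """Inspect zip bytes in memory and report script and decoy members."""
    scripts, decoys = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Lower-case the suffix so "Factura.VBS" is caught as well.
            ext = PurePosixPath(info.filename).suffix.lower()
            if ext in SCRIPT_EXTENSIONS:
                scripts.append(info.filename)
            elif ext in DECOY_EXTENSIONS:
                decoys.append(info.filename)
    return {
        "scripts": scripts,
        "decoys": decoys,
        "suspicious": bool(scripts),
        # A script packed alongside decoy documents matches the lure layout.
        "lure_layout": bool(scripts) and bool(decoys),
    }


def build_sample(members: dict) -> bytes:
    """Construct an in-memory zip for testing (dummy content, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for the three-file archive from the article; the
# member names and contents are made up for the example.
LURE_ZIP = build_sample({
    "FacturaNovembro-4492154-2019-10_8.pdf": b"%PDF-1.4 decoy",
    "FacturaNovembro-4492154-2019-10_8.vbs": b"' placeholder script\n",
    "Leia-me.txt": b"decoy note",
})

if __name__ == "__main__":
    print(triage_zip(LURE_ZIP))
```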

For a comprehensive technical analysis of the Lampion trojan, refer to the authoritative source: Security Informatics.

Microsoft’s Counterattack Against North Korean Hacker Group

Microsoft has successfully dismantled 50 domains used by the North Korean hacker group Thallium for phishing attacks. Active since 2010, Thallium has been conducting social engineering attacks using fake emails sent through popular services like Gmail, Yahoo, and Hotmail. These attacks target government agencies, universities, human rights organizations, and individuals involved in nuclear proliferation issues. The seized domains were used to send phishing emails and host counterfeit websites.

Microsoft revealed that the ultimate goal of these attacks is to install malicious software such as KimJongRAT and BabyShark on the victims’ computers. The Microsoft Digital Crimes Unit (DCU) and Microsoft Threat Intelligence Center (MSTIC) teams have been monitoring Thallium’s activities for months, identifying and tracking compromised computers.

Drupal CMS Vulnerabilities Addressed

The Drupal team has released security updates to fix four vulnerabilities, one critical and three moderately critical. The critical vulnerability originates from the “Archive_Tar” library used by Drupal Core to manage archive files. This flaw allows attackers to upload malicious tar files to the server and overwrite sensitive files. The vulnerability affects Drupal websites configured to process .tar, .tar.gz, .bz2, or .tlz files uploaded by users.

The patches for the three moderately critical vulnerabilities address issues such as Denial of Service (DoS), Security Restriction Bypass, and Unauthorized Access. Users are strongly advised to update their CMS to the latest version to protect against these vulnerabilities.

Entercom Faces Another Cyber Attack

Entercom, a company with over 235 radio stations and more than 170 million monthly listeners, has fallen victim to another cyber attack. Following a ransomware attack in September that resulted in a $400,000 loss, this latest attack caused temporary disruptions in email communication and access to digital platforms. Although Entercom has stated that the issues have been largely resolved, some users continue to experience problems. In response to the financial losses incurred from the September attack, Entercom’s CFO, Richard Schmaeling, announced a $2 million increase in the IT budget to enhance future cybersecurity measures.
