Lampion Banking Malware Employs ClickFix Lures To Steal Banking Information

A sophisticated banking trojan known as Lampion has resurfaced with an evolved attack strategy, now exploiting fake ClickFix utility lures to harvest sensitive banking credentials from unsuspecting victims.

This banking malware, first identified in late 2019, has undergone significant modifications to enhance its effectiveness in compromising financial data across multiple European banking institutions.

The latest campaign demonstrates the malware operators’ continued adaptation and refinement of social engineering techniques to maximize infection rates.

The current distribution method leverages fraudulent emails impersonating legitimate software update services, specifically mimicking a fictitious utility called “ClickFix” that purportedly resolves browser compatibility issues.

These phishing emails contain malicious attachments or links directing victims to download what appears to be a browser repair tool, but instead delivers the Lampion payload.

Once executed, the malware begins its covert operation to harvest banking credentials, credit card information, and other sensitive financial data from compromised systems.

Palo Alto Networks researchers identified this new variant after observing a significant spike in related infection attempts across multiple countries.

Their analysis revealed sophisticated obfuscation techniques designed to bypass traditional security solutions while maintaining persistent access to infected systems.

According to their findings, the campaign primarily targets banking customers in Portugal, Spain, and other European regions with customized lures in various languages.

Impact of this campaign

The financial impact of this campaign has been substantial, with numerous victims reporting unauthorized transactions following infection.

Banking institutions have been forced to implement additional security measures while working with cybersecurity teams to mitigate ongoing threats.

The widespread nature of these attacks highlights the continuing evolution of financial malware as a persistent threat to both individual consumers and financial organizations.

Lampion’s ClickFix infection chain (Source – Palo Alto Networks)

The infection chain begins when users download the fake ClickFix utility, which executes a highly obfuscated VBScript that establishes persistence through registry modifications.

The script, shown below, creates an initial foothold before downloading additional components:

' Stage-one loader: persists the dropped script through the current user's Run key
Set WshShell = CreateObject("WScript.Shell")
strRegPath = "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\"
' The "ClickFixUpdate" value launches %TEMP%\updater.vbs silently (//B) at every logon
WshShell.RegWrite strRegPath & "ClickFixUpdate", _
    "wscript.exe //B " & """" & WshShell.ExpandEnvironmentStrings("%TEMP%") & "\updater.vbs" & """", "REG_SZ"

This stage-one loader communicates with command and control servers to retrieve the primary Lampion payload.
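As an added example (not code from the article or from Palo Alto Networks), the following triage routine scores Run-key values for the persistence pattern described above: a Windows script host launched silently against a script dropped in a user-writable directory. The Run-key entries and the three-indicator threshold are constructed assumptions, not data from the campaign.

```python
"""Triage HKCU Run-key values for silent script-host persistence (added example)."""
import re
from typing import List, NamedTuple, Tuple


class RunEntry(NamedTuple):
    name: str      # registry value name
    command: str   # registry value data (the command line run at logon)


# Constructed sample of Run-key values, as a defender might export them.
SAMPLE_RUN_ENTRIES = [
    RunEntry("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RunEntry("ClickFixUpdate", r'wscript.exe //B "C:\Users\alice\AppData\Local\Temp\updater.vbs"'),
    RunEntry("Backup", r'cscript.exe /nologo "C:\Tools\backup.vbs"'),
]

# wscript/cscript at the start of the command or after a path separator, space or quote
SCRIPT_HOST = re.compile(r'(?:^|[\\\s"])(?:w|c)script(?:\.exe)?\b', re.IGNORECASE)
# //B or /B: batch mode, which suppresses script errors and prompts
SILENT_FLAG = re.compile(r'(?:^|\s)(?://|/)B(?:\s|$)', re.IGNORECASE)
# Unexpanded or expanded user-writable locations commonly used for dropped scripts
USER_WRITABLE = re.compile(r'%TEMP%|%TMP%|%APPDATA%|\\Temp\\|\\AppData\\Roaming\\', re.IGNORECASE)
SCRIPT_EXT = re.compile(r'\.(?:vbs|vbe|js|jse|wsf)\b', re.IGNORECASE)


def score_entry(entry: RunEntry) -> List[str]:
    """Return the indicators that fire for one Run-key value."""
    hits = []
    if SCRIPT_HOST.search(entry.command):
        hits.append("script-host")
        if SILENT_FLAG.search(entry.command):
            hits.append("silent-flag")
    if USER_WRITABLE.search(entry.command):
        hits.append("user-writable-dir")
    if SCRIPT_EXT.search(entry.command):
        hits.append("script-file")
    return hits


def suspicious_entries(entries: List[RunEntry], min_hits: int = 3) -> List[Tuple[str, List[str]]]:
    """Keep entries with at least min_hits indicators; a lone .vbs in C:\\Tools is not enough."""
    flagged = []
    for entry in entries:
        hits = score_entry(entry)
        if len(hits) >= min_hits:
            flagged.append((entry.name, hits))
    return flagged


if __name__ == "__main__":
    for name, hits in suspicious_entries(SAMPLE_RUN_ENTRIES):
        print(f"{name}: {', '.join(hits)}")
```

Feeding the function the Run values from a host export (or from Sysmon registry-set events) surfaces the silent-wscript-in-%TEMP% combination without matching legitimate scheduled scripts.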

The malware then deploys advanced hooking techniques to intercept banking sessions while remaining undetected.
