
ColoredLambert

Posted: November 22, 2019

Lambert is a family of backdoor Trojans and related tools for monitoring and controlling systems for espionage purposes. Their presence correlates closely with targeted attacks by Longhorn, also known as the Lamberts, a hacking group believed to be state-sponsored. Users should have anti-malware security software for removing Lambert Trojans and should maintain network security best practices against possible infections.

Trojan Tools in Every Color of the Rainbow

The threat actors referred to as the Lamberts or Longhorn are upholding their reputation against stiff competition among state-sponsored hackers, including China's Ke3chang and Russia's Fancy Bear. The team's proficiency is evident in their long-deployed and highly-organized Lambert family, a collection of hacking tools and Trojans with an overall backdoor focus. While, lately, their infections have taken advantage of the helping hand of the DePriMon Trojan downloader, the Lambert family, by itself, includes numerous details worth attention from cyber-security and counter-espionage enthusiasts.

The majority of Lambert's members are Windows-based, with one exception: Green Lambert, which includes an OS X variant. In roughly chronological order of deployment, the members that malware experts confirm are Green, White, Pink, Blue, Black and Gray Lambert. Although all sub-groups include backdoor features, some are deployed alongside other members (such as White and Pink), and many of them use sharply diverging strategies and features.

As a brief rundown of some of the more noteworthy aspects of each 'color' of Trojan:

  • The Black Lambert's deployment period is the shortest, possibly because a cyber-security company caught and analyzed it relatively early. The Black Lambert is one of the 'active' versions, in that it connects to a Command & Control server directly for instructions from the attacker.
  • Contrastingly, the White Lambert is 'passive.' Rather than connecting to a server, it intercepts and sniffs through network traffic for embedded instructions.
  • The Pink Lambert includes a new orchestrator component for managing multiple platforms. Even more unusually, it possesses a module for USB-based data exfiltration.
  • The Blue Lambert is an update of the Green Lambert, both of which are 'active' sub-types like the Black Lambert. Besides the OS X branch, the Green Lambert's most interest-piquing trait is that one of its installation exploits used a software package specific to industrial sector Web forums.

Bleaching Out the Colors of Crime

Although most of the Lambert family's activity dates back to 2013 and the year following it, it's not likely that the Lamberts are inactive. However, their campaigns are highly-targeted at specific, high-value entities, such as government networks or sensitive businesses. They also show an interest in avoiding any analysis attempts, as one of their newer utilities, the DePriMon Trojan downloader, demonstrates.

Users of all operating systems in relevant industries and work environments should consider themselves at potential risk of attacks from this threat actor and from new versions of Lambert Trojans. There is a strong correlation between Lambert infections and the presence of software vulnerabilities, both zero-day and patchable. Naturally, admins should always limit the risk of an attack by updating their software to the latest secure versions as quickly and regularly as possible.

Symptoms of the Lambert Trojans are minimal to nonexistent for any user. However, advanced network analysis tools, firewalls, and anti-malware products may identify components of these threats or their behavior. Anti-malware tools may, additionally, uninstall Lambert Trojans from infected systems.

This family also has a little-seen playful side. Many of Lambert's project and program names reference Japanese cartoons, video games, or even American cultural gimmicks like the funnel cake carnival food. Of course, when one is a state-sponsored hacker, one can afford a little humor – while not losing the programming professionalism that makes Lambert so threatening.
