
SambaSpy Malware

A newly discovered malware, dubbed SambaSpy, is specifically targeting users in Italy through a phishing campaign led by a suspected Portuguese-speaking threat actor from Brazil. Unlike most threat actors, who typically aim for a broad audience to maximize gains, this group appears to be concentrating solely on Italy. It's possible that they are using this focused approach as a test run before extending their activities to other regions.

SambaSpy Attacks Begin with Phishing Messages

The attack starts with a phishing email delivering either an HTML attachment or an embedded link that triggers the infection process. If the HTML attachment is opened, it reveals a ZIP archive with a downloader or dropper, which deploys and executes the multi-functional RAT payload.

The downloader retrieves the malware from a remote server, while the dropper extracts the payload directly from the archive rather than an external source.
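The distinction between the two variants matters for triage: an HTML attachment that carries the archive itself can be inspected offline before anything is detonated. The script below is an added example, not code from the original article or from any SambaSpy sample, and it assumes the HTML attachment embeds the ZIP as a base64 blob in the page source (an HTML-smuggling style construction; the article does not state how the archive is packaged). It constructs such an attachment in memory, locates base64 runs that decode to a ZIP, and lists the archive entries, flagging executable types such as .jar.

```python
import base64
import binascii
import io
import re
import zipfile

# Minimum length of a base64 run worth decoding; short runs are usually
# ordinary text or attribute values rather than a smuggled archive.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")
ZIP_MAGIC = b"PK\x03\x04"
# Entry types a reviewer would want called out explicitly (assumption).
RISKY_EXT = (".jar", ".exe", ".js", ".vbs", ".lnk", ".bat", ".cmd", ".scr")


def build_sample_html() -> str:
    """Construct a sample attachment: a ZIP (with a .jar inside) base64-encoded
    into a script variable. Constructed for this example; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fattura.jar", b"placeholder jar bytes (constructed)")
        zf.writestr("leggimi.txt", b"apri la fattura allegata")
    blob = base64.b64encode(buf.getvalue()).decode("ascii")
    return (
        "<html><body><p>Fattura in allegato</p>"
        f"<script>var payload='{blob}';</script>"
        "</body></html>"
    )


def find_smuggled_archives(html: str) -> list:
    """Return one finding per base64 run that decodes to a valid ZIP archive.

    Each finding records where the blob sits in the page, the decoded size,
    every entry name, and the subset of entries with a risky extension.
    """
    findings = []
    for match in B64_RUN.finditer(html):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (ValueError, binascii.Error):
            continue  # not valid base64 after all
        if not raw.startswith(ZIP_MAGIC):
            continue  # decodes, but is not a ZIP local file header
        try:
            with zipfile.ZipFile(io.BytesIO(raw)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            continue
        findings.append(
            {
                "offset": match.start(),
                "size": len(raw),
                "entries": names,
                "risky": [n for n in names if n.lower().endswith(RISKY_EXT)],
            }
        )
    return findings


if __name__ == "__main__":
    for finding in find_smuggled_archives(build_sample_html()):
        print(f"ZIP at offset {finding['offset']} ({finding['size']} bytes)")
        for name in finding["entries"]:
            flag = "  <-- risky" if name in finding["risky"] else ""
            print(f"  {name}{flag}")
```

The decoder never executes anything from the attachment; it only reads ZIP metadata, so it is safe to run on a quarantined message. Nested archives (a ZIP inside the ZIP) would need the same check applied recursively to each entry's bytes.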

A second infection chain involving the fraudulent link is more sophisticated. If clicked by an unintended target, it redirects the user to a legitimate invoice hosted on FattureInCloud, adding a layer of deception.

Alternate Scenario for the Delivery of the SambaSpy Threat

In another scenario, clicking the same URL directs the victim to a compromised Web server that displays an HTML page with JavaScript code containing comments in Brazilian Portuguese.

This page redirects users to a malicious OneDrive link, but only if they are using Edge, Firefox or Chrome with the browser language set to Italian. If these conditions aren't met, they remain on the same page. For those who pass the checks, a PDF document hosted on Microsoft OneDrive is presented, instructing them to click a hyperlink to view the document. This leads them to a fraudulent JAR file on MediaFire, containing either the downloader or dropper, as in the previous cases.
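Whichever chain the victim follows, the final step is the same: a downloaded JAR is launched by the Java runtime on the endpoint. That gives defenders a process-level detection point that does not depend on the phishing lure, the OneDrive link, or the MediaFire host. The rule below is an added example, not detection content from the original article or from any vendor; it assumes Windows endpoints with process-creation telemetry (parent image, image path, command line) and that a JAR started by java.exe or javaw.exe from a user-writable location such as Downloads or Temp is worth an alert, with a browser or Explorer parent raising the severity. The events it scans are constructed for the example.

```python
import ntpath
import re

JAVA_IMAGES = {"java.exe", "javaw.exe"}
# Browser parents named in the article's delivery chain, plus Explorer for
# the double-click-after-download case (assumption).
LAUNCHER_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}
# User-writable directories where a freshly downloaded JAR would sit (assumption).
USER_WRITABLE = re.compile(r"\\(Downloads|Desktop|AppData\\Local\\Temp|Temp)\\", re.I)
# Captures the JAR path from "-jar <path>", quoted or unquoted.
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+\.jar)"|(\S+\.jar))', re.I)

# Constructed sample telemetry; not real logs.
SAMPLE_EVENTS = [
    {"parent": "chrome.exe", "image": r"C:\Program Files\Java\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\bin\javaw.exe" -jar C:\Users\mario\Downloads\fattura.jar'},
    {"parent": "explorer.exe", "image": r"C:\Program Files\Java\bin\javaw.exe",
     "cmdline": r'javaw.exe -jar "C:\Users\mario\Downloads\Fattura 2024.jar"'},
    {"parent": "services.exe", "image": r"C:\Program Files\Java\bin\java.exe",
     "cmdline": r"java.exe -jar C:\Apps\build\tool.jar"},
    {"parent": "chrome.exe", "image": r"C:\Program Files\Adobe\AcroRd32.exe",
     "cmdline": r'AcroRd32.exe C:\Users\mario\Downloads\invoice.pdf'},
    {"parent": "cmd.exe", "image": r"C:\Program Files\Java\bin\java.exe",
     "cmdline": r"java.exe -jar C:\Users\mario\AppData\Local\Temp\update.jar"},
]


def evaluate(event: dict):
    """Return an alert dict for a suspicious JAR launch, or None."""
    image = ntpath.basename(event["image"]).lower()
    if image not in JAVA_IMAGES:
        return None
    match = JAR_ARG.search(event["cmdline"])
    if not match:
        return None  # Java running, but not a -jar launch
    jar = match.group(1) or match.group(2)
    if not USER_WRITABLE.search(jar):
        return None  # JAR lives in an install location; treat as benign here
    parent = event["parent"].lower()
    severity = "high" if parent in LAUNCHER_PARENTS else "medium"
    return {"severity": severity, "jar": jar, "parent": parent}


def scan(events: list) -> list:
    """Evaluate every event and return the alerts with their event index."""
    alerts = []
    for index, event in enumerate(events):
        result = evaluate(event)
        if result is not None:
            alerts.append({"index": index, **result})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] event {alert['index']}: "
              f"{alert['parent']} launched {alert['jar']}")
```

The rule deliberately ignores JARs under install paths so that legitimate Java tooling does not page anyone; a real deployment would tune the directory list and parent set to the environment and pair the alert with the web proxy logs for the download itself.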

SambaSpy Is Equipped with a Diverse Set of Threatening Capabilities

SambaSpy is a versatile Remote Access Trojan (RAT) developed in Java, functioning like a Swiss Army knife for cybercriminals. It offers a wide range of capabilities, including file system and process management, remote desktop control, file upload/download, webcam access, keylogging, clipboard tracking, screenshot capture, and remote shell access.

The malware can also load additional plugins at runtime by executing files it previously downloaded, enabling it to enhance its functions as needed. Moreover, it's designed to harvest credentials from popular Web browsers like Chrome, Edge, Opera, Brave, Iridium and Vivaldi.

Infrastructure clues indicate that the threat actor behind SambaSpy may be expanding operations to Brazil and Spain. Several connections to Brazil, such as language traces in the code and domains targeting Brazilian users, suggest a Brazilian origin. This fits a broader trend where Latin American attackers often target European countries with linguistically similar markets, such as Italy, Spain and Portugal.
