A newly discovered malware called SambaSpy is targeting users in Italy through a phishing campaign orchestrated by a suspected Brazilian Portuguese-speaking threat actor. Kaspersky's latest analysis reveals that this attack is unique, as it focuses on a single country rather than casting a wide net, suggesting that the attackers may be testing their approach before expanding to other regions.
The attack starts with a phishing email that carries either an HTML attachment or a malicious link. If the HTML attachment is opened, it delivers a ZIP archive containing a downloader or a dropper, which in turn launches the multi-functional RAT (Remote Access Trojan) payload. The downloader fetches the malware from a remote server, while the dropper extracts it from the archive itself.
In the second infection chain, clicking the malicious link redirects the recipient to a legitimate invoice on FattureInCloud if they are not the intended target. If the recipient is a match, meaning they are running Edge, Firefox, or Chrome with the browser language set to Italian, they are redirected instead to a OneDrive-hosted PDF that links to a malicious JAR file on MediaFire. That JAR contains the downloader or dropper and starts the infection process.
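The first chain, an HTML attachment that "delivers" a ZIP archive, is the shape of an HTML-smuggling lure, where the archive is embedded in the page as a base64 string and reassembled by script when the file is opened. The following scanner is an added example written for this article, not code from Kaspersky or from the article; it assumes that embedding technique (the article does not say how the ZIP is packaged) and builds its own constructed sample attachment so it runs offline. It decodes every long base64 run in an HTML attachment, keeps the ones that decode to a ZIP (`PK\x03\x04` header), lists the archive entries and flags executable-type names such as `.jar`, which a mail gateway or triage script can then quarantine for review.

```python
import base64
import binascii
import io
import re
import zipfile
from typing import Dict, List

# Constructed sample: an HTML "attachment" that embeds a base64 ZIP blob the
# way an HTML-smuggling lure would. The ZIP is built in memory; the JAR entry
# name and its bytes are placeholders, not real SambaSpy artefacts.
def build_sample_html() -> str:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Fattura_2024.jar", b"placeholder jar bytes")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return (
        "<html><body><p>Fattura allegata</p><script>\n"
        f'var blob = "{b64}";\n'
        'var a = document.createElement("a");\n'
        'a.href = "data:application/zip;base64," + blob;\n'
        "</script></body></html>"
    )


# Long runs of base64 characters; short tokens (attribute names, words) are
# ignored so we only decode things that could plausibly be a payload.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
ZIP_MAGIC = b"PK\x03\x04"
# Entry extensions that should never arrive inside a mailed HTML attachment.
SUSPICIOUS_EXT = (".jar", ".exe", ".js", ".vbs", ".lnk", ".bat", ".cmd", ".scr")


def find_embedded_archives(html: str) -> List[Dict]:
    """Return one finding per base64 blob in `html` that decodes to a ZIP.

    Each finding records where the blob sits in the attachment, the decoded
    size, the archive's entry names, and which of those look executable.
    """
    findings = []
    for match in BASE64_RE.finditer(html):
        try:
            data = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not well-formed base64 (bad length or padding)
        if not data.startswith(ZIP_MAGIC):
            continue  # decoded fine, but not a ZIP container
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []  # truncated or corrupt archive: still worth flagging
        findings.append({
            "offset": match.start(),
            "size": len(data),
            "entries": names,
            "suspicious": [n for n in names if n.lower().endswith(SUSPICIOUS_EXT)],
        })
    return findings


def verdict(html: str) -> str:
    """Triage decision: 'block' on executable entries, 'review' on any
    embedded archive, 'clean' when no archive is smuggled in."""
    findings = find_embedded_archives(html)
    if any(f["suspicious"] for f in findings):
        return "block"
    return "review" if findings else "clean"


if __name__ == "__main__":
    sample = build_sample_html()
    for f in find_embedded_archives(sample):
        print(f"ZIP at offset {f['offset']}, {f['size']} bytes, entries={f['entries']}, "
              f"suspicious={f['suspicious']}")
    print("verdict:", verdict(sample))
```

The scanner deliberately decodes every candidate run rather than trusting MIME labels, since the lure controls the markup around the blob; a JAR is itself a ZIP, so the same magic-byte check would also catch a JAR embedded directly instead of wrapped in an outer archive.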
SambaSpy is a full-featured RAT developed in Java, acting as a "Swiss Army knife" capable of file and process management, remote desktop control, keylogging, webcam monitoring, and more. It also steals credentials from popular web browsers like Chrome, Edge, and Brave. Moreover, it can load additional plugins at runtime, enhancing its malicious capabilities.
Kaspersky notes that infrastructure evidence points to a planned expansion of SambaSpy's targeting to Brazil and Spain, aligning with the attackers' Brazilian roots and potential interest in countries with closely related languages.
This discovery comes alongside new banking trojan campaigns, such as BBTok and Mekotio, which are targeting Latin America. These trojans leverage phishing scams related to business and legal transactions, using sophisticated techniques to evade detection. Mekotio's PowerShell script obfuscation and BBTok’s use of legitimate Windows utilities like MSBuild.exe are among the strategies that help these malware campaigns bypass security measures.
As cybercriminals grow bolder and more advanced, these phishing attacks underline the importance of robust cybersecurity practices to protect sensitive banking credentials and other personal data.