A previously undocumented malware called SambaSpy is exclusively targeting users in Italy through a phishing campaign orchestrated by a suspected Brazilian Portuguese-speaking threat actor.
“Threat actors usually try to cast a wide net to maximize their profits, but these attackers are focused on just one country,” Kaspersky said in a new analysis. “It’s likely that the attackers are testing the waters with Italian users before expanding their operation to other countries.”
The attack begins with a phishing email that includes either an HTML attachment or an embedded link to start the infection process. If the HTML attachment is opened, a ZIP archive containing an interim downloader or dropper is used to deploy and launch the multi-functional RAT payload.
The downloader fetches the malware from a remote server, while the dropper extracts the payload from the archive instead of retrieving it externally.
The second infection chain with the booby-trapped link is more intricate, redirecting users to a legitimate invoice on FattureInCloud if they are not the target. On clicking the URL, victims are led to a malicious web server serving an HTML page with Brazilian Portuguese comments.
If users pass language checks, they are directed to a PDF document on OneDrive, prompting them to click a hyperlink leading to a JAR file on MediaFire containing the downloader or dropper.
SambaSpy, a Java-based RAT, offers functionalities like file management, remote desktop, keylogging, webcam control, and credential theft from browsers like Chrome, Edge, and Opera.
Infrastructure evidence indicates the threat actor is expanding operations to Brazil and Spain, targeting users in these countries due to language similarities.
The article then transitions to discuss recent campaigns by banking trojans BBTok and Mekotio targeting Latin America through phishing scams involving business and judicial transactions.
Trend Micro highlighted the evolving techniques employed by these trojans to evade detection and steal sensitive information, emphasizing the need for enhanced cybersecurity measures.

The article concludes with a call for improved cybersecurity defenses against these advanced threats as cybercriminals continue to target larger groups for financial gain.