A previously undocumented malware known as SambaSpy has surfaced, specifically directed at Italian users through deceptive emails that are believed to originate from a Portuguese-speaking threat actor in Brazil.
A new analysis by Kaspersky revealed, “While most cybercriminals usually go wide to maximize their returns, these attackers are honing in on a single territory. It seems like the threat actors are testing the waters with Italian users before taking their campaign to other regions.”
The attack begins with a phishing email carrying either an HTML attachment or an embedded link that starts the infection chain. If the HTML attachment is opened, a ZIP archive containing an interim downloader or dropper is used to deliver and execute the multifunctional RAT payload.
The downloader is tasked with fetching the malware from a remote server. The dropper performs a similar role, but extracts the payload from the archive instead of retrieving it remotely.
The second infection route, using the deceptive link, is notably convoluted: clicking it redirects the user to a legitimate invoice hosted on a platform named FattureInCloud if the user is not the intended target.
If the user is the intended target, a click on the same URL instead leads the victim to a malicious web server hosting an HTML page whose JavaScript code contains comments written in Brazilian Portuguese.
“The victims are redirected to a nefarious OneDrive link but only if their browsers are Edge, Firefox, or Chrome with Italian as the language preference,” as stated by the Russian security entity. “If these conditions aren’t met, they remain on the page.”
Users meeting those criteria are presented with a PDF document hosted on Microsoft OneDrive, which instructs them to click a hyperlink to view the document; that link lands them on a malicious JAR file hosted on MediaFire containing either the downloader or the dropper described above.
SambaSpy, a Java-based remote access trojan, is equipped with a wide range of functionality, including managing the file system, supervising processes, controlling the remote desktop, uploading and downloading files, managing webcams, keylogging, monitoring the clipboard, capturing screenshots, and operating a remote shell.
Moreover, it is designed to extend its capabilities by loading additional plugins on the fly, enabling it to adapt as required. It is also tailored to steal login credentials from popular web browsers such as Chrome, Edge, Opera, Brave, Iridium, and Vivaldi.
Examination of the infrastructure suggests that the threat actor behind the campaign is contemplating an expansion of their activities to Brazil and Spain, indicating a prospective enlargement of operations.
Kaspersky commented, “Several clues point towards Brazil, such as linguistic remnants in the code and domains specifically aimed at Brazilian users. This aligns with the trend where Latin American cybercriminals often target Europe-based countries with comparable languages like Italy, Spain, and Portugal.”
Fresh BBTok and Mekotio Campaigns Concentrating on Latin America
These developments come shortly after Trend Micro raised the alarm over a surge in campaigns distributing banking trojans such as BBTok, Grandoreiro, and Mekotio that target the Latin American region via phishing lures themed around business and legal transactions.
Regarding Mekotio, the company highlighted, “The trojan has adopted a novel tactic where its PowerShell script is now obfuscated, amplifying its ability to dodge detection.” It also underscored BBTok’s approach of using deceptive links in phishing attempts to download ZIP or ISO files harboring LNK files that act as the starting point for the infection.
The LNK file advances to the next stage by launching the legitimate MSBuild.exe binary from within the ISO file. MSBuild.exe then processes a malicious XML file concealed in the same archive, which leverages rundll32.exe to load the BBTok DLL payload.

Trend Micro noted, “By exploiting the legitimate Windows utility MSBuild.exe, the perpetrators can execute their malicious code discreetly, evading detection in the process.”
The attack sequences associated with Mekotio begin with a malicious URL embedded in the phishing email, which, when clicked, directs the user to a fraudulent website serving a ZIP archive containing a batch file designed to execute a PowerShell script.
The PowerShell script acts as a second-stage downloader that launches the trojan via an AutoHotKey script, after first performing reconnaissance of the target’s environment to confirm that the victim is located in specific countries.
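From the detection side, the two execution chains described above (BBTok: MSBuild.exe handed an .xml project and then spawning rundll32.exe; Mekotio: a batch file launching PowerShell, which launches AutoHotkey) are easy to express as parent-child process rules. The block below is an added illustration, not code from the report or from either vendor; the process-creation events, file paths and rule names are constructed for the sample.

```python
import ntpath

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
# pids 101-102 mimic the BBTok chain, 200-202 the Mekotio chain, 300 is a benign build.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmd": r"MSBuild.exe E:\invoice\build.xml"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe E:\invoice\payload.dll,Start"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c run.bat"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -File stage.ps1"},
    {"pid": 202, "ppid": 201, "image": r"C:\Tools\AutoHotkey.exe", "cmd": "AutoHotkey.exe stage.ahk"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmd": r"MSBuild.exe C:\src\app.csproj"},
]

# Parent-to-child image sequences taken from the two infection chains described in the text.
CHAIN_RULES = {
    "bbtok_msbuild_rundll32": ["msbuild.exe", "rundll32.exe"],
    "mekotio_cmd_powershell_ahk": ["cmd.exe", "powershell.exe", "autohotkey.exe"],
}

def _basename(image):
    return ntpath.basename(image).lower()

def ancestry(events, pid):
    """Return image basenames from the root ancestor down to the given pid."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against pid-reuse loops
        seen.add(pid)
        chain.append(_basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]

def detect(events):
    """Return sorted (rule, pid) pairs for events matching a chain or the MSBuild .xml trick."""
    hits = []
    for e in events:
        lineage = ancestry(events, e["pid"])
        for rule, chain in CHAIN_RULES.items():
            if lineage[-len(chain):] == chain:  # chain must be the tail of the lineage
                hits.append((rule, e["pid"]))
        # MSBuild given a bare .xml project is the BBTok trick; normal builds use .csproj/.sln.
        if _basename(e["image"]) == "msbuild.exe" and e["cmd"].lower().endswith(".xml"):
            hits.append(("msbuild_xml_project", e["pid"]))
    return sorted(hits)
```

Running `detect(SAMPLE_EVENTS)` flags the rundll32.exe child of MSBuild, the AutoHotkey process under cmd.exe and PowerShell, and the MSBuild invocation with an .xml project, while the benign .csproj build is left alone.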
“The rise of sophisticated phishing schemes aimed at Latin American users emphasizes the urgency for bolstered cybersecurity measures against increasingly sophisticated tactics employed by cyber offenders,” Trend Micro researchers emphasized.
“These trojans are becoming more adept at avoiding detection and pilfering sensitive data, while the syndicates behind them are becoming more daring in targeting larger demographics for bigger gains.”