A previously undocumented malware called SambaSpy is targeting users exclusively in Italy via a phishing campaign orchestrated by a suspected Brazilian Portuguese-speaking actor.

"Threat actors typically try to cast a wide net to maximize their profits, but these attackers are focused on just one country," Kaspersky said in a new analysis. "The attackers are probably testing their methods on Italian users before expanding their operations to other countries."

The attack starts with a phishing email that either contains an HTML attachment or an embedded link that sets off the infection process. When opened, the HTML attachment employs a ZIP archive laced with an intermediary downloader or dropper to deliver and launch the multifunctional RAT payload.

The downloader, for its part, is responsible for retrieving the malware from a remote server, whereas the dropper extracts the payload from the archive itself rather than fetching it from an external location.

The second infection chain involving the booby-trapped link is more elaborate in that clicking on the link redirects the user to a legitimate invoice hosted on FattureInCloud if they are not the intended target.

If the visitor is the intended target, clicking on the same URL instead leads to a malicious web server that serves an HTML page containing JavaScript code, the comments of which are written in Brazilian Portuguese.

"It redirects users to a malicious OneDrive URL but only if they use either Edge, Firefox or Chrome with the Italian language setting," the Russian cybersecurity vendor said. "If the users do not pass these checks, they stay on the page."

Users who meet those requirements are then presented with a PDF document hosted on Microsoft OneDrive that instructs them to click on a hyperlink to view the document, only to be redirected to a malicious JAR file hosted on MediaFire, which, as in the first chain, contains either the downloader or the dropper.
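Both delivery chains above leave static artifacts a mail gateway or sandbox can triage before anything runs: an HTML attachment that carries a base64-encoded ZIP (the `PK\x03\x04` signature survives encoding), and a landing page whose script reads `navigator.language` / `navigator.userAgent` and only then writes to `window.location`. The following Python scanner is an added example, not code from Kaspersky or from the campaign; the sample page, its placeholder OneDrive URL and the fake ZIP blob are constructed here, and the list of file hosts is limited to the ones named in this article.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Set

# Constructed sample lure page modelled on the delivery chains described above. It is NOT the
# real SambaSpy page: the URL is a placeholder and the "ZIP" is a bare PK header plus padding.
_FAKE_ZIP_B64 = base64.b64encode(b"PK\x03\x04" + bytes(40)).decode()
SAMPLE_HTML = """<html><body><p>Fattura</p>
<script>
// constructed: gate on language and browser family before redirecting
var ua = navigator.userAgent;
var lang = navigator.language || "";
var ok = lang.toLowerCase().indexOf("it") === 0 &&
         (ua.indexOf("Chrome") >= 0 || ua.indexOf("Firefox") >= 0 || ua.indexOf("Edg") >= 0);
if (ok) { window.location.href = "https://onedrive.live.com/example-placeholder"; }
var payload = "__ZIP__";
var raw = atob(payload);
</script></body></html>""".replace("__ZIP__", _FAKE_ZIP_B64)

# Constructed benign control page: a script, but no gating, no redirect, no embedded archive.
BENIGN_HTML = '<html><body><script>document.title = "Fattura n. 42";</script></body></html>'

GATING_SOURCES = ("navigator.language", "navigator.languages", "navigator.userAgent")
REDIRECT_SINKS = ("window.location", "location.href", "location.replace",
                  "location.assign", "document.location")
# Only hosts the reporting above names; extend from your own telemetry.
FILE_HOSTS = ("onedrive.live.com", "1drv.ms", "mediafire.com")


@dataclass
class Findings:
    gating_sources: List[str] = field(default_factory=list)
    redirect_sinks: List[str] = field(default_factory=list)
    external_urls: List[str] = field(default_factory=list)
    embedded_zip_sizes: List[int] = field(default_factory=list)


def find_embedded_zips(html: str) -> List[int]:
    """Sizes of base64 runs that decode to data starting with a ZIP local-file header."""
    sizes = []
    for m in re.finditer(r"[A-Za-z0-9+/]{20,}={0,2}", html):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if raw.startswith(b"PK\x03\x04"):
            sizes.append(len(raw))
    return sizes


def scan_html(html: str) -> Findings:
    """Collect inline-script indicators: gating sources, redirect sinks, URLs, smuggled ZIPs."""
    f = Findings()
    js = "\n".join(re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I))
    f.gating_sources = [s for s in GATING_SOURCES if s in js]
    f.redirect_sinks = [s for s in REDIRECT_SINKS if s in js]
    f.external_urls = re.findall(r"https?://[^\s\"'<>]+", js)
    f.embedded_zip_sizes = find_embedded_zips(html)
    return f


def triage(html: str) -> Set[str]:
    """Map findings to coarse tags a gateway could route on (quarantine, detonate, allow)."""
    f = scan_html(html)
    tags: Set[str] = set()
    if f.embedded_zip_sizes:
        tags.add("html-smuggled-zip")
    if f.gating_sources and f.redirect_sinks:
        tags.add("client-gated-redirect")
    if any(host in url for url in f.external_urls for host in FILE_HOSTS):
        tags.add("file-host-redirect")
    return tags


if __name__ == "__main__":
    print("lure   :", sorted(triage(SAMPLE_HTML)))
    print("benign :", sorted(triage(BENIGN_HTML)))
```

The "client-gated-redirect" tag is deliberately a pair test (a gating source *and* a redirect sink in the same document): language-aware sites legitimately read `navigator.language`, and plenty of pages redirect, but a page that does both and links to a consumer file host is what the sandbox should detonate with an Italian-locale Chrome/Edge/Firefox profile, since with any other profile it will simply stay on the page as the report describes.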

SambaSpy is a full-fledged remote access trojan written in Java, a Swiss Army knife capable of file system management, process management, remote desktop management, file upload/download, webcam control, keylogging and clipboard tracking, taking screenshots, and providing a remote shell.

It’s also capable of loading additional plugins at runtime by launching a file on disk that was previously downloaded by the RAT, effectively allowing it to expand its capabilities as needed. What’s more, it’s designed to steal credentials from web browsers such as Chrome, Edge, Opera, Brave, Iridium, and Vivaldi.

Infrastructure evidence indicates that the threat actor behind the campaign is also targeting Brazil and Spain, suggesting an expansion of the operations.

"There are various connections to Brazil, such as language artifacts in the code and domains targeting Brazilian users," Kaspersky said. "This tracks with the fact that attackers from Latin America often target European countries with closely related languages, namely Italy, Spain, and Portugal."

New BBTok and Mekotio Campaigns Target Latin America

The development comes weeks after Trend Micro warned of a surge in campaigns spreading banking trojans such as BBTok, Grandoreiro, and Mekotio targeting the Latin American region, by way of phishing scams that leverage business and legal proceedings as lures.

Mekotio "utilizes a new technique wherein the trojan's PowerShell script is now obfuscated, improving its ability to evade detection," the company said, adding that BBTok uses phishing links to download ZIP or ISO files that contain LNK files, which act as the trigger for the infections.

The LNK file proceeds to the next stage by launching the legitimate binary MSBuild.exe, located within the ISO file, which loads a malicious XML file (also present in the ISO archive) that in turn leverages rundll32.exe to launch the BBTok DLL payload.

"By using the legitimate Windows utility MSBuild.exe, attackers can execute their malicious code while evading detection," Trend Micro said.

The attack chains associated with Mekotio start with a malicious URL in the phishing email that, when clicked, directs the user to a fake website that delivers a ZIP archive. This archive houses a batch file that’s designed to execute a PowerShell script.

The PowerShell script acts as a second-stage downloader that retrieves and launches the trojan using an AutoHotKey script, but not before performing a victim environment check to confirm that the host is indeed located in one of the targeted countries.
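The BBTok chain (ISO-hosted MSBuild.exe loading an XML project that hands off to rundll32.exe) and the Mekotio chain (batch file, obfuscated PowerShell, then AutoHotKey) are both visible as parent/child process relationships, which is where the "legitimate binary" trick stops helping the attacker. The detector below is an added example, not Trend Micro's code or a Sigma rule from the report; the process-creation records are constructed Sysmon-style events, the rule names are invented here, and the "outside the system drive" check assumes Windows is installed on C:.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation records (not real telemetry). pids 200/300 model the
# BBTok chain (MSBuild.exe run from a mounted ISO on E:, spawning rundll32.exe); pids 400-600
# model the Mekotio chain (.bat -> PowerShell -> AutoHotKey); pid 700 is a benign Visual Studio
# build that must not alert.
EVENTS: List[dict] = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"E:\MSBuild.exe",
     "cmdline": r"E:\MSBuild.exe E:\fattura.xml"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\payload.dll,Start"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\mario\Downloads\documento.bat"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand ZWNobyBoaQ=="},  # encodes "echo hi"
    {"pid": 600, "ppid": 500, "image": r"C:\Users\mario\AppData\Local\Temp\AutoHotkey.exe",
     "cmdline": r"AutoHotkey.exe C:\Users\mario\AppData\Local\Temp\s.ahk"},
    {"pid": 700, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj"},
]

# PowerShell accepts unambiguous prefixes of -EncodedCommand; backtick and "+" density are a
# crude proxy for string-splitting obfuscation (thresholds are assumptions, tune on your data).
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s")


def _name(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def lineage(by_pid: Dict[int, dict], pid: int) -> List[dict]:
    """The process and its ancestors, nearest first; stops on a missing parent or a cycle."""
    out, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        out.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return out


def looks_obfuscated(cmdline: str) -> bool:
    """Heuristic for an encoded or string-mangled PowerShell command line."""
    return bool(ENCODED_FLAG.search(cmdline)) or cmdline.count("`") > 5 or cmdline.count("+") > 8


def detect(events: List[dict]) -> List[Tuple[str, int]]:
    """Return (rule, pid) alerts for the two delivery chains, ordered by pid."""
    by_pid = {e["pid"]: e for e in events}
    alerts: List[Tuple[str, int]] = []
    for e in events:
        names = [_name(x["image"]) for x in lineage(by_pid, e["pid"])]
        me, ancestors = names[0], names[1:]
        # MSBuild.exe copied into an ISO/removable volume rather than the installed SDK path.
        if me == "msbuild.exe" and not e["image"].lower().startswith("c:\\"):
            alerts.append(("msbuild-outside-system-drive", e["pid"]))
        # A build tool has no business spawning rundll32.exe.
        if me == "rundll32.exe" and "msbuild.exe" in ancestors:
            alerts.append(("msbuild-spawned-rundll32", e["pid"]))
        # Batch-launched PowerShell with an encoded/obfuscated command line.
        if me == "powershell.exe" and "cmd.exe" in ancestors and looks_obfuscated(e["cmdline"]):
            alerts.append(("cmd-launched-obfuscated-powershell", e["pid"]))
        # AutoHotKey interpreter started by PowerShell, matching the Mekotio hand-off.
        if me.startswith("autohotkey") and "powershell.exe" in ancestors:
            alerts.append(("powershell-spawned-autohotkey", e["pid"]))
    return sorted(alerts, key=lambda a: a[1])


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{pid:>4}  {rule}")
```

Each rule walks the full ancestry rather than checking only the immediate parent, so an intermediate `conhost.exe` or a second `cmd.exe` hop does not break the match; the cost is that the MSBuild-to-rundll32 rule will also fire on a developer who runs a build that legitimately calls rundll32.exe, which is exactly the case the path check on pid 700 is there to separate out.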

"Increasingly sophisticated phishing scams targeting Latin American users to steal sensitive banking information and conduct unauthorized banking transactions highlight the urgent need for improved cybersecurity measures against the increasingly sophisticated methods of cybercriminals," Trend Micro researchers said.

"These trojans are becoming increasingly adept at evading detection and stealing sensitive information, while the gangs behind them are growing bolder, targeting larger groups in pursuit of greater profits."