New Brazil-linked SambaSpy malware targets Italian users via phishing emails

By Admin, September 19, 2024
A previously undocumented malware called SambaSpy is targeting users in Italy exclusively through a phishing campaign orchestrated by an alleged Brazilian Portuguese-speaking actor.

“Threat actors usually try to cast a wide net to maximize their profits, but these attackers are focused on just one country,” Kaspersky said in a new analysis. “It is likely that the attackers are testing the waters with Italian users before expanding to other countries.”

The starting point of the attack is a phishing email that contains either an HTML attachment or an embedded link, and either one initiates the infection process. When the HTML attachment is opened, it yields a ZIP archive containing an intermediate downloader or dropper, which is used to deploy and run the multi-purpose RAT payload.

The downloader is responsible for retrieving the malware from a remote server. A dropper does the same job, but extracts the payload from the archive itself rather than fetching it from an external location.
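The HTML-attachment branch described above is the HTML-smuggling pattern: the archive is carried inside the HTML file (typically as a base64 string that page-side JavaScript turns into a download), so nothing is fetched from the network until the user opens it. The following is an added detection example, not code from the original article or from Kaspersky: it scans an HTML attachment for base64 runs that decode to a ZIP/JAR container and reports any members with loader-style extensions. The sample attachment, its file names and the JavaScript stub are all constructed for the demo.

```python
import base64
import io
import re
import zipfile

# Extensions that, inside a smuggled archive, match the loaders described in
# the article (JAR for SambaSpy, LNK/batch files for the BBTok and Mekotio chains).
EXECUTABLE_EXTS = (".jar", ".lnk", ".bat", ".cmd", ".js", ".vbs", ".exe", ".iso")

# Runs of base64 text long enough to hold a file; short runs are ignored to keep
# the scan cheap and to avoid matching ordinary identifiers in the markup.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def find_smuggled_archives(html: str) -> list:
    """Return one finding per base64 blob in `html` that decodes to a ZIP/JAR."""
    findings = []
    for m in B64_RUN.finditer(html):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # not valid base64 (binascii.Error is a ValueError)
            continue
        if not raw.startswith(b"PK\x03\x04"):  # local file header magic of ZIP and JAR
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(raw)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            members = []  # magic present but archive truncated or corrupt: still report it
        findings.append({
            "offset": m.start(),
            "size": len(raw),
            "members": members,
            "executable_members": [n for n in members if n.lower().endswith(EXECUTABLE_EXTS)],
        })
    return findings


def build_sample_html() -> str:
    """Constructed sample attachment: an HTML page carrying a base64 ZIP that the
    page's JavaScript would turn into a download. The ZIP holds a harmless text
    file whose name mimics a Java loader; nothing here is a real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Fattura.jar", "placeholder text, not a real JAR")
    blob = base64.b64encode(buf.getvalue()).decode()
    return (
        "<html><body><p>Fattura in allegato</p><script>\n"
        f'var d = "{blob}";\n'
        "var bytes = Uint8Array.from(atob(d), c => c.charCodeAt(0));\n"
        'var blob = new Blob([bytes], {type: "application/zip"});\n'
        "</script></body></html>"
    )


if __name__ == "__main__":
    for f in find_smuggled_archives(build_sample_html()):
        print(f"smuggled archive at offset {f['offset']}, "
              f"{f['size']} bytes, loader-like members: {f['executable_members']}")
```

The check is deliberately content-based (the ZIP magic after decoding) rather than keyed on `atob` or `Blob`, so it also catches attachments whose JavaScript is obfuscated. Its blind spot is a blob split across several concatenated string literals or encoded with something other than plain base64; a mail gateway would pair this with detonation of the attachment in a sandbox.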

The second infection chain, triggered by the embedded link, is considerably more complex: clicking it redirects the user to a legitimate invoice hosted on FattureInCloud if they are not the intended target.

In an alternative scenario, clicking the same URL redirects the victim to a malicious web server that serves an HTML page with JavaScript code with comments written in Brazilian Portuguese.

“It redirects users to a malicious OneDrive URL, but only if they are running Edge, Firefox or Chrome with the Italian language,” the Russian cybersecurity vendor said. “If users don’t pass these checks, they stay on the page.”

Users who pass the checks receive a PDF document hosted on Microsoft OneDrive that instructs them to click a hyperlink to view the document, after which they are directed to a malicious JAR file hosted on MediaFire that contains the downloader or the dropper described above.

A full-featured Java-based remote access trojan, SambaSpy is nothing short of a Swiss army knife: it handles file system management, process management, remote desktop control, file upload and download, webcam control, keystroke logging, clipboard tracking, screenshot capture, and a remote shell.

It is also equipped to load additional plugins at runtime by running a file on disk previously loaded by the RAT, allowing it to expand its capabilities as needed. Additionally, it is designed to steal credentials from web browsers such as Chrome, Edge, Opera, Brave, Iridium, and Vivaldi.

Infrastructure details suggest that the threat actor behind the campaign has also targeted Brazil and Spain, indicating an expansion of operations.

“There are various connections to Brazil, such as language artifacts in the code and domains targeting Brazilian users,” Kaspersky said. “This is consistent with the fact that attackers from Latin America often target European countries with similar languages, namely Italy, Spain and Portugal.”

New BBTok and Mekotio campaigns target Latin America

The development comes weeks after Trend Micro warned of a surge in campaigns delivering banking trojans such as BBTok, Grandoreiro and Mekotio to the Latin American region through phishing scams that use business and court-related transactions as bait.

Mekotio “uses a new technique in which the Trojan’s PowerShell script is now obfuscated, increasing its ability to evade detection,” the company said, highlighting BBTok’s use of phishing links to download ZIP or ISO files containing LNK files, which act as the trigger point for infection.

The LNK file advances the chain by running a legitimate MSBuild.exe binary that is shipped inside the ISO file. MSBuild then loads a malicious XML project file, also hidden in the ISO, which in turn uses rundll32.exe to launch the BBTok DLL payload.

“Using the legitimate Windows MSBuild.exe utility, attackers can execute their malicious code while avoiding detection,” Trend Micro said.

Attack chains linked to Mekotio begin with a malicious URL in a phishing email that, when clicked, directs the user to a fake website that delivers a ZIP archive containing a batch file crafted to run a PowerShell script.

The PowerShell script acts as a second-stage downloader that launches the Trojan by means of an AutoHotKey script, but not before probing the victim’s environment to confirm that the machine is indeed located in one of the target countries.
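Both chains above (BBTok: LNK → MSBuild.exe from an ISO → rundll32.exe; Mekotio: batch file from a downloaded ZIP → PowerShell) leave a recognisable parent/child trail in process-creation telemetry. The following is an added detection example, not code from the article or from Trend Micro: it runs a few simple rules over constructed Sysmon-style process events. All paths, PIDs and command lines are made up for the demo, and the `-enc` argument is a placeholder string rather than a real encoded script.

```python
import ntpath
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, reduced
# to the fields the rules need). Nothing here is taken from a real incident.
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # BBTok-style chain: an LNK on a mounted ISO (E:) runs the MSBuild.exe copy
    # shipped in the ISO, which builds a malicious XML project and spawns rundll32.
    {"pid": 2, "ppid": 1, "image": r"E:\MSBuild.exe",
     "cmdline": r"E:\MSBuild.exe E:\Fatura\Fatura.xml"},
    {"pid": 3, "ppid": 2, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe E:\Fatura\Fatura.dll,Start"},
    # Mekotio-style chain: a batch file from a downloaded ZIP launches hidden,
    # encoded PowerShell (the encoded argument is a placeholder).
    {"pid": 4, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\mario\Downloads\Comprovante\Comprovante.bat"'},
    {"pid": 5, "ppid": 4, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc UExBQ0VIT0xERVI="},
    # Benign developer activity: MSBuild from its normal install path spawning the compiler.
    {"pid": 6, "ppid": 1, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj"},
    {"pid": 7, "ppid": 6, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": "csc.exe /noconfig @app.rsp"},
]

# Directories from which MSBuild.exe is expected to run (Visual Studio and the
# .NET Framework install). Anything else, such as a mounted ISO, is suspicious.
TRUSTED_MSBUILD_DIRS = (
    "c:\\windows\\microsoft.net\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Path fragments typical of user-writable locations where phishing payloads land.
USER_WRITABLE_HINTS = ("\\downloads\\", "\\temp\\", "\\appdata\\", "\\desktop\\")

# PowerShell accepts abbreviated switch names, so match -e, -ec, -enc and
# -encodedcommand but not unrelated switches such as -ep.
ENCODED_PS = re.compile(r"\s-e(c|nc|ncodedcommand)?\s", re.I)
HIDDEN_PS = re.compile(r"-w(indowstyle)?\s+hidden", re.I)


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events: list) -> list:
    """Return (pid, rule_name) tuples for events matching the lolbin/phishing rules."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = _name(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = _name(parent["image"]) if parent else ""

        # Rule 1: MSBuild.exe running from outside its install locations.
        if name == "msbuild.exe" and not e["image"].lower().startswith(TRUSTED_MSBUILD_DIRS):
            alerts.append((e["pid"], "msbuild_from_untrusted_path"))

        # Rule 2: MSBuild.exe spawning rundll32.exe (a build never needs this).
        if name == "rundll32.exe" and pname == "msbuild.exe":
            alerts.append((e["pid"], "msbuild_spawned_rundll32"))

        if name == "powershell.exe":
            # Rule 3: hidden window or encoded command line.
            if ENCODED_PS.search(e["cmdline"]) or HIDDEN_PS.search(e["cmdline"]):
                alerts.append((e["pid"], "powershell_hidden_or_encoded"))
            # Rule 4: launched by cmd.exe running a .bat from a user-writable directory.
            if pname == "cmd.exe":
                pcl = parent["cmdline"].lower()
                if ".bat" in pcl and any(h in pcl for h in USER_WRITABLE_HINTS):
                    alerts.append((e["pid"], "batch_in_user_dir_launched_powershell"))
    return alerts


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The benign MSBuild/csc pair (pids 6 and 7) is included on purpose: rule 1 keys on the binary's location and rule 2 on an unexpected child, so a normal build triggers neither. In production the trusted-directory list would come from the software inventory, and rule 3 should be tuned, since some legitimate management tooling also runs hidden PowerShell.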

“More sophisticated phishing scams targeting Latin American users to steal sensitive banking credentials and conduct unauthorized banking transactions highlight the urgent need to strengthen cybersecurity measures against the increasingly advanced techniques used by cybercriminals,” Trend Micro researchers said.

“These Trojans are becoming more adept at evading detection and stealing sensitive information, while the gangs behind them are becoming bolder in targeting larger groups for greater profits.”
