A previously undocumented malware called SambaSpy is targeting users in Italy exclusively through a phishing campaign orchestrated by an alleged Brazilian Portuguese-speaking actor.
“Threat actors usually try to cast a wide net to maximize their profits, but these attackers are focused on just one country,” Kaspersky said in a new analysis. “It is likely that the attackers are testing the waters with Italian users before expanding to other countries.”
The starting point of the attack is a phishing email that contains an HTML attachment or an embedded link that initiates the infection process. When the HTML attachment is opened, a ZIP archive containing an intermediate downloader or dropper is used to deploy and run the multi-purpose RAT payload.
The downloader, for its part, is responsible for retrieving the malware from a remote server. A dropper, on the other hand, does the same thing, but extracts the payload from the archive itself instead of fetching it from an external location.
The second infection chain, which starts from the embedded link, is much more complex: clicking it redirects the user to a legitimate invoice hosted on FattureInCloud if they are not the intended target.
In an alternative scenario, clicking the same URL redirects the victim to a malicious web server that serves an HTML page with JavaScript code with comments written in Brazilian Portuguese.
“It redirects users to a malicious OneDrive URL, but only if they are running Edge, Firefox or Chrome with the Italian language,” the Russian cybersecurity vendor said. “If users don’t pass these checks, they stay on the page.”
Eligible users receive a PDF document hosted on Microsoft OneDrive that instructs them to click on a hyperlink to view the document, after which they are directed to a malicious JAR file hosted on MediaFire that contains the downloader or dropper as before.
A full-featured Java-based remote access trojan, SambaSpy is nothing short of a Swiss army knife that can handle file system management, process management, remote desktop management, file upload/download, webcam management, keystroke logging, clipboard tracking, screenshot capture, and remote shell.
It is also equipped to load additional plugins at runtime by running a file on disk previously downloaded by the RAT, allowing it to expand its capabilities as needed. Additionally, it is designed to steal credentials from web browsers such as Chrome, Edge, Opera, Brave, Iridium, and Vivaldi.
Infrastructure evidence suggests that the threat actor behind the campaign has also targeted Brazil and Spain, indicating an expansion of operations.
“There are various connections to Brazil, such as language artifacts in the code and domains targeting Brazilian users,” Kaspersky said. “This is consistent with the fact that attackers from Latin America often target European countries with similar languages, namely Italy, Spain and Portugal.”
New BBTok and Mekotio campaigns focus on Latin America
The development comes weeks after Trend Micro warned of a surge in campaigns delivering banking Trojans such as BBTok, Grandoreiro, and Mekotio targeting the Latin American region with phishing scams that use business and court-related transactions as bait.
Mekotio “uses a new technique in which the Trojan’s PowerShell script is now obfuscated, increasing its ability to evade detection,” the company said, highlighting BBTok’s use of phishing links to download ZIP or ISO files containing LNK files, which act as the trigger point for infection.
The LNK file is used to proceed to the next step by running the legitimate MSBuild.exe binary found in the ISO file. It then loads a malicious XML file, also hidden in the ISO archive, which in turn uses rundll32.exe to launch the BBTok DLL payload.
“Using the legitimate Windows MSBuild.exe utility, attackers can execute their malicious code while avoiding detection,” Trend Micro said.
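As an added example (not code from the Trend Micro or Kaspersky reports), the following Python flags the LNK-to-MSBuild-to-rundll32 pattern described above in process-creation telemetry; the events, paths and file names are constructed for the demo, and the field names only loosely mirror Sysmon Event ID 1.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # LNK double-click from a mounted ISO runs MSBuild against an XML in the image
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r'"MSBuild.exe" E:\Fattura\project.xml'},
    # MSBuild then launches rundll32 to load a DLL from the same image
    {"ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe E:\Fattura\payload.dll,Start"},
    # Benign: Visual Studio building a project under the developer's source tree
    {"ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\dev\source\repos\App\App.csproj /t:Build"},
]

# Parents that indicate an interactive launch (shell/LNK) rather than a build tool
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}
# Children MSBuild has no business spawning during a normal build
SUSPICIOUS_CHILDREN = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}
# First project/XML argument on the MSBuild command line
PROJECT_ARG = re.compile(r'([A-Z]:\\[^\s"]+?\.(?:xml|\w*proj))', re.I)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _untrusted_path(path: str) -> bool:
    # Non-C: drives (mounted ISO/removable media) and download/temp folders are untrusted
    p = path.lower()
    return (not p.startswith("c:\\") or "\\downloads\\" in p
            or "\\appdata\\local\\temp\\" in p)


def analyze(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, reason) pairs for events matching the BBTok-style chain."""
    findings: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        parent, image, cmd = _base(ev["ParentImage"]), _base(ev["Image"]), ev["CommandLine"]
        if image == "msbuild.exe":
            if parent in INTERACTIVE_PARENTS:
                findings.append((i, "msbuild_launched_interactively"))
            m = PROJECT_ARG.search(cmd)
            if m and _untrusted_path(m.group(1)):
                findings.append((i, "msbuild_project_from_untrusted_path"))
        if parent == "msbuild.exe" and image in SUSPICIOUS_CHILDREN:
            findings.append((i, "msbuild_spawned_" + image.split(".")[0]))
    return findings
```

Correlating the two flagged events by process id would turn these per-event hits into a single chain alert; the benign Visual Studio build produces no findings.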
Attack chains linked to Mekotio begin with a malicious URL in a phishing email that, when clicked, directs the user to a fake website that delivers a ZIP archive containing a batch file crafted to run a PowerShell script.
The PowerShell script acts as a second-stage downloader that launches the Trojan via an AutoHotKey script, but not before probing the victim’s environment to confirm that it is indeed located in one of the targeted countries.
“More sophisticated phishing scams targeting Latin American users to steal sensitive banking credentials and conduct unauthorized banking transactions highlight the urgent need to strengthen cybersecurity measures against the increasingly advanced techniques used by cybercriminals,” Trend Micro researchers said.
“These Trojans are becoming more adept at evading detection and stealing sensitive information, while the gangs behind them are becoming bolder in targeting larger groups for greater profits.”