New Brazilian-Linked SambaSpy Malware Targets Italian Users via Phishing Emails

A previously unreported malware strain named SambaSpy is specifically targeting victims in Italy via a phishing campaign run by a suspected Brazilian Portuguese-speaking threat actor.

"Threat actors usually try to cast a wide net to maximize their profits, but these attackers are focused on just one country," Kaspersky stated in a new report. "It's likely that the attackers are testing the waters with Italian users before expanding their operation to other countries."

The starting point of the attack is a phishing email that either contains an HTML attachment or an embedded link that kicks off the infection process. If the HTML attachment is opened, a ZIP archive containing an intermediate downloader or dropper is used to deliver and launch the multi-functional RAT payload.

The downloader, for its part, is responsible for retrieving the malware from a remote server. The dropper accomplishes the same goal, but extracts the payload from the archive itself instead of fetching it from an external site.

The second infection chain, the one with the booby-trapped link, is considerably more convoluted: clicking it leads the user to a legitimate invoice hosted on FattureInCloud if they are not the intended target.

In an alternative scenario, clicking on the same URL brings the user to a malicious web server that provides an HTML page with JavaScript code displaying comments written in Brazilian Portuguese.

"It redirects users to a malicious OneDrive URL but only if they are running Edge, Firefox, or Chrome with their language set to Italian," the Russian cybersecurity provider claimed. "If the users don't pass these checks, they stay on the page."

Users who pass these checks are served a PDF document hosted on Microsoft OneDrive that urges them to click a hyperlink to view the document, after which they are redirected to a malicious JAR file hosted on MediaFire containing either the downloader or the dropper described above.

A fully-featured remote access trojan developed in Java, SambaSpy is nothing short of a Swiss Army knife that can handle file system management, process management, remote desktop management, file upload/download, webcam control, keylogging and clipboard tracking, screenshot capture, and remote shell.

It's also equipped to load more plugins at runtime by opening a file on the disk previously downloaded by the RAT, enabling it to enhance its capabilities as required. On top of that, it's meant to steal credentials from web browsers including Chrome, Edge, Opera, Brave, Iridium, and Vivaldi.

Infrastructure data reveals that the threat actor behind the campaign is now setting their sights on Brazil and Spain, hinting at a potential expansion of operations.

"There are various connections with Brazil, such as language artifacts in the code and domains targeting Brazilian users," Kaspersky added. "This aligns with the fact that attackers from Latin America often target European countries with closely related languages, namely Italy, Spain, and Portugal."

New BBTok and Mekotio Campaigns Target Latin America

The finding comes weeks after Trend Micro warned of an increase in campaigns delivering banking trojans such as BBTok, Grandoreiro, and Mekotio to the Latin American region via phishing schemes that use corporate transactions and judicial proceedings as lures.

Mekotio "employs a new technique where the trojan's PowerShell script is now obfuscated, enhancing its ability to evade detection," the company said, while also noting BBTok's use of phishing URLs to download ZIP or ISO files containing LNK files that serve as the trigger point for the infection.

The LNK file is used to advance to the next stage by launching the legitimate MSBuild.exe binary, a copy of which is bundled inside the ISO file. MSBuild.exe then loads a malicious XML file, also hidden inside the ISO, which in turn uses rundll32.exe to execute the BBTok DLL payload.

"By using the legitimate Windows utility MSBuild.exe, attackers can execute their malicious code while evading detection," Trend Micro stated.

The attack chains linked to Mekotio start with a malicious URL in the phishing email that, when clicked, takes the user to a bogus website serving a ZIP archive, which contains a batch file designed to execute a PowerShell script.

The PowerShell script functions as a second-stage downloader that launches the trojan by way of an AutoHotKey script, but not before performing reconnaissance of the victim environment to confirm that it is indeed located in one of the targeted countries.
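Both the BBTok chain (LNK launching a copied MSBuild.exe from the ISO, which then uses rundll32.exe) and the Mekotio chain (batch file, then PowerShell, then AutoHotKey) leave a recognisable parent/child process trail on the endpoint. The following Python is an added example of process-creation triage written for this article; it is not code from Trend Micro or from either malware family. The event records are constructed in a Sysmon-like shape (image path, parent, command line), and every path, PID and file name in them is made up. The list of "expected" MSBuild.exe install locations is an assumption about a typical Windows plus Visual Studio layout and should be adjusted to the estate being monitored.

```python
"""Process-tree triage for the MSBuild/rundll32 and cmd/PowerShell/AutoHotkey chains.

Added example for illustration only. Event records below are constructed
(Sysmon-style: PID, parent PID, image path, command line); no real telemetry.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process
    cmdline: str  # command line as recorded by the sensor


# Assumption: where a legitimate MSBuild.exe normally lives on a workstation.
# A copy executed from an ISO mount (e.g. E:\) will not match any of these.
LEGIT_MSBUILD_PREFIXES = (
    r"c:\windows\microsoft.net\framework",
    r"c:\program files\microsoft visual studio",
    r"c:\program files (x86)\microsoft visual studio",
)


def _name(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[ProcEvent]) -> List[str]:
    """Walk the process events and return one finding string per suspicious pattern."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[str] = []
    for e in events:
        name = _name(e.image)
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        pname = _name(parent.image) if parent else ""

        # 1. MSBuild.exe running from outside its install locations: the BBTok
        #    chain executes a copy of the binary shipped inside the ISO.
        if name == "msbuild.exe" and not e.image.lower().startswith(LEGIT_MSBUILD_PREFIXES):
            findings.append(f"pid {e.pid}: MSBuild.exe launched from non-standard path {e.image}")

        # 2. rundll32.exe as a child of MSBuild.exe: a build has no reason to
        #    hand a DLL to rundll32, but the malicious XML project does exactly that.
        if name == "rundll32.exe" and pname == "msbuild.exe":
            findings.append(f"pid {e.pid}: rundll32.exe spawned by MSBuild.exe ({e.cmdline})")

        # 3. cmd.exe running a .bat -> powershell.exe -> AutoHotkey.exe: the
        #    Mekotio chain, where the PowerShell stage launches the AHK loader.
        if name == "autohotkey.exe" and pname == "powershell.exe" and parent is not None:
            grandparent = by_pid.get(parent.ppid)
            if (grandparent is not None and _name(grandparent.image) == "cmd.exe"
                    and ".bat" in grandparent.cmdline.lower()):
                findings.append(f"pid {e.pid}: AutoHotkey.exe launched via cmd.exe (.bat) -> powershell.exe")
    return findings


# Constructed sample telemetry: two malicious chains and one benign developer build.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # BBTok-style: LNK on the mounted ISO (E:) starts the copied MSBuild.exe,
    # which processes an XML project from the same mount and spawns rundll32.
    ProcEvent(200, 100, r"E:\MSBuild.exe", r"E:\MSBuild.exe E:\invoice.xml"),
    ProcEvent(300, 200, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe E:\payload.dll,EntryPoint"),
    # Mekotio-style: batch file from the extracted ZIP runs PowerShell, which runs AutoHotkey.
    ProcEvent(400, 100, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\u\Downloads\factura\run.bat"'),
    ProcEvent(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -w hidden -f stage2.ps1"),
    ProcEvent(600, 500, r"C:\Users\u\AppData\Local\Temp\AutoHotkey.exe", "AutoHotkey.exe loader.ahk"),
    # Benign: a developer build from the Visual Studio install path, no rundll32 child.
    ProcEvent(700, 100, r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe", "MSBuild.exe app.csproj"),
]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample events, the triage reports the MSBuild.exe copy on the ISO mount, the rundll32.exe it spawns, and the AutoHotkey.exe at the end of the batch/PowerShell chain, while the developer build from the Visual Studio path produces nothing. In a real deployment the same three rules map onto process-creation events (Sysmon Event ID 1 or an EDR equivalent), with the parent lookup done on the sensor's own parent-process fields rather than an in-memory list.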

"More sophisticated phishing scams targeting Latin American users to steal sensitive banking credentials and carry out unauthorized banking transactions underscores the urgent need for enhanced cybersecurity measures against increasingly advanced methods employed by cybercriminals," Trend Micro researchers said.

"These trojans [have] grown increasingly adept at evading detection and stealing sensitive information while the gangs behind them become bolder in targeting larger groups for more profit."
