A previously undocumented malware called SambaSpy is exclusively targeting users in Italy via a phishing campaign orchestrated by a suspected Brazilian Portuguese-speaking threat actor.
“Threat actors usually try to cast a wide net to maximize their profits, but these attackers are focused on just one country,” Kaspersky said in a new analysis. “It’s likely that the attackers are testing the waters with Italian users before expanding their operation to other countries.”
The starting point of the attack is a phishing email that either includes an HTML attachment or an embedded link that initiates the infection process. Should the HTML attachment be opened, a ZIP archive containing an interim downloader or dropper is used to deploy and launch the multi-functional RAT payload.
The downloader, for its part, is responsible for fetching the malware from a remote server. The dropper, on the other hand, does the same thing, but extracts the payload from the archive instead of retrieving it from an external location.
The second infection chain with the booby-trapped link is a lot more elaborate, as clicking it redirects the user to a legitimate invoice hosted on FattureInCloud if they are not the intended target.
In an alternate scenario, clicking on the same URL takes the victim to a malicious web server that serves an HTML page with JavaScript code featuring comments written in Brazilian Portuguese.
“It redirects users to a malicious OneDrive URL but only if they are running Edge, Firefox, or Chrome with their language set to Italian,” the Russian cybersecurity vendor said. “If the users don’t pass these checks, they stay on the page.”
Users who meet these requirements are served a PDF document hosted on Microsoft OneDrive that instructs them to click a hyperlink to view the document, after which they are led to a malicious JAR file hosted on MediaFire containing either the downloader or the dropper as before.
A fully-featured remote access trojan developed in Java, SambaSpy is nothing short of a Swiss Army knife that can handle file system management, process management, remote desktop management, file upload/download, webcam control, keylogging and clipboard tracking, screenshot capture, and remote shell.
It’s also equipped to load additional plugins at runtime by launching a file on the disk previously downloaded by the RAT, allowing it to augment its capabilities as needed. On top of that, it’s designed to steal credentials from web browsers like Chrome, Edge, Opera, Brave, Iridium, and Vivaldi.
Infrastructure evidence suggests that the threat actor behind the campaign is also setting their sights on Brazil and Spain, pointing to an operational expansion.
“There are various connections with Brazil, such as language artifacts in the code and domains targeting Brazilian users,” Kaspersky said. “This aligns with the fact that attackers from Latin America often target European countries with closely related languages, namely Italy, Spain, and Portugal.”
New BBTok and Mekotio Campaigns Target Latin America
The development comes weeks after Trend Micro warned of a surge in campaigns delivering banking trojans such as BBTok, Grandoreiro, and Mekotio targeting the Latin American region via phishing scams that utilize business transactions and judicial-related transactions as lures.
Mekotio “employs a new technique where the trojan’s PowerShell script is now obfuscated, enhancing its ability to evade detection,” the company said, highlighting BBTok’s use of phishing links to download ZIP or ISO files containing LNK files that act as a trigger point for the infections.
The LNK file is used to advance to the next step by launching the legitimate MSBuild.exe binary, which is present within the ISO file. It subsequently loads a malicious XML file also hidden within the ISO archive, which then leverages rundll32.exe to launch the BBTok DLL payload.
“By using the legitimate Windows utility MSBuild.exe, attackers can execute their malicious code while evading detection,” Trend Micro noted.
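A defender-side check for the MSBuild.exe and rundll32.exe chain described above, added here as an example (it is not Trend Micro's tooling or anything from the campaign): it flags MSBuild.exe launched from outside its install directories with an XML/project file argument, and rundll32.exe whose parent is MSBuild.exe, over constructed Sysmon-style process-creation events. The install-path prefixes and the sample events are assumptions.

```python
# Detection logic for the LNK -> MSBuild.exe -> rundll32.exe chain above.
# Added example, not Trend Micro's tooling; events are constructed Sysmon-like
# process-creation records (image, parent_image, command_line), not real data.
import re
from dataclasses import dataclass

# Assumption: stock MSBuild.exe lives under one of these path prefixes.
LEGIT_MSBUILD_PREFIXES = (
    r"c:\windows\microsoft.net\framework",
    r"c:\program files\microsoft visual studio",
)
PROJECT_FILE_RE = re.compile(r"\.(?:xml|csproj|proj)\b", re.IGNORECASE)

@dataclass
class ProcEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of its parent
    command_line: str

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def suspicious_msbuild(ev: ProcEvent) -> bool:
    """MSBuild.exe outside its install paths (e.g. a mounted ISO) fed an XML/project file."""
    if _basename(ev.image) != "msbuild.exe":
        return False
    legit = ev.image.lower().startswith(LEGIT_MSBUILD_PREFIXES)
    return not legit and bool(PROJECT_FILE_RE.search(ev.command_line))

def suspicious_rundll32_child(ev: ProcEvent) -> bool:
    """rundll32.exe whose parent is MSBuild.exe; a normal build never does this."""
    return (_basename(ev.image) == "rundll32.exe"
            and _basename(ev.parent_image) == "msbuild.exe")

def scan(events: list[ProcEvent]) -> list[str]:
    """One finding string per matching event; empty list means nothing flagged."""
    out = []
    for ev in events:
        if suspicious_msbuild(ev):
            out.append(f"MSBuild outside install path: {ev.command_line}")
        if suspicious_rundll32_child(ev):
            out.append(f"rundll32 spawned by MSBuild: {ev.command_line}")
    return out

# Constructed sample: one benign build, then the BBTok-style chain run from E:\ (mounted ISO).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"C:\Program Files\devenv.exe", r"MSBuild.exe C:\src\app.csproj /t:Build"),
    ProcEvent(r"E:\MSBuild.exe", r"C:\Windows\explorer.exe", r"E:\MSBuild.exe E:\x\build.xml"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"E:\MSBuild.exe",
              r"rundll32.exe C:\Users\Public\stage.dll,Run"),
]
```

Running `scan(SAMPLE_EVENTS)` yields two findings, one per rule, while the benign build from the stock .NET path is left alone.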
The attack chains associated with Mekotio commence with a malicious URL in the phishing email that, when clicked, directs the user to a bogus website that delivers a ZIP archive, which contains a batch file that’s engineered to run a PowerShell script.
The PowerShell script acts as a second-stage downloader that launches the trojan by means of an AutoHotKey script, but not before conducting reconnaissance of the victim environment to confirm it is indeed located in one of the targeted countries.
“More sophisticated phishing scams targeting Latin American users to steal sensitive banking credentials and carry out unauthorized banking transactions underscore the urgent need for enhanced cybersecurity measures against increasingly advanced methods employed by cybercriminals,” Trend Micro researchers said.
“These trojans [have] grown increasingly adept at evading detection and stealing sensitive information while the gangs behind them become bolder in targeting larger groups for more profit.”