Phishing scam delivers SambaSpy malware to Italian systems

September 23, 2024

A new malware strain named SambaSpy has been discovered, exclusively targeting Italian users through a phishing campaign orchestrated by a suspected Brazilian Portuguese-speaking threat actor. Unlike many cybercriminals who cast a wide net to target multiple countries, this campaign is specifically focusing on Italy, suggesting a test phase before the operation potentially expands to other regions.

The attack begins with phishing emails containing either an HTML attachment or a link that triggers the infection. If the HTML attachment is opened, a ZIP archive is downloaded, which contains either a downloader or a dropper. These tools are then used to deploy a multi-functional Remote Access Trojan (RAT). For phishing emails with embedded links, clicking the link may lead to a legitimate website if the recipient is not the intended target. However, if certain conditions are met, such as the user running Edge, Firefox, or Chrome in Italian, the victim is redirected to a malicious website.

Once redirected, the victim is prompted to download a PDF hosted on Microsoft OneDrive, which contains a malicious link. Clicking this link downloads a JAR file hosted on MediaFire, which carries either the downloader or dropper to initiate the RAT deployment.
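The two-stage delivery described above (a PDF fetched from OneDrive, followed shortly by a JAR fetched from MediaFire) is a sequence a defender can hunt for in web proxy logs. The following is an added example, not code from the article or from any vendor: it assumes a constructed, space-separated proxy log format (timestamp, client IP, method, URL, response content type) with lines in time order, and the URLs and file names in the sample are placeholders, not real indicators.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log for the demo (placeholder URLs, not real IoCs).
SAMPLE_LOG = """\
2024-09-16T10:02:11Z 10.0.0.12 GET https://onedrive.live.com/download?resid=PLACEHOLDER1 application/pdf
2024-09-16T10:03:40Z 10.0.0.12 GET https://www.mediafire.com/file/PLACEHOLDER2/document.jar application/java-archive
2024-09-16T10:05:00Z 10.0.0.30 GET https://www.mediafire.com/file/PLACEHOLDER3/photos.zip application/zip
2024-09-16T11:20:00Z 10.0.0.44 GET https://onedrive.live.com/download?resid=PLACEHOLDER4 application/pdf
2024-09-16T11:58:00Z 10.0.0.44 GET https://www.mediafire.com/file/PLACEHOLDER5/tool.jar application/java-archive
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_line(line):
    """Return (time, client, url, content_type), or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, ctype = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, url, ctype

def host_is(url, domain):
    """True if the URL's host is `domain` or a subdomain of it (not a look-alike)."""
    host = urlparse(url).hostname or ""
    return host == domain or host.endswith("." + domain)

def is_onedrive_pdf(url, ctype):
    return host_is(url, "onedrive.live.com") and ctype == "application/pdf"

def is_mediafire_jar(url, ctype):
    path = urlparse(url).path.lower()
    return host_is(url, "mediafire.com") and (
        path.endswith(".jar") or ctype == "application/java-archive")

def find_chains(log_text, window_minutes=30):
    """Return (client, pdf_time, jar_time, jar_url) for each client that fetched a
    OneDrive PDF and then a MediaFire JAR within `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    last_pdf = {}   # client -> time of the most recent OneDrive PDF fetch
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue            # skip malformed lines rather than crash the hunt
        t, client, url, ctype = rec
        if is_onedrive_pdf(url, ctype):
            last_pdf[client] = t
        elif is_mediafire_jar(url, ctype):
            seen = last_pdf.get(client)
            if seen is not None and timedelta(0) <= t - seen <= window:
                hits.append((client, seen, t, url))
    return hits
```

With the default 30-minute window only 10.0.0.12 is flagged; widening the window to 60 minutes also catches the slower sequence from 10.0.0.44, so the window is a tuning knob between missed chains and noise.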


SambaSpy, a Java-based RAT, comes equipped with a wide array of features, earning it the label of a “Swiss Army knife” malware.


The malware’s capabilities include file system management, process monitoring, remote desktop control, file transfers, webcam spying, keylogging, clipboard tracking, screenshot capture, and remote shell execution. Additionally, the malware is designed to load extra plugins at runtime, enhancing its functionalities. It can also steal sensitive credentials from web browsers like Chrome, Edge, Brave, and Vivaldi.

There are indications that the attackers may be expanding their operation to target users in Brazil and Spain. Infrastructure evidence points to domains aimed at Brazilian users, and language artefacts in the malware code support this hypothesis.

This attack highlights a growing trend of highly targeted phishing campaigns. Recent activity has shown similar malware strains like BBTok and Mekotio, which have been targeting users in Latin America. These phishing campaigns deliver banking trojans using sophisticated techniques to evade detection and steal sensitive data.

Security experts stress the importance of enhanced security measures, particularly as cybercriminals continue to evolve their tactics, targeting larger groups and using advanced methods to achieve their goals.
