SambaSpy Malware Campaign Targets Italian Users with Precision
On September 18, 2024, the Global Research & Analysis Team (GReAT) released a report on a highly targeted malware campaign, first identified in May 2024, aimed exclusively at Italian users. Unlike typical cybercriminal efforts, which often cast a wide net across multiple countries to maximize profits, this campaign stood out due to its deliberate focus on Italy, with the attackers going to great lengths to ensure that only Italian systems were infected. The campaign, delivering a Remote Access Trojan (RAT) dubbed SambaSpy, highlights a new trend in precision-targeted cybercrime, adding a notable element of sophistication.
Introduction
Investigations revealed two variations of the infection chain, but the more elaborate second variant involved the use of phishing emails crafted to appear as though they originated from a legitimate Italian real estate company. These emails, written in Italian, directed recipients to click on a link to view an invoice. This link redirected victims to FattureInCloud, a legitimate Italian service used for managing digital invoices. However, users with their browser language set to Italian were then redirected to a malicious server running on the ngrok platform, leading them down the path of infection.
The malware's design was methodical, ensuring that only Italian systems were compromised by performing multiple checks. It first verified the user's browser language and browser type, with the infection proceeding only if conditions were met (i.e., if the user was running Edge, Chrome, or Firefox with their language set to Italian). Users who met the criteria were then taken to a OneDrive-hosted PDF document, which contained a malicious link leading to a JAR file hosted on MediaFire.
This JAR file, which served as a downloader or dropper, executed additional checks to ensure it was running on an Italian system before downloading the final payload — SambaSpy.
Report Overview
SambaSpy, written in Java and obfuscated using the Zelix KlassMaster protector, is a full-featured RAT capable of performing a wide range of malicious activities. Key functionalities include:
- File system and process management
- Webcam control and screenshot capturing
- Keystroke logging
- Password theft from major browsers (Chrome, Edge, Opera, Brave, and others)
- Remote desktop control
SambaSpy also includes a plugin-loading mechanism, allowing the RAT to extend its capabilities by downloading additional malware or tools as needed. The RAT’s focus on hiding its operations through advanced obfuscation techniques makes it challenging for security tools to detect and analyze.
While the precise identity of the threat actors behind this campaign remains unknown, several indicators point to a Brazilian-Portuguese-speaking group. Comments and error messages within the malware were written in Brazilian Portuguese, and there is evidence that the attackers have launched similar campaigns targeting users in Brazil and Spain.
Interestingly, this campaign relied heavily on repurposing legitimate resources, such as the FattureInCloud service and the brand of the Italian real estate company. Over a dozen malicious domains were registered by the attackers, mimicking the legitimate company’s domain name to lend credibility to their phishing emails.
Insights and Analysis
This campaign highlights the increasing sophistication of modern cybercriminals, particularly in their ability to craft malware that targets victims based on specific geographic and language criteria. The Italian focus is particularly noteworthy, as the attackers tailored their phishing emails, redirections, and malware checks to ensure that only Italian users were affected.
Preventative Measures:
- User Awareness: Organizations should raise awareness about the specific tactics used in this campaign, such as phishing emails and legitimate-looking redirections.
- Language-Specific Threat Detection: Security solutions should be configured to monitor for suspicious activity based on language settings, particularly for users in targeted regions.
- Patch and Update Systems: Regularly updating software and using security patches can prevent many vulnerabilities from being exploited by attackers.
- Reviewing Suspicious Links: Users should be encouraged to review URLs carefully, especially when dealing with invoices or documents from unfamiliar sources.
This campaign serves as a reminder of the need for region-specific defenses and the growing importance of detecting geographically targeted cyberattacks. Staying informed about these emerging trends is critical in protecting individuals and organizations from sophisticated threats like SambaSpy.
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| e6be6bc2f8e27631a7bfd2e3f06494aa | File Hash | Malicious PDF file |
| 1ec21bd711b491ad47d5c2ef71ff1a10 | File Hash | Downloader associated with SambaSpy campaign |
| d153006e00884edf7d48b9fe05d83cb4 | File Hash | Dropper used in the infection chain |
| 0f3b46d496bbf47e8a2485f794132b48 | File Hash | SambaSpy RAT |
| hxxps://1drv[.]ms/b/s!AnMKZoF8QfODa92x201yr0GDysk?e=ZnX3Rm | URL | Malicious OneDrive URL hosting the PDF |
| belliniepecuniaimmobili[.]com | Domain Name | Domain used to distribute malware |
| immobilibelliniepecunia[.]xyz | Domain Name | Domain used to distribute malware |
| immobilibelliniepecunia[.]online | Domain Name | Domain used to distribute malware |
| bpecuniaimmobili[.]info | Domain Name | Domain used to distribute malware |
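As an added example (not code from the report or from GReAT), the Python script below turns the defanged indicators in the table above back into matchable values and runs them over constructed web-proxy records, flagging exact IOC hits (lookalike domain, OneDrive URL, file hash) and, separately, how far each user's traffic got through the lure -> ngrok -> OneDrive PDF -> MediaFire JAR sequence described in the introduction. The log format, user names, and the concrete FattureInCloud, ngrok and MediaFire hostnames are assumptions; the report names the services, not the exact hosts.

```python
"""Hunt for SambaSpy IOCs and the reported delivery chain in web-proxy logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Indicators copied from the report's IOC table, in the defanged form it was published in.
DEFANGED_DOMAINS = [
    "belliniepecuniaimmobili[.]com",
    "immobilibelliniepecunia[.]xyz",
    "immobilibelliniepecunia[.]online",
    "bpecuniaimmobili[.]info",
]
DEFANGED_URL = "hxxps://1drv[.]ms/b/s!AnMKZoF8QfODa92x201yr0GDysk?e=ZnX3Rm"
FILE_HASHES = {
    "e6be6bc2f8e27631a7bfd2e3f06494aa": "Malicious PDF file",
    "1ec21bd711b491ad47d5c2ef71ff1a10": "Downloader associated with SambaSpy campaign",
    "d153006e00884edf7d48b9fe05d83cb4": "Dropper used in the infection chain",
    "0f3b46d496bbf47e8a2485f794132b48": "SambaSpy RAT",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('hxxps', '[.]') back into a value that matches real log data."""
    return ioc.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_URL = refang(DEFANGED_URL)

# The four delivery stages the report describes, as (name, host/path predicate). The hostnames
# for FattureInCloud, ngrok and MediaFire are assumptions: the report names only the services.
STAGES = [
    ("fattureincloud lure", lambda host, path: host.endswith("fattureincloud.it")),
    ("ngrok redirect", lambda host, path: host.endswith((".ngrok-free.app", ".ngrok.io", ".ngrok.app"))),
    ("onedrive pdf", lambda host, path: host == "1drv.ms"),
    ("mediafire jar", lambda host, path: host.endswith("mediafire.com") and path.lower().endswith(".jar")),
]


@dataclass
class Event:
    ts: str
    user: str
    url: str
    host: str
    path: str
    status: int
    referrer: str
    italian_browser: bool          # Accept-Language starts with "it": the gate the attackers checked
    md5: Optional[str]             # hash of a downloaded file, if the proxy recorded one


def parse_line(line: str) -> Optional[Event]:
    """Parse one constructed proxy record: ts user url status referrer accept-language md5 ('-' = absent)."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, user, url, status, referrer, lang, md5 = parts
    parsed = urlparse(url)
    return Event(ts, user, url, (parsed.hostname or "").lower(), parsed.path, int(status),
                 referrer, lang.lower().startswith("it"), None if md5 == "-" else md5.lower())


def ioc_hits(events):
    """Exact matches against the published indicators: domain, full URL and file hash."""
    hits = []
    for e in events:
        if e.host in IOC_DOMAINS:
            hits.append((e.user, "domain", e.host))
        if e.url == IOC_URL:
            hits.append((e.user, "url", e.url))
        if e.md5 in FILE_HASHES:
            hits.append((e.user, "hash", e.md5))
    return hits


def chain_progress(events):
    """Per user, the stages of the lure -> ngrok -> OneDrive -> MediaFire JAR sequence reached, in order."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):    # ISO timestamps sort lexicographically
        by_user[e.user].append(e)
    progress = {}
    for user, evs in by_user.items():
        reached, stage = [], 0
        for e in evs:
            if stage < len(STAGES) and STAGES[stage][1](e.host, e.path):
                reached.append(STAGES[stage][0])
                stage += 1
        progress[user] = reached
    return progress


# Constructed sample traffic: one Italian-language browser walks the whole chain, one English-language
# browser opens a legitimate invoice, one user browses to a lookalike domain from the IOC table.
SAMPLE_LOG = """\
2024-05-14T10:02:11Z mrossi https://www.fattureincloud.it/view/inv-0001 200 - it-IT,it;q=0.9 -
2024-05-14T10:02:13Z mrossi https://a1b2c3.ngrok-free.app/landing 200 https://www.fattureincloud.it/ it-IT,it;q=0.9 -
2024-05-14T10:02:20Z mrossi https://1drv.ms/b/s!AnMKZoF8QfODa92x201yr0GDysk?e=ZnX3Rm 200 https://a1b2c3.ngrok-free.app/ it-IT,it;q=0.9 e6be6bc2f8e27631a7bfd2e3f06494aa
2024-05-14T10:03:02Z mrossi https://download1234.mediafire.com/x/Fattura.jar 200 https://1drv.ms/ it-IT,it;q=0.9 1ec21bd711b491ad47d5c2ef71ff1a10
2024-05-14T10:05:40Z jdoe https://www.fattureincloud.it/view/inv-0002 200 - en-US,en;q=0.8 -
2024-05-14T10:06:01Z jdoe https://www.fattureincloud.it/download/inv-0002.pdf 200 - en-US,en;q=0.8 00000000000000000000000000000000
2024-05-14T11:15:09Z lbianchi https://immobilibelliniepecunia.xyz/fattura 200 - it-IT,it;q=0.9 -
"""


def analyse(text: str):
    """Return (ioc_hits, chain_progress) for a block of proxy log text."""
    events = [e for e in (parse_line(line) for line in text.splitlines()) if e]
    return ioc_hits(events), chain_progress(events)


if __name__ == "__main__":
    hits, progress = analyse(SAMPLE_LOG)
    for user, stages in progress.items():
        verdict = ("likely infected" if len(stages) == len(STAGES)
                   else "suspicious" if len(stages) >= 2 else "no chain")
        print(f"{user}: {verdict} ({' -> '.join(stages) or '-'})")
    for user, kind, value in hits:
        print(f"IOC hit for {user}: {kind} {value}")
```

The chain check is kept separate from the IOC check on purpose: the hashes and domains will go stale as the attackers rotate infrastructure, whereas a FattureInCloud visit followed within the same session by an ngrok host and then a `.jar` download from a file-sharing service is the behavioural pattern the report describes and survives infrastructure changes. A legitimate FattureInCloud user (jdoe above) never advances past the first stage.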
MITRE ATT&CK TTPs
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 | Attackers used phishing emails with malicious links to gain access |
| Execution | User Execution: Malicious File | T1204.002 | The campaign relied on users clicking malicious links to trigger infection |
| Defense Evasion | Obfuscated Files or Information | T1027 | SambaSpy was obfuscated using Zelix KlassMaster to avoid detection |
| Collection | Input Capture: Keylogging | T1056.001 | SambaSpy logged keystrokes using the JNativeHook library |
| Collection | Clipboard Data | T1115 | SambaSpy stole clipboard data |
| Credential Access | Credentials from Web Browsers | T1555.003 | SambaSpy stole credentials from major browsers |
| Command and Control | Application Layer Protocol | T1071.001 | Communication with Command and Control (C2) via HTTP-based protocols |
| Remote Control | Remote Desktop Protocol | T1021.001 | SambaSpy used custom remote desktop control to manage victim systems |