SambaSpy RAT Aims at Italian Targets in a Focused Phishing Attack

Threat Group: Suspected Brazilian Portuguese-speaking actors
Threat Type: Remote Access Trojan (RAT)
Exploited Vulnerabilities: None publicly listed; the campaign targets Italian users via phishing
Malware Used: SambaSpy (Java-based RAT, obfuscated with Zelix KlassMaster)
Threat Score: High (7.5/10) – Focused and highly targeted campaign with the potential for broader exploitation
Last Threat Observation: September 20, 2024, Kaspersky, SC Media


Overview

SambaSpy is a recently discovered Remote Access Trojan (RAT) that is primarily targeting Italian-speaking users through highly customized phishing campaigns. The malware is designed to infect devices after users interact with seemingly legitimate emails from a real estate company, leading to malicious links and downloads. First identified in May 2024, this campaign is believed to be a testing ground for more widespread attacks as it expands beyond Italy.

Key Details

  • Delivery Method: Phishing emails posing as real estate-related invoices or similar documents.
  • Target: Italian-speaking users; the malware ensures system language and browser settings meet specific criteria before executing.
  • Functions:
    • Remote file system and process control
    • Keylogging
    • Webcam access
    • Credential theft (including browser-stored passwords)
    • Screenshot capture
    • Remote shell access and desktop control
  • Obfuscation: Uses Zelix KlassMaster, making it harder to detect and analyze.

Attack Vectors

The attack begins with a phishing email that contains a link to what appears to be a legitimate invoice. Clicking the link sends the user to a malicious resource hosted on OneDrive or other legitimate-looking platforms. The malware only activates if certain conditions are met, such as the system language being set to Italian and the browser being Chrome, Edge, or Firefox. SambaSpy has two infection methods: a dropper that installs the malware directly, or a downloader that pulls the necessary components from the attacker’s servers.

Known Indicators of Compromise (IoCs)

URLs

  • hxxps://1drv[.]ms/b/s!AnMKZoF8QfODa92x201yr0GDysk?e=ZnX3Rm
  • hxxps://moduloj.lamsnajs[.]site/Modulo32.jpg

Mitigation and Prevention

  1. User Awareness: Train users to recognize phishing attempts, especially unsolicited invoices or documents.
  2. Email Filtering: Implement robust email filtering to block suspicious attachments and URLs.
  3. Antivirus Protection: Ensure that all endpoints are protected by up-to-date antivirus software that can detect and block the SambaSpy RAT.
  4. Two-Factor Authentication (2FA): Use 2FA for critical accounts to prevent unauthorized access.
  5. Monitor Logs: Set up detection rules for unusual file downloads or process executions, particularly around Java-based applications.
  6. Regular Updates: Keep all software, especially browsers and operating systems, up to date with the latest security patches.
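
One way to express the log-monitoring rule from item 5, added here as an example and not taken from the cited reports: it flags Java processes that run a JAR from a user-writable directory or that spawn a command shell. Event fields follow Sysmon process-creation naming (Image, CommandLine, ParentImage); the path and process-name heuristics and the sample events are constructed assumptions.

```python
import re
from ntpath import basename  # Windows path handling on any OS

# Assumed heuristics (not taken from the report): tune to your environment.
USER_WRITABLE = re.compile(
    r"\\(downloads|desktop|appdata\\local\\temp|appdata\\roaming)\\", re.I)
JAVA = {"java.exe", "javaw.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
JAR_ARG = re.compile(r'-jar\s+"?([^"]+?\.jar)"?(?:\s|$)', re.I)

def classify(event):
    """Return the names of the rules that fire for one process-creation event."""
    image = basename(event["Image"]).lower()
    parent = basename(event["ParentImage"]).lower()
    hits = []
    if image in JAVA:
        jar = JAR_ARG.search(event["CommandLine"])
        if jar and USER_WRITABLE.search(jar.group(1)):
            hits.append("java_runs_jar_from_user_writable_dir")
            if parent in BROWSERS:
                hits.append("jar_launched_by_browser")
    if parent in JAVA and image in SHELLS:
        hits.append("java_spawns_command_shell")
    return hits

def scan(events):
    """Return (index, hits) for every event that triggers at least one rule."""
    return [(i, h) for i, h in enumerate(map(classify, events)) if h]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "CommandLine": r'"C:\Program Files\Java\jre\bin\javaw.exe" -jar '
                    r'"C:\Users\utente\Downloads\Fattura.jar"',
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir",
     "ParentImage": r"C:\Program Files\Java\jre\bin\javaw.exe"},
    {"Image": r"C:\Program Files\Java\jre\bin\java.exe",
     "CommandLine": r'java.exe -jar "C:\Program Files\BuildTool\agent.jar"',
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, hits)
```

The third event shows the expected benign case: a service-launched JAR under Program Files triggers nothing, which keeps legitimate Java tooling out of the alert queue.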

Conclusion

The SambaSpy RAT highlights the evolving sophistication of cyber-attacks, particularly through highly targeted phishing campaigns. While its current scope is limited to Italian-speaking users, the underlying techniques suggest potential global spread. Organizations should remain vigilant, enhance their phishing defenses, and adopt security best practices to mitigate this growing threat.


Sources:

  1. SC Media - New SambaSpy malware spread in phishing campaign
  2. Cyclonis - SambaSpy Malware Piggybacks on a Phishing Campaign
  3. Securelist - Exotic SambaSpy is now dancing with Italian users
  4. OTX - SambaSpy Malware Targets Italian Users