Researchers have uncovered a sophisticated cybercrime campaign targeting Italian victims with a new remote access Trojan (RAT) named SambaSpy, which was distributed through weaponized PDF files in May 2024. This campaign, unlike traditional cyber attacks aimed at broader targets, concentrated solely on Italian users, demonstrating a unique strategy by the attackers.
The attackers initiated the attack with spearphishing emails to Italian users that presented a fake invoice from a legitimate Italian real estate company. After clicking a malicious link in the email, users were redirected to a website posing as a legitimate invoice storage platform. From there, users of Edge, Firefox, or Chrome were sent on to a malicious OneDrive URL, which ultimately led them to a malicious JAR file hosted on MediaFire.
The distribution of malware was executed through a two-stage delivery process, where the initial downloader conducted checks to ensure the system locale was Italian and that it was not running in a virtualized environment. If these checks were successful, the final payload, likely another malicious executable, was retrieved and executed.
Furthermore, the embedded dropper within the downloader also performed similar checks and delivered the final payload independently, eliminating the need for additional network communication and enhancing the stealth of the malware.
SambaSpy, the Java-based RAT, was protected with the Zelix KlassMaster obfuscator, which scrambles its strings, class names, and method names and makes the sample considerably harder to analyze and detect. The RAT offered an extensive range of features, including file system and process management, file transfers, webcam control, keylogging, clipboard manipulation, screenshot capture, remote desktop control, password theft, plugin loading, remote shell execution, and direct interaction with the victim.
The RAT's plugin mechanism relied on URLClassLoader to load classes from downloaded files and from newly added URLs. For keylogging it used the JNativeHook library to capture keystrokes and send them to its command-and-control server, and it used Java's Abstract Window Toolkit (AWT) to read or overwrite the clipboard.
SambaSpy could also extract credentials from several web browsers, including Chrome, Edge, Opera, Brave, Iridium, and Vivaldi. Its remote control feature used the AWT Robot class to simulate mouse and keyboard input and the GraphicsDevice class to stream a view of the victim's screen to the attacker.
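The JDK classes named above (Robot, GraphicsDevice, URLClassLoader, the AWT clipboard) give a defender something an obfuscator cannot hide: Zelix KlassMaster renames the malware's own classes and strings, but references to JDK classes stay as they are in each class file. The following Python triage script is an added example, not code from the original report or from the SambaSpy sample; it scans every class in a JAR for those references, maps them to the capabilities described above, and builds a constructed sample JAR (not a real malware sample) to run against.

```python
import io
import zipfile

# JDK references a Java RAT with the capabilities described above has to keep in
# its class files; an obfuscator renames the malware's own classes and strings,
# but JDK class names cannot be renamed (bundled library names such as
# org/jnativehook may or may not survive obfuscation).
CAPABILITY_MARKERS = {
    "remote_desktop": (b"java/awt/Robot", b"java/awt/GraphicsDevice"),
    "keylogging": (b"org/jnativehook/",),
    "clipboard": (b"java/awt/datatransfer/Clipboard",),
    "plugin_loading": (b"java/net/URLClassLoader",),
    "locale_check": (b"java/util/Locale",),
}
# Combination that justifies a deeper look (an analyst heuristic, not a signature).
RAT_PROFILE = {"remote_desktop", "keylogging", "plugin_loading"}
CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def scan_jar(jar_bytes: bytes) -> dict:
    """Map each capability to the .class entries whose bytes reference its markers."""
    hits = {name: [] for name in CAPABILITY_MARKERS}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in (n for n in jar.namelist() if n.endswith(".class")):
            body = jar.read(entry)
            if not body.startswith(CLASS_MAGIC):  # skip junk that only has a .class name
                continue
            for capability, markers in CAPABILITY_MARKERS.items():
                if any(marker in body for marker in markers):
                    hits[capability].append(entry)
    return hits


def triage(jar_bytes: bytes) -> dict:
    hits = scan_jar(jar_bytes)
    present = {cap for cap, entries in hits.items() if entries}
    return {"hits": hits, "capabilities": sorted(present), "rat_profile": RAT_PROFILE <= present}


def build_sample_jar() -> bytes:
    """Constructed sample JAR (not SambaSpy): obfuscator-style names, JDK references in the bodies."""
    fake_classes = {
        "a/a.class": CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x01java/awt/Robot\x01java/awt/GraphicsDevice",
        "a/b.class": CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x01org/jnativehook/GlobalScreen",
        "a/c.class": CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x01java/net/URLClassLoader\x01java/util/Locale",
        "a/d.class": b"not a class file at all",  # ignored by the magic check
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: a.a\n")
        for name, body in fake_classes.items():
            jar.writestr(name, body)
    return buf.getvalue()
```

Run it against a suspicious JAR with `triage(open(path, "rb").read())`; a hit on the full profile is a reason to escalate the sample, not a verdict on its own.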
Although the identity of the threat actor behind this campaign remains unknown, linguistic analysis suggests the individual may be a Brazilian Portuguese speaker. While initially focused on Italian targets, the attacker has since expanded to Spain and Brazil. The use of multiple domains to manage and distribute different variants of the downloader points to a well-organized and persistent threat actor.
In conclusion, the targeted cyberattack against Italian users highlights the evolving tactics and techniques employed by cybercriminals to evade detection and compromise victims. It is crucial for organizations and users to stay vigilant and adopt robust cybersecurity measures to mitigate the risks posed by such sophisticated threats.