A sophisticated malware campaign exclusively targeting Italian users has been discovered by Kaspersky’s Global Research and Analysis Team (GReAT). The campaign involves the distribution of a new Remote Access Trojan (RAT) —dubbed SambaSpy by the researchers— featuring capabilities such as file system management, webcam control, password theft and remote desktop management.
Unlike most malware attacks that cast a wide net across multiple countries and languages, the SambaSpy campaign stands out for its precise targeting. The malware has been engineered to infect only users whose systems are set to Italian, ensuring the maximum likelihood of success in this region. According to Kaspersky’s telemetry, this campaign began in May 2024 and shows no signs of slowing down.
“We were surprised by the narrow targeting of this attack,” comments Giampaolo Dedola, senior cybersecurity researcher at Kaspersky’s GReAT. “Typically, cybercriminals aim to infect as many users as possible, but SambaSpy’s infection chain includes specific checks to ensure that only Italian users are affected.”
Kaspersky identified two slightly different infection chains used in the campaign. One particularly elaborate infection method begins with a phishing email, appearing to come from a legitimate Italian real estate company. The email prompts users to view an invoice by clicking an embedded link. This link redirects users to a legitimate Italian cloud service used for managing invoices.
However, certain users are instead redirected to a malicious web server, where the malware validates browser and language settings. If the user is running Edge, Firefox, or Chrome with Italian language settings, they are directed to a malicious OneDrive URL containing a harmful PDF. This initiates the download of either a dropper or downloader, which both eventually deliver the SambaSpy RAT.
SambaSpy is a fully-featured RAT written in Java and obfuscated using Zelix KlassMaster. This advanced malware can perform a range of malicious activities, including:
- File system and process management
- Webcam control
- Keystroke logging and clipboard manipulation
- Remote desktop management
- Password theft from major browsers like Chrome, Edge, and Opera
- The uploading and downloading of files
- The ability to load additional plugins at runtime
SambaSpy’s plugin-loading mechanism and use of libraries like JNativeHook demonstrate the level of sophistication employed by the attackers.
Though the primary target is Italian users, Kaspersky researchers have identified strong links to Brazil. Comments and error messages within the malicious code are written in Brazilian Portuguese, suggesting that the threat actor behind the attacks could be Brazilian. Furthermore, the infrastructure used in the campaign has been linked to other attacks in Brazil and Spain, although the infection tools in these regions differ slightly from those used in Italy.
More information on rising cyberthreats will be unveiled at the upcoming Security Analyst Summit (SAS), taking place on October 22 – 25. Make sure to secure your spot to learn about the latest trends of the threat landscape.
Please read the full report on SambaSpy on Securelist.
To maximize your organization’s security, Kaspersky recommends:
- Do not expose remote desktop services, such as RDP, to public networks unless absolutely necessary, and always use strong passwords.
- Make sure your commercial VPN and other server-side software solutions are always up to date, as exploitation of this type of software is a common ransomware infection vector. Always keep client-side applications up to date.
- Focus your defense strategy on detecting lateral movements and data exfiltration to the internet. Pay special attention to outgoing traffic to detect cybercriminal connections. Back up data regularly. Make sure you can quickly access it in an emergency. Use the latest Threat Intelligenceinformation to stay up to date on the latest TTPs used by threat actors.
- Use Managed Detection and Responseservices to help identify and stop an attack in the early stages, before the attackers achieve their ultimate goals.
- To protect the corporate environment, educate your employees. Dedicated training courses can help, such as those provided in the Kaspersky Automated Security Awareness Platform.
- Use complex security solutions, combining endpoint protection and automated incident response features, such as Kaspersky NEXT.