The new RAT, the SambaSpy trojan, is the digital spy of the 21st century

Virus descriptions, 23.09.2024, 11:00 AM

SambaSpy is a RAT, a Trojan that provides attackers with remote access to infected devices, which was first noticed in May of this year when it was used in a campaign that targeted users exclusively in Italy.

SambaSpy is a feature-rich RAT obfuscated with Zelix KlassMaster, which makes detecting and analyzing the malware significantly more difficult. Nevertheless, Kaspersky’s researchers who analyzed SambaSpy found that this new RAT can manage the system and its processes, download and upload files, control the webcam, take screenshots, steal passwords, load plugins, remotely control the infected device, log keystrokes, and more.

Cybercriminals usually try to cast a wide net to make as much money as possible, but those who first used this malware in May were focused on just one country. Researchers assume that the reason for this is the intention of cybercriminals to test the malware on a limited group of users before expanding their “business” to other countries.

Like many other RATs, this one is spread through emails. The attackers used two primary infection chains, both of which involved phishing emails from real estate agencies. A key element in the emails is an invitation to verify the invoice by clicking on a link that redirects users to a website that checks the system language and browser being used. If a potential victim’s operating system is set to a specific language and the victim opens the link in Edge, Firefox, or Chrome, they receive a malicious PDF file that infects the device using a dropper or downloader. The difference between them is minimal: the dropper immediately installs the Trojan, while the downloader first downloads the necessary components from the attacker’s server.

Before starting, both the downloader and the dropper check whether the system is running in a virtual machine and which language the OS uses. If both conditions are met, the device is infected.

Users who do not meet these criteria are redirected to the FattureInCloud website, an Italian cloud solution for storing and managing digital invoices. This allows attackers to target only a specific audience – everyone else is redirected to a legitimate website.
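The gating described above (a malicious PDF for the targeted language and browser, a redirect to a legitimate invoice site for everyone else) is easy to miss when an analyst opens a reported link once from a non-Italian machine. The script below is an added example for this article, not code from the article or from Kaspersky: it fetches the same URL under several browser/language profiles and compares where each profile lands. It assumes the gating site keys on the Accept-Language header and the User-Agent string; the article only says the page checks the system language and browser, and a page that does this client-side in JavaScript would look consistent to this check. The host names and profiles in the code are constructed placeholders.

```python
"""Cloaking check for a link from a suspected phishing email.

Added example for this article; not code from the article or from
Kaspersky. Assumption: the gating page keys on the Accept-Language
header and the User-Agent string (client-side JavaScript checks are
not exercised by this script).
"""
import sys
import urllib.request
from dataclasses import dataclass
from urllib.error import HTTPError, URLError
from urllib.parse import urlparse

# Constructed probe profiles. The User-Agent strings are shortened
# stand-ins; use full, current browser strings in practice.
PROFILES = {
    "it-chrome": {"Accept-Language": "it-IT,it;q=0.9",
                  "User-Agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"},
    "it-edge": {"Accept-Language": "it-IT,it;q=0.9",
                "User-Agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0 Edg/120.0"},
    "en-chrome": {"Accept-Language": "en-US,en;q=0.9",
                  "User-Agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"},
    "it-curl": {"Accept-Language": "it-IT,it;q=0.9",
               "User-Agent": "curl/8.0"},
}


@dataclass
class Landing:
    """Where one profile ended up after following redirects."""
    profile: str
    final_host: str
    content_type: str
    status: int


def fetch_landing(url, profile, headers, timeout=10):
    """Fetch url with the given headers and record the final host, content
    type and status. Failures are recorded as status 0 rather than raised,
    so one dead profile does not abort the comparison."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Landing(profile, urlparse(resp.geturl()).hostname or "",
                           resp.headers.get("Content-Type", ""), resp.status)
    except HTTPError as err:
        # err.filename is the requested URL; err.hdrs holds the response headers
        return Landing(profile, urlparse(err.filename).hostname or "",
                       (err.hdrs or {}).get("Content-Type", ""), err.code)
    except URLError:
        return Landing(profile, "", "", 0)


def is_pdf(landing):
    """True when the server labelled the response as a PDF."""
    return "application/pdf" in landing.content_type.lower()


def classify(landings):
    """Compare landings across profiles.

    Returns (verdict, pdf_profiles):
      "consistent"  - every profile reached the same host and content kind
      "divergent"   - profiles were sent to different places, no PDF seen
      "cloaked-pdf" - some profiles got a PDF while others were sent
                      elsewhere; pdf_profiles lists the ones that got it
    """
    outcomes = {}
    for landing in landings:
        key = (landing.final_host, is_pdf(landing))
        outcomes.setdefault(key, []).append(landing.profile)
    pdf_profiles = sorted(p for (host, pdf), names in outcomes.items()
                          if pdf for p in names)
    if len(outcomes) <= 1:
        return "consistent", []
    if pdf_profiles:
        return "cloaked-pdf", pdf_profiles
    return "divergent", []


def probe(url, profiles=PROFILES):
    """Run every profile against url and classify the combined result."""
    landings = [fetch_landing(url, name, hdrs) for name, hdrs in profiles.items()]
    return classify(landings), landings


if __name__ == "__main__":
    (verdict, pdf_profiles), landings = probe(sys.argv[1])
    for lnd in landings:
        print(f"{lnd.profile:10} {lnd.status:3} {lnd.final_host:30} {lnd.content_type}")
    print("verdict:", verdict, pdf_profiles)
```

A "cloaked-pdf" verdict is the pattern the article describes: the profiles that received the PDF tell you which language and browser combination the campaign is targeting, and the host the other profiles were redirected to is the legitimate decoy. Run the probe from an isolated analysis host, since every profile actually contacts the link.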

Who is behind SambaSpy is currently unclear, but circumstantial evidence suggests that the attackers speak Brazilian Portuguese. It is also known that the same attackers are already expanding their operations to Spain and Brazil, and that the new campaigns no longer include language checks.

How to protect yourself from SambaSpy?

Researchers say a key detail in this story is the method of infection, which suggests that anyone, anywhere in the world, speaking any language, could be a target for the next campaign. For the attackers, it doesn’t matter who the victim is, nor are the details in the emails they send important. Today it could be an estate agency invoice, tomorrow a tax notice, and the day after that airline tickets or travel vouchers. So always be careful with phishing emails and before you click on a link in an email, stop for a moment and ask yourself if it could be a scam.

Photo: Sebastian Molina photography | Unsplash

Source: www.informacija.rs