“Exotic SambaSpy Now Engaging Italian Users”

Researchers uncovered SambaSpy, a new Remote Access Trojan deployed in a May 2024 Italian-targeted campaign. The operation uses phishing, redirection through legitimate services, language checks, and obfuscation to ensure only Italian users are infected, with SambaSpy providing extensive RAT capabilities. #SambaSpy #FattureInCloud #OneDrive #BrazilianPortuguese #ItalianUsers #InvoicePhishing

Keypoints

  • Campaign exclusively targeting Italian users detected in May 2024.
  • Phishing emails appeared to be from a legitimate Italian real estate company.
  • Malicious links redirected users to a legitimate cloud service displaying a fake invoice.
  • Infection chain involved checks for Italian language settings and specific browsers.
  • SambaSpy RAT features include file management, keystroke logging, and remote desktop control.
  • Attackers showed connections to Brazil, indicated by language artifacts in the code.
  • Malware distribution relied on legitimate-looking documents; the real estate company whose identity was used in the emails is unrelated to the campaign.
  • Indicators of compromise include specific malicious domains and file hashes.

MITRE Techniques

  • [T1043] Remote Access Trojan – SambaSpy enables remote access and control. Quote: ‘Utilizes SambaSpy for remote access and control.’
  • [T1566] Phishing – Phishing emails crafted to appear legitimate to Italian users. Quote: ‘Phishing emails crafted to appear legitimate to Italian users.’
  • [T1071] Command and Control – Communicates with command and control servers for instructions and data exfiltration. Quote: ‘Communicates with command and control servers for instructions and data exfiltration.’
  • [T1003] Credential Dumping – Steals credentials from major web browsers. Quote: ‘Steals credentials from major web browsers.’
  • [T1027] Obfuscated Files or Information – Employs obfuscation techniques to hide malicious code and evade detection. Quote: ‘Employs obfuscation techniques to hide malicious code and evade detection.’

Indicators of Compromise

  • [Domain] belliniepecuniaimmobili[.]com, immobilibelliniepecunia[.]xyz, and other domains
  • [MD5 Hash] e6be6bc2f8e27631a7bfd2e3f06494aa, 1ec21bd711b491ad47d5c2ef71ff1a10
  • [URL] hxxps://1drv.ms/b/s!AnMKZoF8QfODa92x201yr0GDysk?e=ZnX3Rm, 66d68ce73c83226a.ngrok.app
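The key points describe an infection chain that passes through a legitimate cloud service before reaching attacker infrastructure, which affects how the indicators above should be matched: the OneDrive link is only meaningful as a full URL (its host serves millions of benign shares), while the attacker-controlled domains should match any subdomain as well. The script below, added here as an example and not code from Securelist or the report, refangs the published indicators and runs them over a few constructed proxy/download log lines. The log format (timestamp, client IP, URL, MD5 of any downloaded file or a dash) and all sample lines are assumptions made for the example; only the indicator values come from the page.

```python
"""Scan constructed proxy/download log lines for the SambaSpy IoCs listed above."""
import re
from urllib.parse import urlsplit

# IoCs exactly as published in the report (defanged); refanged at run time.
DEFANGED_DOMAINS = [
    "belliniepecuniaimmobili[.]com",
    "immobilibelliniepecunia[.]xyz",
]
DEFANGED_URLS = [
    "hxxps://1drv.ms/b/s!AnMKZoF8QfODa92x201yr0GDysk?e=ZnX3Rm",
    "66d68ce73c83226a.ngrok.app",
]
MD5_HASHES = {
    "e6be6bc2f8e27631a7bfd2e3f06494aa",
    "1ec21bd711b491ad47d5c2ef71ff1a10",
}

# Assumed log format (constructed for this example):
#   "<ISO time> <client IP> <URL> <md5-of-download-or-dash>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<url>\S+)\s+(?P<md5>\S+)$")


def refang(value):
    """Turn a defanged indicator back into a matchable string."""
    return (value.replace("hxxps://", "https://").replace("hxxp://", "http://")
                 .replace("[.]", ".").replace("[:]", ":"))


def split_indicator(value):
    """urlsplit that also accepts a bare hostname with no scheme."""
    v = refang(value)
    return urlsplit(v if "://" in v else "//" + v)


def canonical_url(parts):
    """host + path + query; scheme and fragment dropped so http/https variants match."""
    canon = (parts.hostname or "").lower() + (parts.path or "/")
    return canon + "?" + parts.query if parts.query else canon


def build_watchlist():
    """Domains match by host (subdomains included); full URLs match exactly.
    A URL on a shared legitimate service (1drv.ms here) is deliberately NOT
    reduced to a host indicator, which would flag every OneDrive user."""
    hosts = {split_indicator(d).hostname.lower() for d in DEFANGED_DOMAINS}
    urls = set()
    for u in DEFANGED_URLS:
        parts = split_indicator(u)
        if parts.path.strip("/") or parts.query:
            urls.add(canonical_url(parts))
        else:
            hosts.add(parts.hostname.lower())
    return {"hosts": hosts, "urls": urls, "md5": MD5_HASHES}


def host_matches(host, watched_hosts):
    """Exact or label-boundary suffix match: 'cdn.evil.xyz' hits 'evil.xyz', 'notevil.xyz' does not."""
    return host in watched_hosts or any(host.endswith("." + w) for w in watched_hosts)


def scan(lines, watch=None):
    """Return one hit record per matching indicator found in the log lines."""
    watch = watch or build_watchlist()
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line; a real pipeline would count these
        parts = urlsplit(m["url"])
        host = (parts.hostname or "").lower()
        if host_matches(host, watch["hosts"]):
            hits.append({"ts": m["ts"], "src": m["src"], "kind": "domain", "value": host})
        if canonical_url(parts) in watch["urls"]:
            hits.append({"ts": m["ts"], "src": m["src"], "kind": "url", "value": m["url"]})
        if m["md5"] != "-" and m["md5"].lower() in watch["md5"]:
            hits.append({"ts": m["ts"], "src": m["src"], "kind": "md5", "value": m["md5"].lower()})
    return hits


# Constructed sample log lines for the example; not from a real incident.
SAMPLE_LOG = """\
2024-05-14T10:02:11Z 10.0.0.25 https://www.example.com/invoice -
2024-05-14T10:02:13Z 10.0.0.25 https://1drv.ms/b/s!AnMKZoF8QfODa92x201yr0GDysk?e=ZnX3Rm -
2024-05-14T10:02:15Z 10.0.0.31 https://1drv.ms/b/s!unrelated-share -
2024-05-14T10:02:19Z 10.0.0.25 https://cdn.immobilibelliniepecunia.xyz/download -
2024-05-14T10:02:21Z 10.0.0.31 https://notbelliniepecuniaimmobili.com/ -
2024-05-14T10:02:40Z 10.0.0.25 http://66d68ce73c83226a.ngrok.app/ -
2024-05-14T10:03:01Z 10.0.0.25 https://cdn.immobilibelliniepecunia.xyz/payload.jar E6BE6BC2F8E27631A7BFD2E3F06494AA
2024-05-14T10:05:00Z 10.0.0.31 https://www.example.com/ d41d8cd98f00b204e9800998ecf8427e
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['kind']:6} {hit['value']}")
```

On the sample lines only client 10.0.0.25 produces hits (the OneDrive share URL, the attacker domain via a subdomain, the ngrok host, and the MD5 of the downloaded file); the unrelated OneDrive share, the look-alike domain with a different label, and the benign download are not flagged. In a real deployment the same matching would run over proxy, DNS and EDR file-hash telemetry rather than a constructed list.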

Read more: https://securelist.com/sambaspy-rat-targets-italian-users/113851/