Italian Users are the target of New Brazilian-Related SambaSpy Malware via Phishing Emails


A previously undocumented malware known as SambaSpy is targeting victims exclusively in Italy through a phishing campaign. The threat actor behind the campaign is believed to speak Brazilian Portuguese.

“Threat actors usually try to cast a wide net to maximize their profits, but these attackers are focused on just one country,” Kaspersky said in a new analysis. “It’s likely that the attackers are testing the waters with Italian users before expanding their operation to other countries.”

The attack begins with a phishing email that contains either an HTML attachment or an embedded link that starts the infection process. If the HTML attachment is opened, it drops a ZIP archive containing an interim downloader or dropper, which in turn deploys and launches the multifunctional RAT payload.

The downloader is responsible for retrieving the malware from a remote server. The dropper serves the same purpose but extracts the payload from the archive itself rather than fetching it from another source.

The second infection chain is considerably more elaborate. If the user who clicks the booby-trapped link is not an intended target, they are taken to a legitimate invoice hosted on FattureInCloud.

Otherwise, clicking the same URL takes the victim to a malicious web server that serves an HTML page whose JavaScript code contains comments written in Brazilian Portuguese.

“It redirects users to a malicious OneDrive URL but only if they are running Edge, Firefox, or Chrome with their language set to Italian,” the Russian cybersecurity vendor said. “If the users don’t pass these checks, they stay on the page.”

Users who satisfy these conditions are shown a PDF document hosted on Microsoft OneDrive that invites them to click a hyperlink. Doing so serves a malicious JAR file hosted on MediaFire, which contains either the downloader or the dropper mentioned above.
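The landing page described above gates on the visitor's browser and locale before redirecting to a cloud-hosted lure. The following static triage script is an added example (not code from the article, Kaspersky, or the campaign): it scores an HTML page for exactly that pattern, reporting language checks, user-agent checks, client-side redirects and links to the hosting services the article names. The two sample pages, the placeholder URL, the host list and the scoring weights are all constructed assumptions for illustration.

```python
"""Static triage of HTML lure pages for browser/locale gating.

Added example. It flags the behaviour the write-up attributes to the
SambaSpy landing page (browser and Italian-locale checks followed by a
redirect to a cloud host). Sample pages, URLs and weights are constructed.
"""
import re
from dataclasses import dataclass, field

# Hosting services the article names as lure/payload hosts (assumed list).
WATCHED_HOSTS = ("onedrive.live.com", "1drv.ms", "mediafire.com")

LANG_CHECK = re.compile(r"navigator\.(?:language|languages|userLanguage)")
ITALIAN_LOCALE = re.compile(r"['\"]it(?:-IT)?['\"]")
UA_CHECK = re.compile(r"navigator\.(?:userAgent|appVersion|vendor)")
# Client-side redirect with a quoted literal target.
REDIRECT = re.compile(
    r"(?:window\.location(?:\.href)?|location\.(?:replace|assign|href))"
    r"\s*(?:=|\()\s*['\"]([^'\"]+)['\"]")
ALL_URLS = re.compile(r"https?://[^'\"\s<>]+")


@dataclass
class LureVerdict:
    language_gate: bool
    italian_locale: bool
    browser_gate: bool
    redirect_targets: list = field(default_factory=list)
    watched_hosts: list = field(default_factory=list)
    jar_links: list = field(default_factory=list)
    score: int = 0

    @property
    def suspicious(self) -> bool:
        return self.score >= 5  # threshold chosen for this example


def host_of(url: str) -> str:
    return url.split("//", 1)[1].split("/", 1)[0].lower()


def is_watched(host: str) -> bool:
    return any(host == w or host.endswith("." + w) for w in WATCHED_HOSTS)


def triage_html(html: str) -> LureVerdict:
    v = LureVerdict(
        language_gate=bool(LANG_CHECK.search(html)),
        italian_locale=bool(ITALIAN_LOCALE.search(html)),
        browser_gate=bool(UA_CHECK.search(html)),
    )
    v.redirect_targets = REDIRECT.findall(html)
    for url in ALL_URLS.findall(html):
        h = host_of(url)
        if is_watched(h) and h not in v.watched_hosts:
            v.watched_hosts.append(h)
        if url.lower().endswith(".jar"):
            v.jar_links.append(url)
    # A redirect whose target is a watched host, combined with gating,
    # is the combination the article describes, so it weighs most.
    gated_to_watched = any(is_watched(host_of(u))
                           for u in v.redirect_targets if "://" in u)
    score = 0
    if v.language_gate:
        score += 2
    if v.italian_locale:
        score += 1
    if v.browser_gate:
        score += 1
    if v.redirect_targets:
        score += 3 if gated_to_watched else 1
    if v.jar_links:
        score += 2
    v.score = score
    return v


# Constructed sample of the gating pattern; the URL is a placeholder.
SAMPLE_LURE = r"""<html><body><script>
var ua = navigator.userAgent;
var lang = navigator.language || navigator.userLanguage;
if (/(Edg|Firefox|Chrome)\//.test(ua) && lang === 'it-IT') {
  window.location.href = "https://onedrive.live.com/PLACEHOLDER";
}
</script></body></html>"""

# Constructed benign page: uses the locale only to pick a greeting.
BENIGN_PAGE = r"""<html><body><script>
var lang = navigator.language;
document.getElementById("greet").textContent = lang.startsWith("it") ? "Ciao" : "Hello";
</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("lure", SAMPLE_LURE), ("benign", BENIGN_PAGE)):
        print(name, triage_html(page))
```

The benign page trips the locale regexes too, which is why a single indicator is not enough on its own: the verdict only turns suspicious when gating is paired with a redirect to one of the watched hosts.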

SambaSpy is a Java-based remote access trojan with extensive features. It can perform various tasks such as file system management, process management, remote desktop management, file upload/download, webcam control, keylogging and clipboard tracking, screenshot capture, and remote shell. All in all, it’s practically a Swiss Army knife trojan.

To extend its capabilities as needed, it can also load further plugins at runtime by opening a file the RAT previously downloaded to disk. It is also designed to steal login credentials from web browsers including Vivaldi, Chrome, Edge, Opera, Brave, and Iridium.

Evidence from infrastructure points to an operational expansion by the threat actor behind the campaign, suggesting that they are also targeting Brazil and Spain.

“There are various connections with Brazil, such as language artifacts in the code and domains targeting Brazilian users,” Kaspersky said. “This aligns with the fact that attackers from Latin America often target European countries with closely related languages, namely Italy, Spain, and Portugal.”

New BBTok and Mekotio Campaigns Target Latin America

The discovery comes weeks after Trend Micro warned of a surge in campaigns spreading banking trojans, including BBTok, Grandoreiro, and Mekotio, across Latin America through phishing scams that use business and legal transactions as bait.

Mekotio “employs a new technique where the trojan’s PowerShell script is now obfuscated, enhancing its ability to evade detection,” the company noted, adding that BBTok uses phishing links to download ZIP or ISO packages containing LNK files that serve as the infection trigger.

The LNK file launches the legitimate MSBuild.exe binary, which is contained in the ISO image, to proceed to the next stage. MSBuild.exe loads a malicious XML file, likewise hidden within the ISO archive, and then uses rundll32.exe to start the BBTok DLL payload.

“By using the legitimate Windows utility MSBuild.exe, attackers can execute their malicious code while evading detection,” Trend Micro noted.

Mekotio-related attack chains begin with a malicious URL in a phishing email that, when clicked, takes the victim to a fake website that delivers a ZIP archive containing a batch file designed to launch a PowerShell script.

The PowerShell script performs reconnaissance of the victim environment to verify that it is, in fact, located in one of the targeted countries before acting as a second-stage downloader that launches the trojan using an AutoHotkey script.
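Both chains above are visible as process lineage on the endpoint: MSBuild.exe spawning rundll32.exe for BBTok, and a batch file starting PowerShell that then launches AutoHotkey for Mekotio. The detection logic below is an added example (not Trend Micro's code or any vendor rule) that runs two such lineage rules over a constructed list of simplified, Sysmon-like process-creation events; the event shape, file names, paths and rule names are assumptions for illustration.

```python
"""Process-lineage detection for the BBTok and Mekotio chains.

Added example. Events are constructed in a simplified Sysmon-like shape
(pid, ppid, image, command line); paths and file names are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # executable file name, e.g. "msbuild.exe"
    cmdline: str


@dataclass
class Finding:
    rule: str
    chain: list    # pids from the earliest ancestor matched to the trigger
    detail: str


def _ancestors(ev, by_pid):
    """Yield ancestor events nearest-first, guarding against pid reuse loops."""
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        yield cur
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)


def detect(events):
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        img = ev.image.lower()
        parent = by_pid.get(ev.ppid)
        # Rule 1 (BBTok): rundll32.exe started by MSBuild.exe. The MSBuild
        # command line is reported so the project file can be collected.
        if img == "rundll32.exe" and parent and parent.image.lower() == "msbuild.exe":
            findings.append(Finding("msbuild_rundll32", [parent.pid, ev.pid],
                                    parent.cmdline))
        # Rule 2 (Mekotio): AutoHotkey under a PowerShell whose own ancestor
        # is cmd.exe running a .bat file.
        if img.startswith("autohotkey"):
            ps = next((a for a in _ancestors(ev, by_pid)
                       if a.image.lower() == "powershell.exe"), None)
            if ps is not None:
                bat = next((a for a in _ancestors(ps, by_pid)
                            if a.image.lower() == "cmd.exe"
                            and ".bat" in a.cmdline.lower()), None)
                if bat is not None:
                    findings.append(Finding("cmd_powershell_autohotkey",
                                            [bat.pid, ps.pid, ev.pid], bat.cmdline))
    return findings


# Constructed sample telemetry: one BBTok-like chain, one Mekotio-like
# chain, and a benign developer build that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, "explorer.exe", "explorer.exe"),
    ProcEvent(2, 1, "MSBuild.exe", r"E:\MSBuild.exe E:\nota.xml"),
    ProcEvent(3, 2, "rundll32.exe", r"rundll32.exe C:\Users\u\AppData\Local\Temp\PLACEHOLDER.dll,Entry"),
    ProcEvent(4, 1, "cmd.exe", r'cmd.exe /c "C:\Users\u\Downloads\documento.bat"'),
    ProcEvent(5, 4, "powershell.exe", r"powershell.exe -NoProfile -File C:\Users\u\AppData\Local\Temp\s.ps1"),
    ProcEvent(6, 5, "AutoHotkey.exe", r"AutoHotkey.exe C:\Users\u\AppData\Local\Temp\s.ahk"),
    ProcEvent(7, 1, "devenv.exe", "devenv.exe"),
    ProcEvent(8, 7, "MSBuild.exe", r"MSBuild.exe C:\src\app.csproj"),
    ProcEvent(9, 8, "csc.exe", "csc.exe @args.rsp"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.rule, f.chain, f.detail)
```

The benign MSBuild.exe invocation (spawning the C# compiler) produces no finding, which is the point of keying on the child process rather than on MSBuild.exe alone.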

“More sophisticated phishing scams targeting Latin American users to steal sensitive banking credentials and carry out unauthorized banking transactions underscores the urgent need for enhanced cybersecurity measures against increasingly advanced methods employed by cybercriminals,” Trend Micro researchers said.

“These trojans [have] grown increasingly adept at evading detection and stealing sensitive information while the gangs behind them become bolder in targeting larger groups for more profit.”

About us:

CIO News is the premier platform dedicated to delivering the latest news, updates, and insights from the CIO industry. As a trusted source in the technology and IT sector, we provide a comprehensive resource for executives and professionals seeking to stay informed and ahead of the curve. With a focus on cutting-edge developments and trends, CIO News serves as your go-to destination for staying abreast of the rapidly evolving landscape of technology and IT. Founded in June 2020, CIO News has rapidly evolved with ambitious growth plans to expand globally, targeting markets in the Middle East & Africa, ASEAN, USA, and the UK.

CIO News is a proprietary of Mercadeo Multiventures Pvt Ltd.