Mumbai: A new Remote Access Trojan (RAT), dubbed SambaSpy, has been found exclusively targeting Italian users, Kaspersky's Global Research and Analysis Team (GReAT) has revealed.
Kaspersky's researchers have discovered a sophisticated malware campaign exclusively targeting Italian users. The campaign distributes a new RAT, named SambaSpy by the researchers, whose capabilities include file system management, webcam control, password theft and remote desktop management.
Unlike most malware attacks that cast a wide net across multiple countries and languages, the SambaSpy campaign stands out for its precise targeting. The malware has been engineered to infect only users whose systems are set to Italian, ensuring the maximum likelihood of success in this region. According to Kaspersky’s telemetry, this campaign began in May 2024 and shows no signs of slowing down.
“We were surprised by the narrow targeting of this attack. Typically, cybercriminals aim to infect as many users as possible, but SambaSpy’s infection chain includes specific checks to ensure that only Italian users are affected,” said Giampaolo Dedola, Senior Cybersecurity Researcher at Kaspersky’s GReAT.
Kaspersky identified two slightly different infection chains used in the campaign. One particularly elaborate infection method begins with a phishing email, appearing to come from a legitimate Italian real estate company. The email prompts users to view an invoice by clicking an embedded link. This link redirects users to a legitimate Italian cloud service used for managing invoices.
However, certain users are instead redirected to a malicious web server, where the malware validates browser and language settings. If the user is running Edge, Firefox, or Chrome with Italian language settings, they are directed to a malicious OneDrive URL containing a harmful PDF. This initiates the download of either a dropper or a downloader, both of which eventually deliver the SambaSpy RAT.
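The gating step described above (the server only hands the payload link to Italian-locale browsers) is a form of cloaking that an analyst can surface by requesting the same link under several browser and language headers and comparing where each request lands. The following is an added example for defenders and sandbox analysts; it is not Kaspersky's tooling or code from the campaign. The `simulated_cloaking_server` function, the `.invalid` hostnames and the header matrix are constructed stand-ins so the script runs offline; in a real triage the `fetch` callable would perform the HTTP request from an isolated analysis environment and return the final URL after redirects.

```python
"""Probe a suspicious link for language-gated redirect behaviour.

Added example (not from the original article or from Kaspersky). The gating
server below is a constructed stand-in used only to exercise the detector.
"""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, List, Tuple

# Constructed header matrix: the browser families named in the write-up plus a
# non-browser control, and Italian vs. non-Italian Accept-Language values.
USER_AGENTS = {
    "chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
    "firefox": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0",
    "edge": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36 Edg/120.0",
    "curl": "curl/8.4.0",
}
LANGUAGES = ["it-IT,it;q=0.9", "en-US,en;q=0.9", "pt-BR,pt;q=0.9"]


@dataclass(frozen=True)
class Probe:
    ua_name: str
    accept_language: str


# fetch(url, headers) -> final landing URL after following redirects
Fetcher = Callable[[str, Dict[str, str]], str]


def simulated_cloaking_server(url: str, headers: Dict[str, str]) -> str:
    """Constructed stand-in (assumption) for a gating server: Italian-locale
    browsers land on a payload host, everything else on the legitimate portal."""
    ua = headers.get("User-Agent", "")
    lang = headers.get("Accept-Language", "")
    is_browser = any(tok in ua for tok in ("Chrome", "Firefox", "Edg/"))
    if is_browser and lang.lower().startswith("it"):
        return "https://payload-host.invalid/invoice.pdf"  # placeholder
    return "https://legit-invoice-portal.invalid/portal"  # placeholder


def probe_landing_pages(url: str, fetch: Fetcher) -> Dict[Probe, str]:
    """Request the same URL under every (User-Agent, Accept-Language) pair."""
    results: Dict[Probe, str] = {}
    for ua_name, lang in product(USER_AGENTS, LANGUAGES):
        headers = {"User-Agent": USER_AGENTS[ua_name], "Accept-Language": lang}
        results[Probe(ua_name, lang)] = fetch(url, headers)
    return results


def detect_language_gating(results: Dict[Probe, str]) -> Tuple[bool, List[Probe]]:
    """Flag when, for a fixed User-Agent, the landing page changes with the
    Accept-Language header. Returns (is_gated, probes that reached the
    minority destination for their User-Agent)."""
    by_ua: Dict[str, Dict[str, List[Probe]]] = {}
    for probe, dest in results.items():
        by_ua.setdefault(probe.ua_name, {}).setdefault(dest, []).append(probe)
    outliers: List[Probe] = []
    for dests in by_ua.values():
        if len(dests) > 1:
            # The destination reached by the fewest language settings is the
            # one being selectively served; report the probes that hit it.
            outliers.extend(min(dests.values(), key=len))
    return bool(outliers), outliers


def gated_locales(outliers: List[Probe]) -> List[str]:
    """Distinct Accept-Language values that triggered the minority destination."""
    return sorted({p.accept_language for p in outliers})


if __name__ == "__main__":
    res = probe_landing_pages("https://invoice-link.invalid/view", simulated_cloaking_server)
    gated, hits = detect_language_gating(res)
    print("language-gated redirect:", gated)
    for p in hits:
        print(f"  {p.ua_name:8s} {p.accept_language:16s} -> {res[p]}")
    print("locales selectively served:", gated_locales(hits))
```

The comparison is done per User-Agent on purpose: a site that legitimately serves different content to a command-line client and to a browser would otherwise look like cloaking. Only a split that appears when nothing but the language header changes is reported.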
SambaSpy trojan is a fully-featured RAT written in Java and obfuscated using Zelix KlassMaster.
This advanced malware can perform a range of malicious activities, including file system and process management, webcam control, keystroke logging and clipboard manipulation, remote desktop management, password theft from major browsers like Chrome, Edge, and Opera, file upload and download, and loading additional plugins at runtime.
SambaSpy’s plugin-loading mechanism and use of libraries like JNativeHook demonstrate the level of sophistication employed by the attackers.
Though the primary target is Italian users, Kaspersky researchers have identified strong links to Brazil. Comments and error messages within the malicious code are written in Brazilian Portuguese, suggesting that the threat actor behind the attacks could be Brazilian.
Furthermore, the infrastructure used in the campaign has been linked to other attacks in Brazil and Spain, although the infection tools in these regions differ slightly from those used in Italy.