New Brazilian-Linked SambaSpy Malware Targets Italian Users via Phishing Emails

Cybersecurity researchers have uncovered a previously undocumented malware family known as SambaSpy. The malware has been observed targeting Italian users through a phishing campaign believed to be run by Brazilian Portuguese-speaking threat actors. Unlike most cybercriminal operations, which cast as wide a net as possible, the SambaSpy campaign is concentrated on a single country, Italy, suggesting that the attackers are testing their tooling before expanding elsewhere.

Targeting Italian Users

According to a report from Kaspersky, SambaSpy is distributed through a phishing campaign that uses two distinct infection chains. In the more elaborate chain, the link in the email first checks whether the visitor matches the attackers' target profile: visitors who do not match are redirected to a legitimate invoice hosted on FattureInCloud (an Italian invoicing service), while visitors who do match are sent to a malicious web server that serves an HTML page containing comments written in Brazilian Portuguese.

For the attack to proceed, the victim must be using Microsoft Edge, Firefox, or Chrome with the browser language set to Italian. If these conditions are met, the target is shown a PDF document hosted on Microsoft OneDrive. The PDF contains a link to a malicious JAR file hosted on MediaFire; depending on the variant, the JAR is either a downloader that fetches SambaSpy from a remote server or a dropper that carries the RAT inside it and writes it to the victim's machine.
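The targeting filter described above, reproduced here as an added example that is not Kaspersky's code or the campaign's own code. `fake_gate` is a constructed stand-in for the attackers' server-side check (Italian locale plus one of the three targeted browsers gets the lure, everyone else a redirect to a legitimate-looking invoice), and the host names in it are placeholders. `probe` and `gated_variants` are the analyst-side part: request the same URL under several User-Agent and Accept-Language combinations and report which combinations receive different content. A non-empty result is the tell-tale of a lure that only shows itself to its intended victims.

```python
"""Expose client-gated (cloaked) lure pages by varying request headers.

Added example; not Kaspersky's or the campaign's code. fake_gate is a
CONSTRUCTED stand-in for the attackers' check; its URLs are placeholders.
"""
from collections import Counter
from itertools import product
from typing import Callable, Dict, Set, Tuple
import urllib.error
import urllib.request

Response = Tuple[int, str]          # (HTTP status, body or Location header)
Fetch = Callable[[Dict[str, str]], Response]

DECOY_INVOICE = "https://fattureincloud.example/invoice/12345"   # placeholder host
LURE_HTML = ("<!-- pagina de destino -->"                         # placeholder lure
             "<a href='https://onedrive.example/doc.pdf'>Fattura</a>")


def fake_gate(headers: Dict[str, str]) -> Response:
    """Constructed model of the gate the report describes, not the real server.
    Targeted browser + Italian locale -> lure page; anything else -> decoy redirect."""
    ua = headers.get("User-Agent", "")
    lang = headers.get("Accept-Language", "").lower()
    targeted_browser = any(tag in ua for tag in ("Edg/", "Firefox/", "Chrome/"))
    if targeted_browser and lang.startswith("it"):
        return 200, LURE_HTML
    return 302, DECOY_INVOICE


# Probe matrix: a few realistic browser identities plus a non-browser client.
USER_AGENTS = {
    "chrome":  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36",
    "edge":    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 Edg/128.0.0.0",
    "firefox": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0",
    "curl":    "curl/8.6.0",
}
ACCEPT_LANGUAGES = {"it": "it-IT,it;q=0.9", "en": "en-US,en;q=0.9", "pt": "pt-BR,pt;q=0.9"}


def probe(fetch: Fetch) -> Dict[Tuple[str, str], Response]:
    """Request the same resource under every UA x language combination."""
    results: Dict[Tuple[str, str], Response] = {}
    for (ua_name, ua), (lang_name, lang) in product(USER_AGENTS.items(), ACCEPT_LANGUAGES.items()):
        results[(ua_name, lang_name)] = fetch({"User-Agent": ua, "Accept-Language": lang})
    return results


def gated_variants(results: Dict[Tuple[str, str], Response]) -> Set[Tuple[str, str]]:
    """Combinations whose response differs from the majority response.
    Empty set: everyone sees the same thing. Non-empty: the server selects
    content by client identity, which is what a targeted lure does."""
    majority, _count = Counter(results.values()).most_common(1)[0]
    return {combo for combo, resp in results.items() if resp != majority}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # do not follow: the redirect target itself is the evidence


def http_fetch(url: str, timeout: float = 10.0) -> Fetch:
    """Fetch callable for a live URL. Use only from an isolated analysis host,
    since every request contacts the suspect infrastructure."""
    opener = urllib.request.build_opener(_NoRedirect)

    def fetch(headers: Dict[str, str]) -> Response:
        req = urllib.request.Request(url, headers=headers)
        try:
            with opener.open(req, timeout=timeout) as resp:
                return resp.status, resp.read(4096).decode("utf-8", "replace")
        except urllib.error.HTTPError as err:          # 3xx surfaces here
            return err.code, err.headers.get("Location", "")
    return fetch


if __name__ == "__main__":
    for combo in sorted(gated_variants(probe(fake_gate))):
        print("lure served to", combo)
```

Two caveats a practitioner should keep in mind. If the gate is implemented in page JavaScript (reading `navigator.language` and `navigator.userAgent`) rather than on the server, a header probe sees identical HTML for every variant and the page has to be rendered in an instrumented browser with a spoofed locale instead. And the probe deliberately does not follow redirects: the `Location` value returned for the non-target variants is the decoy the report describes and is worth recording as an indicator in its own right.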

The Multi-functional SambaSpy RAT

SambaSpy is a full-featured remote access trojan (RAT) written in Java. Once installed, it gives the operator the following capabilities:

  • File system management
  • Process management
  • Remote desktop access
  • File uploads and downloads
  • Webcam control
  • Keylogging and clipboard tracking
  • Screenshot capture
  • Remote shell access

The malware can also load additional plugins at runtime, letting the operators extend its functionality as needed. It is particularly dangerous because it also steals credentials saved in Chromium-based browsers, including Chrome, Edge, Opera, Brave, Iridium, and Vivaldi.

Threat Actor Connections to Brazil

Evidence from the attack infrastructure indicates that the operators behind SambaSpy are preparing to extend their activity to Brazil and Spain. The Brazilian Portuguese comments in the code and domain names aimed at Brazilian users further point to the group's connections to Brazil.

According to Kaspersky, this targeting fits a pattern in which Latin American cybercriminals often focus on European countries whose languages are close to their own, such as Italy, Spain, and Portugal.


New BBTok and Mekotio Campaigns Target Latin America

In a separate development, Trend Micro has observed a rise in attacks delivering the banking trojans BBTok, Grandoreiro, and Mekotio, primarily against targets in Latin America. These campaigns spread through phishing emails built around business-transaction and judicial themes to deceive recipients.

BBTok Campaign Techniques

BBTok infections usually begin with a phishing email containing a link to a downloadable ZIP or ISO file. The archive holds an LNK (Windows shortcut) file that starts the infection. Rather than dropping an obviously malicious executable, the attackers abuse legitimate, Microsoft-signed Windows binaries: the LNK launches MSBuild.exe with a hidden malicious XML project file, and that project in turn uses rundll32.exe to load and launch the BBTok trojan. Because every process in the chain is a trusted system component, this living-off-the-land approach is harder for traditional security tools to flag.

Mekotio's Enhanced Evasion Tactics

Mekotio, another banking trojan aimed at Latin America, has adopted new evasion techniques, notably an obfuscated PowerShell script. Like BBTok, it starts with phishing emails that direct victims to fake websites. These sites deliver a ZIP archive containing a batch file; the batch file runs the PowerShell script, which downloads the trojan and launches it by way of an AutoHotKey script.

Before proceeding, the malware performs reconnaissance to confirm that the victim is located in one of the intended countries. This geographic filtering keeps the operators focused on Latin American victims and reduces the chance of the payload running in an analyst's sandbox elsewhere.
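A detection pass over process-creation telemetry, as an added example that is not Trend Micro's, Kaspersky's, or any vendor's code, covering the three execution chains described on this page: the SambaSpy JAR launched from a download folder and spawning a shell, the BBTok chain of LNK to MSBuild.exe to rundll32.exe, and the Mekotio chain of batch file to PowerShell to AutoHotKey. The events are constructed Sysmon-style process records; every path, user name and file name in them is made up. The rules match on process lineage and command-line shape rather than on any file hash, so they would also fire on other campaigns that reuse the same living-off-the-land pattern.

```python
"""Lineage-based detection for the three delivery chains described on this page.

Added example, not vendor code. EVENTS are CONSTRUCTED Sysmon-style
process-creation records (Event ID 1 reduced to pid/ppid/image/cmdline);
every path, user name and file name below is made up.
"""
import re
from typing import Any, Callable, Dict, List, Optional, Tuple

Event = Dict[str, Any]

EVENTS: List[Event] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # SambaSpy-style: JAR run from Downloads, then a shell spawned by the JVM
    {"pid": 101, "ppid": 100, "image": r"C:\Program Files\Java\jre-17\bin\javaw.exe",
     "cmdline": r"javaw.exe -jar C:\Users\mario\Downloads\Fattura_2024.jar"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    # BBTok-style: LNK starts MSBuild on a project file from a user-writable dir, rundll32 follows
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\mario\AppData\Local\Temp\Fatura\build.xml"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\mario\AppData\Local\Temp\Fatura\core.dll,Entry"},
    # Mekotio-style: batch file -> hidden, encoded PowerShell -> AutoHotkey interpreter
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\mario\Downloads\comprovante.bat"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAIAAoACIAeAAiACkA"},
    {"pid": 302, "ppid": 301, "image": r"C:\Users\mario\AppData\Local\Temp\AutoHotkey.exe",
     "cmdline": r"AutoHotkey.exe C:\Users\mario\AppData\Local\Temp\loader.ahk"},
    # Benign control: a developer build started from Visual Studio on a source tree
    {"pid": 400, "ppid": 1, "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": "devenv.exe"},
    {"pid": 401, "ppid": 400, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj"},
]

# Paths an unprivileged user can write to, where a phished download ends up.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata\\local\\temp)\\", re.I)
# -w hidden / -windowstyle hidden, or -e / -enc / -encodedcommand followed by whitespace.
HIDDEN_OR_ENCODED = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc(?:odedcommand)?)?\s)", re.I)


def exe(path: str) -> str:
    """Lower-cased file name of an image path (Sysmon records full paths)."""
    return path.rsplit("\\", 1)[-1].lower()


def _is(ev: Optional[Event], *names: str) -> bool:
    return ev is not None and exe(ev["image"]) in names


Rule = Tuple[str, Callable[[Event, Optional[Event]], bool]]
RULES: List[Rule] = [
    ("jar_launched_from_user_dir", lambda ev, p:
        _is(ev, "java.exe", "javaw.exe") and "-jar" in ev["cmdline"].lower()
        and USER_WRITABLE.search(ev["cmdline"]) is not None),
    ("java_spawned_shell", lambda ev, p:
        _is(p, "java.exe", "javaw.exe") and _is(ev, "cmd.exe", "powershell.exe", "pwsh.exe")),
    ("msbuild_project_from_user_dir", lambda ev, p:
        _is(ev, "msbuild.exe") and USER_WRITABLE.search(ev["cmdline"]) is not None),
    ("rundll32_child_of_msbuild", lambda ev, p:
        _is(p, "msbuild.exe") and _is(ev, "rundll32.exe")),
    ("hidden_or_encoded_powershell_from_batch", lambda ev, p:
        _is(p, "cmd.exe") and _is(ev, "powershell.exe", "pwsh.exe")
        and HIDDEN_OR_ENCODED.search(ev["cmdline"]) is not None),
    ("autohotkey_child_of_powershell", lambda ev, p:
        _is(p, "powershell.exe", "pwsh.exe") and _is(ev, "autohotkey.exe")),
]


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Run every rule over every event; returns (pid, rule name) hits in event order.
    Keyed on PID for brevity; real telemetry should key on ProcessGuid, since PIDs are reused."""
    by_pid = {e["pid"]: e for e in events}
    hits: List[Tuple[int, str]] = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        for name, pred in RULES:
            if pred(ev, parent):
                hits.append((ev["pid"], name))
    return hits


def lineage(events: List[Event], pid: int) -> str:
    """Ancestry of a process as 'root > ... > leaf', for the analyst's triage view."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(exe(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " > ".join(reversed(chain))


if __name__ == "__main__":
    for hit_pid, rule in detect(EVENTS):
        print(f"{rule:42s} {lineage(EVENTS, hit_pid)}")
```

Each rule is narrow on lineage but loose on file names, which is the right trade-off for this family of lures: the attackers control the names, not the fact that MSBuild.exe must spawn rundll32.exe or that a JAR under Downloads must be executed by the JVM. The benign MSBuild record launched by devenv.exe on a source tree is left alone. The AutoHotKey rule keys on the interpreter's file name, so a renamed copy of the interpreter would need a second rule on its original file name from the PE version resource (Sysmon's OriginalFileName field).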

Urgent Need for Enhanced Cybersecurity

The resurgence of BBTok and Mekotio shows that banking-trojan operators in Latin America keep refining their delivery and evasion tactics. With phishing lures becoming more targeted and more convincing, users and organizations need stronger defenses to protect their financial credentials.

Both the SambaSpy campaign in Europe and the recent banking-trojan activity in Latin America underscore the same point: phishing chains that filter their victims and hide behind legitimate tools are now standard practice for financially motivated actors in the region.

