Tuesday, December 24, 2024
Homecyber securitySambaSpy Using Weaponized PDF Files to Attack Windows Users

SambaSpy Using Weaponized PDF Files to Attack Windows Users

Published on

SIEM as a Service

SambaSpy Attacking Windows Users With Weaponized PDF FilesResearchers discovered a targeted cybercrime campaign in May 2024 that exclusively focused on Italian victims, which was unusual as attackers typically aim for broader targets to increase profits. 

However, this campaign implemented checks at different stages of the infection chain to ensure only Italian users were affected, which prompted to investigate further, leading to the discovery of a new remote access Trojan (RAT) named SambaSpy, delivered as the final payload.

SambaSpy infection chain 2
SambaSpy infection chain 2

The attackers used a spearphishing email with a fake invoice from a legitimate Italian real estate company to trick users into clicking on a malicious link. 

- Advertisement - SIEM as a Service

The link redirected users to a website that looked like a legitimate invoice storage website, but it then redirected Italian users who were using Edge, Firefox, or Chrome to a malicious OneDrive URL. Finally, the URL redirected users to a malicious JAR file hosted on MediaFire.

This malware employs a two-stage delivery process, where the initial downloader verifies it’s not running in a virtualized environment and ensures the system locale is Italian. If checks pass, it retrieves the final payload, likely another malicious executable. 

The dropper, embedded within the downloader’s resources, performs identical checks but carries the final payload itself, eliminating the need for additional network communication.

Once checks pass, both the downloader and dropper execute the embedded payload, completing the infection. 

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

The downloader
The downloader

SambaSpy, a Java-based RAT employs Zelix KlassMaster to obfuscate its strings, class names, and methods, hindering analysis and detection. 

Its extensive feature set includes file system and process management, file transfers, webcam control, keylogging, clipboard manipulation, screenshot capture, remote desktop control, password theft, plugin loading, remote shell execution, and victim interaction. 

The plugin loading mechanism is straightforward, involving class loading via URLClassLoader to access downloaded files and subsequent URL addition.

Loading plugins
Loading plugins

A remote access Trojan employs the JNativeHook library to capture and transmit keystrokes to a command-and-control server.

Additionally, it leverages Java’s Abstract Window Toolkit to steal or manipulate clipboard content. 

The RAT is capable of extracting credentials from various web browsers, including Chrome, Edge, Opera, Brave, Iridium, and Vivaldi. 

SambaSpy implements a custom remote control system, utilizing the Robot class to simulate mouse and keyboard actions and the GraphicsDevice class to provide a visual representation of the victim’s screen to the attacker.

Stealing browser credentials
Stealing browser credentials

The threat actor behind the campaign is currently unidentified. However, based on the language used in the malicious artifacts and websites, it is believed to be a Brazilian Portuguese speaker. 

While initially targeting Italy, the actor has expanded their activities to Spain and Brazil. The attacker’s interest in Italian targets is evident in the language checks implemented in the infection chain. 

According to Secure List, the use of multiple domains for managing and distributing different variants of the downloader suggests a well-organized and persistent threat actor.

The attackers launched a targeted campaign against Italian users, leveraging a legitimate document to distribute malware using obfuscation techniques and reused infrastructure domains to evade detection. 

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial

Latest articles

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store,...

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store,...