Cyber Security News

SambaSpy Using Weaponized PDF Files to Attack Windows Users

Researchers discovered a targeted cybercrime campaign in May 2024 that exclusively focused on Italian victims, which was unusual, as attackers typically aim for broader targets to increase profits.

However, this campaign implemented checks at different stages of the infection chain to ensure only Italian users were affected, which prompted researchers to investigate further, leading to the discovery of a new remote access Trojan (RAT) named SambaSpy, delivered as the final payload.

Figure: SambaSpy infection chain

The attackers used a spearphishing email with a fake invoice from a legitimate Italian real estate company to trick users into clicking on a malicious link. 

The link redirected users to a website that looked like a legitimate invoice storage website, but it then redirected Italian users who were using Edge, Firefox, or Chrome to a malicious OneDrive URL. Finally, the URL redirected users to a malicious JAR file hosted on MediaFire.

This malware employs a two-stage delivery process, where the initial downloader verifies it’s not running in a virtualized environment and ensures the system locale is Italian. If checks pass, it retrieves the final payload, likely another malicious executable. 

The dropper, embedded within the downloader’s resources, performs identical checks but carries the final payload itself, eliminating the need for additional network communication.

Once checks pass, both the downloader and dropper execute the embedded payload, completing the infection. 
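The redirect chain described above (lure site, then a OneDrive URL, then a JAR hosted on MediaFire) is something a defender can look for in web-proxy logs. The following is an added example, not code from the article or from the researchers who analysed SambaSpy: it parses a few constructed proxy log lines, rebuilds each client's click chain from Referer headers, and flags JAR downloads that arrive through multiple redirects and a file-hosting service. The log format, the `example.invalid` hosts and the `CONSTRUCTED` path components are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed web-proxy log lines (not from the article): timestamp, client IP, method,
# URL, HTTP status, response content-type, referer ("-" when absent). The URLs only
# imitate the chain described above; the invoice-portal host is a placeholder.
SAMPLE_LOG = """\
2024-05-14T09:01:02Z 10.0.0.5 GET https://mail.example.invalid/inbox 200 text/html -
2024-05-14T09:01:40Z 10.0.0.5 GET https://invoice-portal.example.invalid/doc/4711 302 text/html https://mail.example.invalid/inbox
2024-05-14T09:01:41Z 10.0.0.5 GET https://onedrive.live.com/redir?resid=CONSTRUCTED 302 text/html https://invoice-portal.example.invalid/doc/4711
2024-05-14T09:01:42Z 10.0.0.5 GET https://www.mediafire.com/file/CONSTRUCTED/Fattura.jar 200 application/java-archive https://onedrive.live.com/redir?resid=CONSTRUCTED
2024-05-14T09:05:00Z 10.0.0.7 GET https://www.mediafire.com/file/CONSTRUCTED/holiday.jpg 200 image/jpeg -
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) (\S+)$")

# File-hosting services that appear as the last hops in the chain the article describes
# (OneDrive, MediaFire); extend this tuple for your own environment.
FILE_HOSTS = ("onedrive.live.com", "mediafire.com")


def parse_log(text):
    """Parse the constructed log format into a list of record dicts."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, client, method, url, status, ctype, referer = m.groups()
        records.append({"ts": ts, "client": client, "method": method, "url": url,
                        "status": int(status), "ctype": ctype,
                        "referer": None if referer == "-" else referer})
    return records


def host_matches(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def is_jar_download(rec):
    """A JAR by declared content type or by the URL path's extension."""
    path = urlparse(rec["url"]).path.lower()
    return rec["ctype"] == "application/java-archive" or path.endswith(".jar")


def referer_chain(rec, by_url):
    """Walk the Referer headers backwards to rebuild the click/redirect chain."""
    chain = [rec]
    seen = {rec["url"]}
    cur = rec
    while cur["referer"] and cur["referer"] not in seen:
        prev = by_url.get(cur["referer"])
        if prev is None:
            break
        chain.append(prev)
        seen.add(prev["url"])
        cur = prev
    return list(reversed(chain))  # oldest hop first


def find_jar_delivery_chains(records):
    """Flag JAR downloads that arrive through redirects and file-hosting services."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)
    findings = []
    for client, recs in by_client.items():
        by_url = {r["url"]: r for r in recs}
        for r in recs:
            if not is_jar_download(r):
                continue
            chain = referer_chain(r, by_url)
            hosts = [urlparse(c["url"]).hostname or "" for c in chain]
            redirects = sum(1 for c in chain if 300 <= c["status"] < 400)
            via_file_host = any(host_matches(h, FILE_HOSTS) for h in hosts)
            severity = "high" if (redirects >= 2 and via_file_host) else "medium"
            findings.append({"client": client, "jar_url": r["url"], "hops": len(chain),
                             "redirects": redirects, "via_file_host": via_file_host,
                             "severity": severity, "chain": hosts})
    return findings


if __name__ == "__main__":
    for f in find_jar_delivery_chains(parse_log(SAMPLE_LOG)):
        print(f["severity"].upper(), f["client"], " -> ".join(f["chain"]))
```

Run as-is, the script reports one high-severity chain for client 10.0.0.5 (mail, invoice portal, OneDrive, MediaFire) and nothing for the unrelated image download by 10.0.0.7. Rebuilding chains from Referer headers is deliberately lenient: if a hop sets `Referrer-Policy: no-referrer` the chain simply stops early, so the JAR download is still flagged, only with a lower hop count.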


Figure: The downloader

SambaSpy, a Java-based RAT, employs Zelix KlassMaster to obfuscate its strings, class names, and methods, hindering analysis and detection.

Its extensive feature set includes file system and process management, file transfers, webcam control, keylogging, clipboard manipulation, screenshot capture, remote desktop control, password theft, plugin loading, remote shell execution, and victim interaction. 

The plugin loading mechanism is straightforward: the RAT adds the URL of a downloaded file to a URLClassLoader and then loads classes from it.

Figure: Loading plugins

The RAT employs the JNativeHook library to capture keystrokes and transmit them to a command-and-control server.

Additionally, it leverages Java’s Abstract Window Toolkit to steal or manipulate clipboard content. 

The RAT is capable of extracting credentials from various web browsers, including Chrome, Edge, Opera, Brave, Iridium, and Vivaldi. 

SambaSpy implements a custom remote control system, utilizing the Robot class to simulate mouse and keyboard actions and the GraphicsDevice class to provide a visual representation of the victim’s screen to the attacker.
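The capabilities listed above (URLClassLoader plugin loading, JNativeHook keylogging, AWT clipboard access, Robot and GraphicsDevice remote control) all leave the corresponding JVM class names in a JAR's constant pools, even when Zelix KlassMaster has renamed the malware's own classes. The following is an added example, not code from the article or from the SambaSpy analysis: a static triage script that opens a JAR, searches each class entry for those indicator strings, and estimates obfuscation from the share of one- or two-character class names. The sample JAR is constructed in memory and its class entries are not real bytecode; the capability grouping and the obfuscation threshold are this example's own assumptions.

```python
import io
import zipfile

# Indicator strings as they appear in a class file's constant pool (JVM internal
# names use '/' as the package separator). JNativeHook's package is given in both
# its older (org.jnativehook) and newer (com.github.kwhat.jnativehook) form; the
# grouping into capabilities is this example's own, not a published ruleset.
CAPABILITY_INDICATORS = {
    "dynamic class loading": (b"java/net/URLClassLoader",),
    "keylogging": (b"org/jnativehook/", b"com/github/kwhat/jnativehook/"),
    "clipboard access": (b"java/awt/datatransfer/Clipboard",),
    "input simulation / remote control": (b"java/awt/Robot",),
    "screen capture": (b"java/awt/GraphicsDevice", b"java/awt/Robot"),
    "process control": (b"java/lang/ProcessBuilder", b"java/lang/Runtime"),
}

# Class names of one or two characters are a crude but useful obfuscation signal
# (assumed threshold: half or more of the classes).
SHORT_NAME_LIMIT = 2
OBFUSCATION_RATIO = 0.5


def build_sample_jar():
    """Constructed in-memory JAR standing in for a sample. The class entries are
    not valid bytecode: each is the class-file magic followed by the kind of
    constant-pool strings a real class would contain, which is all that string
    triage looks at."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: a\n")
        zf.writestr("a.class", b"\xca\xfe\xba\xbe\x00java/net/URLClassLoader"
                    b"\x00java/awt/Robot\x00java/awt/GraphicsDevice")
        zf.writestr("b.class", b"\xca\xfe\xba\xbe\x00org/jnativehook/GlobalScreen"
                    b"\x00java/awt/datatransfer/Clipboard")
        zf.writestr("com/example/util/Helper.class", b"\xca\xfe\xba\xbe\x00java/lang/String")
    return buf.getvalue()


def simple_class_name(entry):
    """'com/example/Foo.class' -> 'Foo'."""
    return entry.rsplit("/", 1)[-1][:-len(".class")]


def triage_jar(jar_bytes):
    """Return a capability/obfuscation report for a JAR given as bytes."""
    capabilities = {}
    class_entries = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            class_entries.append(name)
            data = zf.read(name)
            for capability, needles in CAPABILITY_INDICATORS.items():
                if any(n in data for n in needles):
                    capabilities.setdefault(capability, []).append(name)
    short = sum(1 for n in class_entries if len(simple_class_name(n)) <= SHORT_NAME_LIMIT)
    ratio = short / len(class_entries) if class_entries else 0.0
    return {
        "class_count": len(class_entries),
        "capabilities": capabilities,          # only the categories that matched
        "short_name_ratio": round(ratio, 3),
        "likely_obfuscated": ratio >= OBFUSCATION_RATIO,
        "score": len(capabilities),            # number of capability categories hit
    }


if __name__ == "__main__":
    report = triage_jar(build_sample_jar())
    print("classes:", report["class_count"], "obfuscated:", report["likely_obfuscated"])
    for cap, where in sorted(report["capabilities"].items()):
        print(f"  {cap}: {', '.join(where)}")
```

To use it on a real file, pass `open(path, "rb").read()` to `triage_jar`. A single hit (Robot in a screen-sharing tool, ProcessBuilder in a build plugin) is normal; it is the combination of keylogging, clipboard, dynamic class loading and remote-control indicators inside a JAR of renamed classes that matches the profile described above and justifies sandbox detonation.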

Figure: Stealing browser credentials

The threat actor behind the campaign is currently unidentified. However, based on the language used in the malicious artifacts and websites, it is believed to be a Brazilian Portuguese speaker. 

While initially targeting Italy, the actor has expanded their activities to Spain and Brazil. The attacker’s interest in Italian targets is evident in the language checks implemented in the infection chain. 

According to Securelist, the use of multiple domains for managing and distributing different variants of the downloader suggests a well-organized and persistent threat actor.

The attackers launched a targeted campaign against Italian users, leveraging a legitimate document to distribute malware using obfuscation techniques and reused infrastructure domains to evade detection. 


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
