September 19, 2024 at 10:30AM
A new malware called SambaSpy targets Italian users through phishing. It uses HTML attachments or links to deploy a multi-functional RAT payload. The attack chains redirect either to a legitimate invoice or to a malicious web server. SambaSpy can perform various functions, such as managing files, remote desktop, keylogging, and stealing browser credentials. The threat actor is also targeting Brazil and Spain. Additionally, there is a surge in banking trojan campaigns targeting Latin America using phishing scams that use business- and judicial-related transactions as lures. These trojans have grown adept at evading detection and stealing sensitive information.
The key takeaways are:
1. A new malware named SambaSpy is targeting Italian users through a phishing campaign by a suspected Brazilian Portuguese-speaking threat actor. The attackers are currently focusing on Italy but may expand to other countries in the future.
2. The attack begins with a phishing email containing either an HTML attachment or an embedded link, leading to the installation of the malware.
3. SambaSpy, a Java-based remote access trojan, can execute various functions including file system management, process management, remote desktop management, file upload/download, webcam control, keylogging, and clipboard tracking. It is also designed to steal credentials from web browsers.
4. The threat actor behind the campaign is showing signs of targeting Brazil and Spain in addition to Italy, indicating an operational expansion.
5. Separate from SambaSpy, there are recent warnings about banking trojans such as BBTok and Mekotio targeting the Latin American region through phishing scams using business and judicial transactions as lures. These trojans have grown increasingly adept at evading detection and stealing sensitive information.
6. Both malware campaigns highlight the need for enhanced cybersecurity measures against advanced phishing scams and malware targeting specific regions.