- SambaSpy is a new malware targeting only Italian users through phishing emails.
- Attackers used real estate company brands to disguise their phishing schemes.
- SambaSpy includes advanced spying features like keystroke logging and remote desktop control.
In May 2024, Kaspersky researchers discovered a cybercrime campaign solely targeting Italy.
While most cybercriminals cast their nets far and wide in search of as many unsuspecting victims as possible, the masterminds behind this campaign, known as SambaSpy, decided to go all in on their Italian fixation.
Why the Italian-only approach? A good question.
It has a two-step infection process that is as Italian as pasta. In the more complex of the two schemes, the victim receives an email from a German address.
Apparently, nothing says “trustworthy” like a German email written in Italian.
Despite the email’s origin, the threat actors made it look legitimate by styling it after a well-known Italian real estate company.
The email lured the victim into clicking an embedded link to view an invoice. Targets outside Italy are sent to FattureInCloud, a legitimate Italian cloud service, while Italian targets are redirected to a malicious web server hosted on ngrok.
SambaSpy’s infection chain includes checks to ensure the target is using the Italian language in their browser—whether Edge, Firefox, or Chrome.
If they pass, they’re taken to a malicious OneDrive URL and invited to view a supposed “document”.
Clicking on this link installs a malicious JAR file on their system, either a downloader or a dropper, both laced with the SambaSpy payload.
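The language-gated redirect chain described above (ngrok-hosted server, then a JAR served from a OneDrive link, only for Italian-language browsers) leaves a recognisable trail in web-proxy logs. The following triage script is an added example written for this article; it is not code from Kaspersky or from the campaign. The log format, the sample lines and the client addresses are constructed, and the ngrok and OneDrive host lists are assumptions to be adjusted to your own telemetry.

```python
"""
Added example (not from the original article): flag the SambaSpy-style
redirect chain in web-proxy logs. A client is reported when it contacts an
ngrok-hosted server, and reported as a full chain when the same client later
fetches a JAR file from a OneDrive URL. Log format and sample data below are
constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumption: common ngrok tunnel domains; extend from your own telemetry.
NGROK_SUFFIXES = (".ngrok.io", ".ngrok-free.app", ".ngrok.app")
# Assumption: OneDrive download hosts worth watching for JAR delivery.
ONEDRIVE_HOSTS = ("1drv.ms", "onedrive.live.com")
# The article names Edge, Firefox and Chrome as the browsers the chain checks.
BROWSER_MARKERS = ("Edg/", "Firefox/", "Chrome/")

# Constructed log format: <timestamp> <client> "<url>" "<accept-language>" "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<url>[^"]+)" "(?P<lang>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Event:
    ts: str
    client: str
    url: str
    accept_language: str
    user_agent: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one constructed-format log line; return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["client"], m["url"], m["lang"], m["ua"])


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_ngrok(url: str) -> bool:
    """True when the request host sits under one of the assumed ngrok domains."""
    return host_of(url).endswith(NGROK_SUFFIXES)


def is_onedrive_jar(url: str) -> bool:
    """True for a OneDrive URL that references a .jar (in path or query)."""
    h = host_of(url)
    on_onedrive = any(h == d or h.endswith("." + d) for d in ONEDRIVE_HOSTS)
    return on_onedrive and ".jar" in url.lower()


def italian_browser(ev: Event) -> bool:
    """Italian Accept-Language from one of the three browsers the chain targets."""
    return ev.accept_language.lower().startswith("it") and any(
        marker in ev.user_agent for marker in BROWSER_MARKERS
    )


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return, per client, the ordered list of indicators seen in the log."""
    findings: Dict[str, List[str]] = defaultdict(list)
    seen_ngrok = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than abort the run
        if is_ngrok(ev.url):
            findings[ev.client].append("ngrok-host")
            seen_ngrok.add(ev.client)
            if italian_browser(ev):
                findings[ev.client].append("italian-browser-to-ngrok")
        if is_onedrive_jar(ev.url):
            findings[ev.client].append("onedrive-jar")
            if ev.client in seen_ngrok:
                findings[ev.client].append("full-chain")
    return dict(findings)


# Constructed sample log: one full chain, one legitimate invoice visit,
# one non-Italian client that only touched ngrok, and one malformed line.
SAMPLE_LOG = """\
2024-05-14T09:01:02Z 10.0.0.5 "https://abcd-1234.ngrok-free.app/fattura" "it-IT,it;q=0.9" "Mozilla/5.0 Chrome/124.0 Safari/537.36"
2024-05-14T09:01:09Z 10.0.0.5 "https://onedrive.live.com/download?resid=ABC123&file=Documento.jar" "it-IT,it;q=0.9" "Mozilla/5.0 Chrome/124.0 Safari/537.36"
2024-05-14T09:02:15Z 10.0.0.7 "https://fattureincloud.example/invoice/42" "en-US,en;q=0.8" "Mozilla/5.0 Chrome/124.0 Safari/537.36"
2024-05-14T09:03:40Z 10.0.0.9 "https://efgh-5678.ngrok-free.app/" "de-DE,de;q=0.9" "Mozilla/5.0 Firefox/126.0"
malformed line that the parser should skip
"""

if __name__ == "__main__":
    for client, reasons in triage(SAMPLE_LOG).items():
        print(client, "->", ", ".join(reasons))
```

The ordering matters: "full-chain" is only raised when the JAR download follows an ngrok contact from the same client, which is the sequence the article describes, while a lone ngrok hit (as from 10.0.0.9) is reported at lower confidence for analyst review.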
Now, SambaSpy isn’t your average malware. This Remote Access Trojan (RAT) is Java-based and highly obfuscated, making it difficult for antivirus software to detect.
It includes file management, webcam control, keystroke logging, and remote desktop management.
If you’re Italian and become infected, this RAT can steal your passwords, control your mouse, and view your screen. SambaSpy does it all and isn’t shy about it.
The attackers remain anonymous, but Brazilian Portuguese strings in the code suggest a South American connection.
They’ve also been seen targeting Spain and Brazil, albeit without the same Italian obsession.
The campaign cleverly uses the brand of an Italian real estate company to make itself appear legitimate, despite the fact that the company is completely uninvolved.
Threat actors also constantly change their obfuscation and phishing tactics, making it difficult to track them down.