Exotic SambaSpy is now dancing with Italian users

Introduction


In May 2024, we detected a campaign exclusively targeting victims in Italy. We were rather surprised by this, as cybercriminals typically select a broader target to maximize their profits. For example, a certain type of malware might target users in France and Spain, with the phishing emails written in both of the respective languages. However, for such a campaign, the malware’s code includes no particular checks to ensure it only runs in France and Spain. What sets this campaign apart is that, at various stages of the infection chain, checks are made to ensure that only Italian users are infected. This prompted us to investigate further and discover that the attackers were delivering a new RAT as the final payload that we dubbed SambaSpy.


Infection chain


When we started our investigation, we discovered two (slightly) different infection chains, as can be seen in the two figures below.


SambaSpy infection chain 1


SambaSpy infection chain 2


Let’s discuss the second case in more detail as that infection chain is more elaborate. First, the victim receives an email from a German email address. The email was, however, written in Italian and looked like it came from a legitimate Italian real estate company.



The email urges the receiver to view an invoice by clicking on an embedded link. Then the user is redirected to a malicious websi ..