{"id":23276,"date":"2024-09-18T14:17:09","date_gmt":"2024-09-18T10:17:09","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=23276"},"modified":"2024-09-18T14:17:09","modified_gmt":"2024-09-18T10:17:09","slug":"new-exotic-rat-sambaspy","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/new-exotic-rat-sambaspy\/23276\/","title":{"rendered":"SambaSpy: a new remote access Trojan"},"content":{"rendered":"<p>Today, let\u2019s talk about rats. Not the long-tailed rodents, but the digital kind \u2013 Remote Access Trojans, or <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/remote-access-trojan-rat\/\" target=\"_blank\" rel=\"noopener\">RATs<\/a>. These are Trojans that attackers use to gain remote access to a device. Typically, these RATs can install and uninstall programs, control the clipboard and log keystrokes.<\/p>\n<p>In May 2024, a new breed of RAT, SambaSpy, wandered into our rat trap. To learn how this malware infects its victims\u2019 devices and what it does once it\u2019s inside, read on.<\/p>\n<h2>What SambaSpy is<\/h2>\n<p>SambaSpy is a feature-rich RAT Trojan <a href=\"https:\/\/en.wikipedia.org\/wiki\/Obfuscation_(software)\" target=\"_blank\" rel=\"nofollow noopener\">obfuscated<\/a> using <a href=\"https:\/\/www.zelix.com\/\" target=\"_blank\" rel=\"nofollow noopener\">Zelix KlassMaster<\/a>, making it much more difficult to detect and analyze. However, our team was up to the challenge and discovered that this new RAT is capable of:<\/p>\n<ul>\n<li>Managing the file system and processes<\/li>\n<li>Downloading and uploading files<\/li>\n<li>Controlling the webcam<\/li>\n<li>Taking screenshots<\/li>\n<li>Stealing passwords<\/li>\n<li>Loading additional plug-ins<\/li>\n<li>Remotely controlling the desktop<\/li>\n<li>Logging keystrokes<\/li>\n<li>Managing the clipboard<\/li>\n<\/ul>\n<p>Impressed? It seems SambaSpy can do it all \u2013 the perfect tool for a 21st century James Bond villain. 
But even this extensive list isn\u2019t exhaustive: read more about this RAT\u2019s capabilities in the full version of our study.<\/p>\n<p>The malicious campaign we uncovered was exclusively targeting victims in Italy. You may be surprised, but this is actually good news (for everyone except Italians). Threat actors usually try to cast a wide net to maximize their profits, but these attackers are focused on just one country. So why is that a good thing? It\u2019s likely that the attackers are testing the waters with Italian users before expanding their operation to other countries \u2013 and we\u2019re already one step ahead, since we\u2019re familiar with SambaSpy and how to counter it. All that our users worldwide need to do is make sure they have a <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">reliable security solution<\/a>, and read on knowing that we\u2019ve got this.<\/p>\n<h2>How attackers spread SambaSpy<\/h2>\n<p>In short, just like many other RATs, via email. The attackers used two primary infection chains, both involving phishing emails disguised as communications from a real estate agency. 
The key element in the email is a CTA to check an invoice by clicking a <a href=\"https:\/\/securelist.com\/sambaspy-rat-targets-italian-users\/113851\/\" target=\"_blank\" rel=\"noopener\">hyperlink<\/a>.<\/p>\n<div id=\"attachment_52184\" style=\"width: 854px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/09\/18141035\/new-exotic-rat-sambaspy-01.png\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-52184\" class=\"size-full wp-image-52184\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2024\/09\/18141035\/new-exotic-rat-sambaspy-01.png\" alt=\"At first glance, the email appears legitimate \u2013 except that it's sent from a German email address, but written in Italian\" width=\"844\" height=\"440\"><\/a><p id=\"caption-attachment-52184\" class=\"wp-caption-text\">At first glance, the email appears legitimate \u2013 except that it\u2019s sent from a German email address, but written in Italian<\/p><\/div>\n<p>Clicking the link redirects users to a malicious website that checks the system language and the browser used. If the potential victim\u2019s OS is set to Italian and they open the link in Edge, Firefox or Chrome, they receive a malicious PDF file that infects their device with either a dropper or a downloader. The difference between the two is minimal: the dropper installs the Trojan immediately, while the downloader first downloads the necessary components from the attackers\u2019 servers.<\/p>\n<p>Before starting, both the loader and the dropper check that the system isn\u2019t running in a virtual machine and, most importantly, that the OS language is set to Italian. 
If both conditions are met, the device is infected.<\/p>\n<p>Users who don\u2019t meet these criteria are redirected to the website of <a href=\"https:\/\/www.fattureincloud.it\/\" target=\"_blank\" rel=\"nofollow noopener\">FattureInCloud<\/a>, an Italian cloud-based solution for storing and managing digital invoices. This clever disguise allows the attackers to target only a specific audience \u2013 everyone else is redirected to a legitimate website.<\/p>\n<h2>Who\u2019s behind SambaSpy?<\/h2>\n<p>We\u2019ve yet to determine which group is behind this sophisticated distribution of SambaSpy. However, circumstantial evidence has shown us that the attackers speak Brazilian Portuguese. We also know that they\u2019re already expanding their operations to Spain and Brazil \u2013 as evidenced by malicious domains used by the same group in other detected campaigns. By the way, these campaigns no longer include the language check.<\/p>\n<h2>How to protect yourself from SambaSpy<\/h2>\n<p>The key takeaway from this story is the method of infection, which suggests that anyone, anywhere, speaking any language could be the target of the next campaign. For the attackers, it doesn\u2019t really matter who they hit, nor are the particulars of the phishing bait important. Today, it might be an invoice from a real estate agency; tomorrow, a tax notification; and the day after that, airline tickets or travel vouchers.<\/p>\n<p>Here are a few tips and recommendations to help you stay safe from SambaSpy:<\/p>\n<ul>\n<li>Install <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">Kaspersky Premium<\/a>\u00a0before your device shows any <a href=\"https:\/\/www.kaspersky.com\/blog\/symptoms-of-infection\/45966\/\" target=\"_blank\" rel=\"noopener nofollow\">signs of infection<\/a>. 
Our solution reliably detects and neutralizes both SambaSpy and other malware.<\/li>\n<li>Always be wary of phishing emails. Before you click on a link in your inbox, take a moment to ask yourself: \u201cCould this be a scam?\u201d<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>We\u2019ve discovered a new Trojan that\u2019s very selective about its victims.<\/p>\n","protected":false},"author":2706,"featured_media":23278,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1225,1226],"tags":[19,2785,76,714,682],"class_list":{"0":"post-23276","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-privacy","8":"category-technology","9":"tag-email","10":"tag-newsletters","11":"tag-phishing","12":"tag-rat","13":"tag-spyware"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/new-exotic-rat-sambaspy\/23276\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/new-exotic-rat-sambaspy\/28007\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/new-exotic-rat-sambaspy\/12065\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/new-exotic-rat-sambaspy\/28164\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/new-exotic-rat-sambaspy\/27716\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/new-exotic-rat-sambaspy\/30440\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/new-exotic-rat-sambaspy\/29201\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/new-exotic-rat-sambaspy\/38246\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/new-exotic-rat-sambaspy\/12828\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/new-exotic-rat-sambaspy\/52179\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/new-exotic-rat-sambaspy\/22235\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/new-exotic-rat-sambaspy\/23002\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/new-exotic-rat-sambaspy\/31640\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/new-exotic-rat-sambaspy\/28285\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/new-exotic-rat-sambaspy\/34095\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/new-exotic-rat-sambaspy\/33751\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/rat\/","name":"RAT"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23276","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=23276"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23276\/revisions"}],"predecessor-version":[{"id":23279,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23276\/revisions\/23279"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/23278"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=23276"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=23276"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=23276"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}