SambaSpy RAT Targets Italian Users in a Highly Tailored Malware Campaign

In May 2024, Kaspersky Labs uncovered a sophisticated malware campaign that uniquely targeted users in Italy, deploying a new Remote Access Trojan (RAT) called SambaSpy. What makes this campaign stand out is the meticulous focus on Italian-speaking users, as outlined in Kaspersky's latest report. In an unusual move for cybercriminals, the attackers ensured that their malware infected only Italian users by incorporating multiple checks throughout the infection chain to verify that the system language was set to Italian.

Targeted Attack: Precision Focus on Italian Users

While most malware campaigns cast a wide geographic net, this operation was highly localized, aiming exclusively at Italian-speaking victims. At each stage of the infection chain, the malware checked whether the target system met specific criteria, such as having its language set to Italian. If the system did not meet these criteria, the malware halted immediately, so that only Italian-speaking users were affected. Such customization shows a precision not typically seen in widespread cyberattacks.

Delivery of SambaSpy: Email Phishing with an Italian Real Estate Disguise

The SambaSpy RAT was delivered via phishing emails, masquerading as communications from a legitimate Italian real estate company. Written in perfect Italian, these emails contained links to what appeared to be invoices hosted on a genuine document-sharing platform widely used by Italian businesses. However, the attackers embedded a malicious link in these emails, which led to a JAR file that initiated the SambaSpy infection.

SambaSpy's Capabilities: Full Control Over Infected Devices

Once installed, SambaSpy gives attackers nearly complete control over the infected device. Written in Java and obfuscated using the Zelix KlassMaster protector, SambaSpy is equipped with a vast array of capabilities, allowing attackers to:

  • Manage files and processes
  • Upload and download files
  • Control the webcam
  • Log keystrokes and clipboard activity
  • Take screenshots
  • Steal credentials from popular browsers such as Chrome, Edge, and Brave
  • Execute remote desktop operations
  • Initiate a remote shell

Additionally, SambaSpy has the capability to load plugins at runtime, allowing attackers to expand its functionality depending on the victim's environment. This modular nature makes it a versatile tool that can be customized for different targets.
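The capabilities listed above give a defender two concrete things to look for on an endpoint: a Java runtime being started with a JAR that lives in a user-writable directory (the delivery mechanism described on this page), and a command shell whose parent is the Java runtime (the "remote shell" capability). The following is an added example, not code from the Kaspersky report or from CommandLink; the event format, the `ProcessEvent` structure and every sample event are constructed for illustration, and the path markers and process names are assumptions you would tune to your own environment.

```python
"""Endpoint heuristics for a Java-based RAT (added example, constructed data).

Two rules, both derived from the capability list above:
  1. java/javaw launched with a .jar located under a user-writable path
  2. a command shell spawned with java/javaw as its parent
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

JAVA_BINARIES = {"java.exe", "javaw.exe"}
SHELL_BINARIES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption: locations a phishing-delivered JAR typically lands in.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon-style fields, constructed)."""
    pid: int
    image: str          # full path of the started executable
    command_line: str   # full command line
    parent_image: str   # full path of the parent executable


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def is_java(image: str) -> bool:
    return basename(image) in JAVA_BINARIES


def jar_from_user_dir(command_line: str) -> bool:
    """True when the command line references a .jar under a user-writable path."""
    lower = command_line.lower()
    return ".jar" in lower and any(m in lower for m in USER_WRITABLE_MARKERS)


def evaluate(events):
    """Return (pid, rule_name) pairs for every event matching a rule."""
    findings = []
    for ev in events:
        if is_java(ev.image) and jar_from_user_dir(ev.command_line):
            findings.append((ev.pid, "java_jar_from_user_dir"))
        if is_java(ev.parent_image) and basename(ev.image) in SHELL_BINARIES:
            findings.append((ev.pid, "shell_spawned_by_java"))
    return findings


# Constructed sample events; file names and pids are placeholders, not IoCs.
SAMPLE_EVENTS = [
    # Benign: a packaged Java application started from Program Files.
    ProcessEvent(3990, r"C:\Program Files\Java\bin\javaw.exe",
                 r'"C:\Program Files\Java\bin\javaw.exe" -jar "C:\Program Files\Acme\app.jar"',
                 r"C:\Windows\explorer.exe"),
    # Suspicious: JAR executed straight from the Downloads folder.
    ProcessEvent(4102, r"C:\Program Files\Java\bin\javaw.exe",
                 r'"C:\Program Files\Java\bin\javaw.exe" -jar "C:\Users\mario\Downloads\Invoice.jar"',
                 r"C:\Windows\explorer.exe"),
    # Suspicious: command shell whose parent is the Java runtime.
    ProcessEvent(4177, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami",
                 r"C:\Program Files\Java\bin\javaw.exe"),
    # Benign: an interactive PowerShell started by the user.
    ProcessEvent(4200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Both rules are heuristics: developer workstations legitimately run JARs from user directories, so in practice you would scope the first rule to non-developer hosts or pair it with the second, which is rarely benign outside build tooling.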

Advanced Targeting Techniques: Infection Chain with Language Checks

Kaspersky identified two distinct infection chains in this campaign, both of which began with a phishing email. In the more complex chain, the attackers used a German email address but crafted the message in Italian, urging the victim to view an invoice. Clicking the link redirected the user to FattureInCloud, a legitimate Italian cloud invoicing platform. Behind the scenes, however, the victim was also redirected to a malicious OneDrive link leading to the SambaSpy dropper, but only if the user's system language was set to Italian.

If the target system did not meet specific criteria, such as running Edge, Chrome, or Firefox with Italian as the language setting, the victim simply remained on the legitimate site and was never infected. This precision targeting, based on language and browser settings, reflects a highly sophisticated approach by the attackers.

Expert Opinions: Targeted Campaigns Reflect Increasing Sophistication

Cybersecurity experts are noting the increased sophistication in geotargeted malware campaigns like SambaSpy. According to Martin Zugec, Senior Director of Security Strategy at Bitdefender, “The precision with which this campaign was executed highlights a growing trend among cybercriminals to focus on specific, localized targets. By narrowing their scope, attackers can evade detection by security systems that typically look for broader threats.”

Additionally, FireEye’s research indicates that geographically targeted attacks often bypass traditional security solutions, as they tailor their infection methods to specific regions, languages, and even industries. These types of attacks pose an increasing threat to national and regional infrastructures.

Traces to Brazil: Broader Ambitions?

Although the campaign exclusively targeted Italian users, Kaspersky found traces that suggest the attackers may have broader ambitions. Brazilian Portuguese language artifacts, including code comments and error messages, were discovered within the malware, hinting at potential Brazilian origins. Additionally, the infrastructure used in the campaign included links to other regions, such as Spain and Brazil. This cross-regional activity raises questions about whether the attackers plan to expand beyond Italy in future campaigns.

Recommendations for Defense

Given the specificity of this campaign and its advanced techniques, cybersecurity experts recommend the following defenses:

  1. Phishing Awareness Training: Train users, particularly those in high-risk regions, to recognize sophisticated phishing tactics, especially emails appearing to come from legitimate local businesses.
  2. Language-Based Security Checks: Organizations should monitor for suspicious activity that involves language-specific checks or criteria to catch more targeted threats.
  3. Endpoint Protection: Implement strong endpoint protection solutions that can detect Java-based malware and prevent unauthorized remote access.
  4. Network Monitoring: Keep an eye on unusual traffic, particularly to cloud services like OneDrive, which may be used as part of the malware delivery process.
  5. Regular Software Patching: Ensure that systems are kept up-to-date to minimize vulnerabilities that SambaSpy or similar malware can exploit.
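The infection chain described above (a visit to a legitimate invoicing platform immediately followed by a JAR download from a OneDrive link) and recommendation 4 (watching traffic to cloud services used for delivery) can both be turned into one proxy-log check. The following is an added example, not code from Kaspersky or CommandLink: the log line format, the sample lines, the `invoicing-platform.example` placeholder host and the ten-minute correlation window are all constructed assumptions; the OneDrive host names are real Microsoft domains, listed here only because the page names OneDrive as the delivery channel.

```python
"""Proxy-log correlation for the delivery chain on this page (added example).

Rule: a JAR served from a file-sharing host is 'medium' on its own and
'high' when the same client visited an invoicing platform within WINDOW
beforehand. Log format (constructed): "<iso-ts> <client> <method> <url> <status> <content-type>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$"
)
FILE_SHARE_HOSTS = {"onedrive.live.com", "1drv.ms"}
# Placeholder: populate with the invoicing platforms your users legitimately use.
INVOICING_HOSTS = {"invoicing-platform.example"}
JAR_CONTENT_TYPES = {"application/java-archive", "application/x-java-archive"}
WINDOW = timedelta(minutes=10)  # assumption: how close the two requests must be


def parse_line(line: str):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    parsed = urlparse(rec["url"])
    rec["host"] = (parsed.hostname or "").lower()
    rec["is_jar"] = parsed.path.lower().endswith(".jar") or rec["ctype"].lower() in JAR_CONTENT_TYPES
    return rec


def detect(lines):
    """Return (client, severity, timestamp) alerts for JARs fetched from file-sharing hosts."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"].startswith("2"):   # only completed responses
            by_client[rec["client"]].append(rec)

    alerts = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, rec in enumerate(recs):
            if not (rec["is_jar"] and rec["host"] in FILE_SHARE_HOSTS):
                continue
            # Look back over this client's earlier requests for an invoicing-platform visit.
            preceded = any(
                prev["host"] in INVOICING_HOSTS and rec["ts"] - prev["ts"] <= WINDOW
                for prev in recs[:i]
            )
            alerts.append((client, "high" if preceded else "medium", rec["ts"].isoformat()))
    return alerts


# Constructed sample log lines; resource ids and paths are placeholders, not IoCs.
SAMPLE_LOG = """
2024-05-14T09:02:11 10.0.0.25 GET https://invoicing-platform.example/doc/INV-PLACEHOLDER 200 text/html
2024-05-14T09:02:14 10.0.0.25 GET https://onedrive.live.com/download?resid=PLACEHOLDER1 200 application/java-archive
2024-05-14T09:05:30 10.0.0.40 GET https://onedrive.live.com/download?resid=PLACEHOLDER2 200 application/java-archive
2024-05-14T09:06:00 10.0.0.40 GET https://onedrive.live.com/?id=docs 200 text/html
2024-05-14T09:10:00 10.0.0.51 GET https://invoicing-platform.example/doc/INV-2 200 text/html
2024-05-14T09:10:05 10.0.0.51 GET https://onedrive.live.com/download?resid=PLACEHOLDER3 200 application/pdf
this line is malformed and must be skipped
""".strip().splitlines()

if __name__ == "__main__":
    for client, severity, ts in detect(SAMPLE_LOG):
        print(f"{ts} {client} {severity}: JAR fetched from file-sharing host")
```

The rule deliberately keys on content type as well as the URL path, because a sharing-service download URL rarely ends in `.jar`; the invoicing-platform visit raises severity rather than gating the alert, since the page also describes a simpler chain without that step.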

The SambaSpy malware campaign is an exceptional example of how cybercriminals are tailoring their attacks to specific regions and user bases. By focusing exclusively on Italian-speaking users and utilizing sophisticated language and browser checks, the attackers behind SambaSpy have demonstrated a high level of skill and customization. While the campaign currently targets Italy, traces of Brazilian Portuguese artifacts suggest the attackers could have broader plans in the future. Organizations, particularly those in targeted regions, must remain vigilant and deploy robust defenses to protect against this growing threat.
