SambaSpy Targeting Windows Users with Malicious PDF Files

Threat actors commonly use weaponized PDF files because they allow malware delivery and phishing attacks. These files can contain embedded malicious code, links, and scripts that exploit vulnerabilities in PDF readers, making them a preferred method for evading traditional security controls. Kaspersky Lab researchers recently found that SambaSpy has been actively targeting Windows users with weaponized PDF files.

SambaSpy Targeting Windows Users

In May 2024, cybersecurity researchers discovered a highly targeted malware campaign focused mainly on Italian users. The campaign used a sophisticated infection chain that begins with phishing emails purportedly from a legitimate Italian real estate business.

These emails contained links that redirected targets through several locations, including legitimate sites (FattureInCloud) and malicious servers exposed via ngrok. The threat actors performed strict checks at various stages to ensure that only Italian-language users on specific browsers (Edge, Firefox, and Chrome) were infected.

The final payload is a Java-based RAT named SambaSpy, delivered as a JAR file hosted on MediaFire.

SambaSpy is obfuscated with Zelix KlassMaster, and it provides a wide range of malicious capabilities, listed below:
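The redirect chain described above (legitimate site, then an ngrok-exposed server, then a JAR fetched from MediaFire) leaves a recognisable trace in web proxy logs. The following Python script is an added example written for this article, not code from Kaspersky or from the campaign itself. It runs a small detection over constructed sample log lines: it flags requests to ngrok tunnel hosts, JAR downloads from file-sharing hosts, and, with higher confidence, a client that fetches a JAR shortly after visiting a tunnel host. The ngrok domain suffix list and the log line format are assumptions for the example.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Host suffixes treated as reverse-tunnel endpoints (assumed list; the
# article only says the malicious servers were exposed via "ngrok").
TUNNEL_SUFFIXES = (".ngrok.io", ".ngrok.app", ".ngrok-free.app", ".ngrok.dev")
# File-sharing hosts from which a JAR download is suspicious (article names MediaFire).
FILE_SHARING_HOSTS = ("mediafire.com", "www.mediafire.com")

# Constructed sample proxy log: timestamp client method url status content-type
SAMPLE_LOG = """\
2024-05-06T09:12:01Z 10.0.0.21 GET https://www.fattureincloud.it/invoice/view?id=123 302 text/html
2024-05-06T09:12:02Z 10.0.0.21 GET https://abc123.ngrok-free.app/landing 200 text/html
2024-05-06T09:12:05Z 10.0.0.21 GET https://www.mediafire.com/file/xyz/invoice.jar 200 application/java-archive
2024-05-06T09:15:44Z 10.0.0.33 GET https://example.org/docs/report.pdf 200 application/pdf
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ctype = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "ctype": ctype,
    }


def classify_url(url, ctype=""):
    """Return the set of indicator tags that apply to a single request."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    tags = set()
    if host.endswith(TUNNEL_SUFFIXES):
        tags.add("tunnel_host")
    is_jar = path.endswith(".jar") or ctype == "application/java-archive"
    if is_jar and host in FILE_SHARING_HOSTS:
        tags.add("jar_from_file_share")
    return tags


def analyze(log_text, window=timedelta(minutes=5)):
    """Scan log text in order and correlate per client: a JAR download from a
    file-sharing host within `window` of a tunnel-host visit is escalated."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    last_tunnel_hit = {}  # client -> timestamp of most recent tunnel-host request
    findings = []
    for e in events:
        tags = classify_url(e["url"], e["ctype"])
        if "tunnel_host" in tags:
            last_tunnel_hit[e["client"]] = e["ts"]
        if "jar_from_file_share" in tags:
            prior = last_tunnel_hit.get(e["client"])
            if prior is not None and e["ts"] - prior <= window:
                tags.add("tunnel_then_jar_chain")
        if tags:
            findings.append({"client": e["client"], "url": e["url"], "tags": sorted(tags)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["client"], f["url"], ",".join(f["tags"]))
```

The correlation step matters more than either indicator alone: ngrok and MediaFire both have plenty of legitimate traffic, but the same client hitting a tunnel host and then pulling a JAR from a file-sharing site within minutes matches the chain the article describes closely enough to warrant an alert.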

  • File system manipulation
  • Process management
  • Keylogging (using JNativeHook)
  • Clipboard control
  • Webcam access
  • Screen capture
  • Remote desktop functionality
  • Browser credential stealing (targeting Chrome, Edge, Opera, Brave, Iridium, and Vivaldi)
  • Ability to load additional plugins at runtime

In addition, the RAT implements anti-VM techniques to evade detection and uses Java's URLClassLoader to load plugins dynamically at runtime. The campaign's narrow focus and specialized tooling point to an evolving trend in targeted cyberattacks. The threat actor took a multi-stage approach to infection, including language checks to restrict the scope to Italian targets. They also used a legitimate invoice as the lure that delivered the malware.

The campaign used a custom downloader with code comments and error messages written in Brazilian Portuguese. The threat actors frequently changed their techniques, including obfuscation methods, phishing email content, and command-and-control (C2) endpoints.

The attackers also consistently reused second-level domains, which provides insight into their infrastructure. This infrastructure reuse, combined with language artifacts and targeting methods, offers valuable indicators for attribution and improves malware detection capabilities, Kaspersky stated.

The campaign reflects a trend of Latin American attackers targeting European countries with linguistically similar backgrounds. Multiple language verification steps were performed throughout the infection chain, which shows a careful approach to victim selection. The rapidly evolving nature of these attackers and their tactics makes it challenging for security researchers to track and mitigate such emerging threats.