2024-09-19 Kaspersky: Exotic SambaSpy is now dancing with Italian users
SambaSpy is a highly obfuscated Java-based RAT, protected by the Zelix KlassMaster protector. It supports a range of malicious activities, including the use of addURL() to invoke downloaded plugins. SambaSpy exhibits heavy obfuscation to evade detection, with encrypted strings and obfuscated class names and methods. The malware performs detailed environment checks to avoid execution in virtualized or sandbox environments, and it exits immediately if the language is not set to Italian. It also encrypts its communications with the C2, complicating analysis.
Some malicious websites contain comments in Brazilian Portuguese, hinting at a possible connection to Brazil. The attackers repeatedly reuse the same second-level domains while rotating new subdomains under them, which lets them keep control of their infrastructure while shifting operations to evade detection.
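The subdomain-rotation pattern described above leaves a signal in DNS logs: one registered domain keeps sprouting never-before-seen hostnames on successive days. The following detector is an added example (not from the Kaspersky report and not SambaSpy's code) that runs over constructed log lines; it assumes a simplified "last two labels" definition of the registered domain and a threshold of three distinct days, both of which a real deployment would tune (and would replace with Public Suffix List handling).

```python
"""Flag registered domains whose set of subdomains keeps growing day after day."""
from collections import defaultdict
from datetime import datetime

# Constructed sample DNS query log: "<timestamp> <client> <queried name>".
# Domains and hosts are placeholders, not real indicators.
SAMPLE_LOG = """\
2024-09-10T08:01:00 10.0.0.5 a1.example-c2.test
2024-09-10T09:12:00 10.0.0.5 www.legit-cdn.test
2024-09-11T08:03:00 10.0.0.5 b7.example-c2.test
2024-09-12T08:05:00 10.0.0.5 www.legit-cdn.test
2024-09-12T10:00:00 10.0.0.5 k9.example-c2.test
2024-09-13T08:00:00 10.0.0.5 q2.example-c2.test
2024-09-13T11:30:00 10.0.0.5 static.legit-cdn.test
"""


def registered_domain(fqdn: str) -> str:
    # Assumption: the registered (second-level) domain is the last two labels.
    # Real tooling should consult the Public Suffix List (e.g. co.uk cases).
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse(log: str):
    """Yield (date, client, queried name) for each non-empty log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, name = line.split()
        yield datetime.fromisoformat(ts).date(), client, name


def subdomain_churn(log: str, min_new_days: int = 3):
    """Return {registered_domain: [(day, hostname), ...]} for domains that
    introduce a never-seen hostname on at least `min_new_days` distinct days."""
    seen = defaultdict(set)         # registered domain -> hostnames already observed
    first_seen = defaultdict(list)  # registered domain -> (day, newly seen hostname)
    for day, _client, name in parse(log):
        sld = registered_domain(name)
        if name not in seen[sld]:
            seen[sld].add(name)
            first_seen[sld].append((day, name))
    flagged = {}
    for sld, events in first_seen.items():
        if len({day for day, _ in events}) >= min_new_days:
            flagged[sld] = events
    return flagged


if __name__ == "__main__":
    for sld, events in subdomain_churn(SAMPLE_LOG).items():
        print(sld, "->", ", ".join(f"{d}:{h}" for d, h in events))
```

With the sample data only example-c2.test is flagged (four new hostnames on four days); legit-cdn.test adds one new hostname on two days and stays under the threshold.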