2024-09-18 SAMBASPY Java RAT Samples
2024-09-19 Kaspersky: Exotic SambaSpy is now dancing with Italian users
SambaSpy is a highly obfuscated Java-based RAT, protected by the Zelix KlassMaster protector. It supports a range of malicious activities, including:
- File system and process management
- Keystroke logging using the JNativeHook library, sending keystrokes to the C2 upon key release
- Clipboard content control through Java Abstract Window Toolkit (AWT) native libraries
- Webcam access and remote desktop control using the Java Robot and GraphicsDevice classes
- Browser credential theft, targeting Chrome, Edge, Brave, Opera, and others
- Remote shell access and the ability to load additional plugins dynamically via URLClassLoader, using addURL() to invoke downloaded plugins.
SambaSpy exhibits heavy obfuscation to evade detection, with encrypted strings and obfuscated class names and methods. The malware performs detailed environment checks to avoid execution in virtualized or sandbox environments, exiting immediately if the language is not set to Italian. It also encrypts its communications with the C2, complicating analysis.
Some malicious websites contain comments in Brazilian Portuguese, hinting at a possible connection to Brazil. The attackers repeatedly use second-level domains with new subdomains, allowing them to maintain control while shifting operations to evade detection.
File Information