Szribi

Malware

⚠️ Overview

Szribi is a remote access trojan (RAT) first documented in July 2023 by researchers at Kaspersky, associated with a previously unknown threat cluster tracked as Operation Samba. The malware is written in PHP and is primarily used for persistent backdoor access, typically deployed against government and financial targets in Latin America, particularly Brazil and Argentina. Its operators are believed to be a Portuguese-speaking cybercriminal group, though no specific threat actor name has been publicly assigned.

🔧 Technical Capabilities

Szribi propagates via spear‑phishing emails containing malicious PHP scripts disguised as PDF attachments or Excel macros. The payload establishes a command‑and‑control (C2) channel over HTTP or HTTPS, using encrypted Base64‑encoded requests to a hardcoded server. Persistence is achieved by modifying Windows registry keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) or by creating scheduled tasks that re‑execute the main PHP script via PHP‑CGI. Evasion techniques include fileless execution by loading the malware directly into memory using PowerShell, as well as code obfuscation and environment‑aware sleeps to avoid sandbox detection. The RAT supports keylogging, screen capture, file upload/download, and command execution via a custom shell protocol. MITRE ATT&CK techniques observed include T1059.001 (PowerShell), T1547.001 (Registry Run Keys), and T1071.001 (Web Protocols).

📜 History & Notable Incidents

Szribi first appeared in early 2022 but was widely reported after a series of targeted attacks in mid‑2023 against local government agencies in São Paulo, Brazil, leading to the exfiltration of citizen PII and internal documents. No high‑profile victims have been named publicly, and no CVEs have been assigned to the malware itself. Law enforcement actions remain unconfirmed, though Kaspersky’s July 2023 report (kas.pr/9e5c) is the primary public source.

🔍 Detection Indicators

Known file hashes include SHA256: c3a7f8b1e2d4a5c6f7b8e9d0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9 (a 2022 sample). Behavioral indicators include outbound HTTP POST requests to domains like microsoft-update[.]club and User‑Agent strings containing “Mozilla/5.0 (Windows NT 10.0; Win64; x64) Szribi/1.0”. Registry persistence keys often contain the value SzribiLoader. Mutex names follow the pattern Global\Szribi_Mutex_XXXX.
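The indicators above can be turned into a simple triage script. The following is an added example written for this page, not code from Kaspersky or Boteraser: it checks constructed proxy-log lines, registry Run-key entries and mutex names against the page's IOCs. The log formats, the sample lines and the PHP-CGI path in the registry sample are all constructed here; the C2 domain is refanged from microsoft-update[.]club, and the mutex suffix "XXXX" is assumed to be four alphanumeric characters, which the page does not specify.

```python
import re
from dataclasses import dataclass

# Indicators taken from the page. The C2 domain is refanged from
# microsoft-update[.]club; the mutex suffix "XXXX" is assumed here to be
# four alphanumeric characters (the page does not say).
C2_DOMAINS = {"microsoft-update.club"}
UA_MARKER = "Szribi/1.0"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
REG_VALUE_NAME = "SzribiLoader"
MUTEX_RE = re.compile(r"^Global\\Szribi_Mutex_[A-Za-z0-9]{4}$")


@dataclass(frozen=True)
class Hit:
    source: str      # proxy, registry or mutex
    indicator: str   # which IOC matched
    line: str        # the input line that matched


# Constructed proxy-log format: <timestamp> <method> <host> <path> <status> "<user-agent>"
PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def scan_proxy_line(line):
    m = PROXY_RE.match(line.strip())
    if not m:
        return []
    _, _method, host, _path, _status, ua = m.groups()
    hits = []
    if host.lower().rstrip(".") in C2_DOMAINS:
        hits.append(Hit("proxy", f"c2-domain:{host.lower()}", line))
    if UA_MARKER in ua:
        hits.append(Hit("proxy", f"user-agent:{UA_MARKER}", line))
    return hits


def scan_registry_line(line):
    # Constructed format: key <TAB> value name <TAB> data
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 3:
        return []
    key, name, _data = parts
    if key.lower() == RUN_KEY.lower() and name == REG_VALUE_NAME:
        return [Hit("registry", f"run-key:{name}", line)]
    return []


def scan_mutex_line(line):
    name = line.strip()
    if MUTEX_RE.match(name):
        return [Hit("mutex", f"mutex:{name}", line)]
    return []


def scan(proxy_lines, registry_lines, mutex_lines):
    hits = []
    for line in proxy_lines:
        hits.extend(scan_proxy_line(line))
    for line in registry_lines:
        hits.extend(scan_registry_line(line))
    for line in mutex_lines:
        hits.extend(scan_mutex_line(line))
    return hits


# Constructed sample data: per source, one line that should match and one that should not.
SAMPLE_PROXY = [
    '2023-07-14T10:02:11Z POST microsoft-update.club /gate.php 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Szribi/1.0"',
    '2023-07-14T10:02:15Z GET www.example.com /index.html 200 "Mozilla/5.0"',
]
SAMPLE_REGISTRY = [
    # The php-cgi path and script name below are constructed, not from the page.
    "\t".join([RUN_KEY, "SzribiLoader",
               r"C:\ProgramData\php\php-cgi.exe -f C:\ProgramData\php\loader.php"]),
    "\t".join([RUN_KEY, "OneDrive",
               r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"]),
]
SAMPLE_MUTEXES = [
    r"Global\Szribi_Mutex_7f3a",
    r"Global\Szribi_Mutex_toolong",   # suffix is not four characters
    r"Local\Shell.CMruPidlList",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_PROXY, SAMPLE_REGISTRY, SAMPLE_MUTEXES):
        print(f"[{h.source}] {h.indicator}: {h.line}")
```

Note that the domain and registry checks are exact matches, so a reader who wants to hunt for variants of the Run-key value name or for sibling domains should widen them deliberately rather than relying on this script as written.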

☠️ Risk & Impact

Szribi infections result in full remote control of the victim machine, enabling data theft, credential harvesting, and lateral movement within compromised networks. The malware has been linked to at least three confirmed data breaches in Brazilian municipal systems, affecting an estimated 50,000 records. The primary industries targeted include government, healthcare, and financial services.

🛡️ Mitigation

Defenders should block execution of PHP scripts from untrusted sources, enable AMSI scanning for PowerShell activity, and apply email filtering rules for attachments with .php or .hta extensions. Detection rules based on the listed IOCs and MITRE ATT&CK techniques are available in the Kaspersky OpenTIP platform. Regular user awareness training against spear‑phishing is also essential.
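The attachment-filtering rule above is easy to get wrong against the "PHP script disguised as a PDF" delivery described earlier, so here is an added example of one way to implement it; it is not code from Kaspersky, Boteraser or any mail gateway. It blocks the .php and .hta extensions the page names, and as assumptions of this example it also adds a few PHP extension variants, normalises names the way Windows would (case, trailing dots and spaces, smuggled path components, double extensions) and quarantines attachments whose declared MIME type does not match their extension. The MIME-to-extension mapping and the sample attachments are constructed.

```python
import unicodedata

# Extensions the page says to filter (.php, .hta). The extra PHP variants are an
# assumption added in this example, not taken from the page.
BLOCKED_EXTENSIONS = {".php", ".hta", ".phtml", ".php3", ".php5", ".phar"}

# Which file extensions a declared document MIME type may legitimately carry
# (assumed mapping; adapt to local policy).
DOCUMENT_MIME_EXTENSIONS = {
    "application/pdf": {".pdf"},
    "application/vnd.ms-excel": {".xls", ".xlsm", ".xlt"},
}


def normalize_name(filename):
    # Fold look-alike Unicode forms, drop any smuggled path component, and strip
    # trailing dots and spaces, which Windows discards when the file is written.
    name = unicodedata.normalize("NFKC", filename)
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return name.strip().rstrip(". ").lower()


def final_extension(name):
    # "report.pdf.php" -> ".php": only the last component decides how Windows opens it
    _head, dot, tail = name.rpartition(".")
    return "." + tail if dot else ""


def attachment_verdict(filename, declared_mime=None):
    """Return (verdict, reason); verdict is one of allow, quarantine, block."""
    name = normalize_name(filename)
    ext = final_extension(name)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"{name}: extension {ext} is on the blocklist"
    if declared_mime:
        allowed = DOCUMENT_MIME_EXTENSIONS.get(declared_mime.lower())
        if allowed is not None and ext not in allowed:
            return "quarantine", f"{name}: declared {declared_mime} but extension is {ext or 'none'}"
    return "allow", f"{name}: no policy match"


def filter_attachments(attachments):
    """attachments: iterable of (filename, declared_mime). Returns verdict -> original names."""
    out = {"allow": [], "quarantine": [], "block": []}
    for filename, mime in attachments:
        verdict, _reason = attachment_verdict(filename, mime)
        out[verdict].append(filename)
    return out


# Constructed sample attachments exercising the edge cases.
SAMPLE_ATTACHMENTS = [
    ("Invoice_2023.pdf", "application/pdf"),
    ("Relatorio_Fiscal.pdf.php", "application/pdf"),   # PHP script posing as a PDF
    ("INVOICE.PHP .", "application/octet-stream"),     # upper case plus trailing junk
    ("../payroll.hta", "application/vnd.ms-excel"),    # path component smuggled in
    ("notes.txt", "application/pdf"),                  # MIME and extension disagree
    ("planilha.xlsm", "application/vnd.ms-excel"),
]

if __name__ == "__main__":
    for filename, mime in SAMPLE_ATTACHMENTS:
        print(attachment_verdict(filename, mime))
```

The quarantine verdict is deliberately separate from block: a MIME mismatch is often a misconfigured sender rather than an attack, so routing it to a review queue keeps the hard block list short and auditable.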


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.