Source: Cyware | By Ryan Stewart
• The malware is targeting around 130 banks and web services that include Netflix, Facebook, Amazon, and Gmail.
• Guildma is spread through targeted phishing and leverages compromised websites for phishing.
Attackers who are distributing Guildma malware have shifted their focus on entities outside Brazil. The banking trojan, better known as Astaroth, is reportedly targeting 130 banks along with popular web services such as Netflix, Amazon, Facebook, and Gmail. The discovery was made by security firm Avast.
Guildma is said to have originated in Brazil and is known for primarily targeting Brazilian companies.
• Guildma is spread through targeted phishing. Attackers leverage compromised websites that have malicious PHP code, for phishing.
• The spam emails delivering this trojan contain an LNK file attachment. Opening this attachment downloads an XML file, which drops all the malware modules through the BITSAdmin tool.
• After infecting the machine, it waits for the user to visit the bank’s website that is listed in its operation. Following this, it would perform actions such as stealing credentials, capturing screenshots, and other actions. It can also take over the infected machine.
• The malware version spotted by Avast researchers was version 140. The researchers suggest that malware undergoes rapid development and incorporates changes regularly.
In an analysis report, Avast researchers capture the developments of Guildma, which was created in 2015. They indicate that the creators of the malware have brought forth numerous implementation for sophistication.
“The malware authors have used large amounts of domains, various infection and stealing techniques, and programming languages (Delphi, JS, VBS,..) during Guildma’s long existence,” wrote the researchers. However, the actors used similar code most of the times which helped the researchers spot the malware campaign.