Guildma: A Latin American Banking Trojan and a Threat to Banks
Guildma, the name assigned by Avast (also known as Astaroth, the name assigned by Cybereason), is a notorious Latin American banking Trojan (the term derives from the Greek story of the Trojan horse at Troy) that has been observed attacking the banking sector in Brazil. It was first seen on 18 September 2018 as version 131; the most recent version is 152 as of 5 March 2020. ESET researchers recently conducted research to gain deeper insight into the impact of this advanced banking Trojan. The malware has been specifically designed to attack the banking sector: its purpose is to intercept banking network traffic in order to steal highly sensitive credentials, such as those for email accounts, e-shops and streaming services in Brazil. According to the ESET report, its real impact is ten times higher than that of the other Latin American banking Trojans. In 2019, when it was fully active through a massive campaign, 50,000 attacks per day were recorded.
How Does Guildma or Astaroth work?
Guildma is malware, a type of virus, and it is deployed massively through spam emails carrying malicious attachments.
Spam email example: fake invoice reminder
Source: WeLiveSecurity
Guildma (Astaroth) relies on very innovative execution methods and uses sophisticated attack techniques. Its actions are driven according to plan by its command and control (C&C) servers. Once running, Guildma can carry out the following actions:
- Taking screenshots
- Capturing keystrokes
- Emulating keyboard and mouse input
- Blocking keyboard shortcuts such as Alt+F4, making it harder for the victim to close the fake windows it opens
- Downloading and executing files
- Rebooting the device or machine
Guildma is highly modular in nature. Ten modules were embedded in it when it was structured and written, not counting the stages of the distribution chain. In the words of Suman:
"New techniques are added every once in a while, but for the most part, the developers seem to simply reuse techniques from older versions."
Distribution chain of Guildma in the latest version analyzed by ESET (150)
Source: ESET
The image above depicts the structure of the distribution chain for version 150, which is very dynamic in nature.
A unique feature of Guildma's distribution chain is its use of tools already available on the system, but in new and unusual ways.
The latest version of Guildma or Astaroth is capable of a new, more impactful and advanced way of distributing its command and control server addresses, relying on Facebook and YouTube profiles or accounts.
In early 2019, Guildma became capable of attacking institutions, mainly banks, outside Brazil. However, no campaign outside Brazil has been observed over the last 14 months, as quoted by ESET. The attackers instead went so far as to block any download from non-Brazilian IP addresses.
The figure below shows that Guildma's pace was very slow until August 2019, when the campaign reached its peak with 50,000 attacks observed on a daily basis. This massive campaign ran for almost two months, and twice as many detections were reported during it as in the ten months prior.
First-stage Guildma detections since July 2019
Source: ESET
Innovative and Interesting Techniques Used by Guildma over the Last 14 Months
Some of the innovative and interesting techniques used by Guildma over the last 14 months are:
- Execution of the JScript stage
- Execution of the binary modules
- Downloading of the binary modules
Please note that the statistics given here relate to version 150, named XXX. Its version prefix is andrealfo.
This malware is so dangerous, I think.
Thanks for sharing, I really appreciate your effort in sharing this malware virus information.
I would like to read more about: Real Estate Property Portal in Pakistan
Good research
Thanks for your compliment