ESET researchers, continuing their recent analyses of banking Trojans affecting Latin America, have dissected the anatomy of Guildma.
In particular, they examined the most powerful and advanced banking Trojan they have yet encountered from this region: Guildma. Beyond banking institutions, the malware also tries to steal credentials for email accounts, e-shops and streaming services in Brazil.
It has infected at least 10 times more victims than the other Latin American banking Trojans analyzed by ESET. At its peak, during a massive campaign in 2019, ESET recorded up to 50,000 attacks a day. Guildma spreads exclusively through unsolicited emails carrying malicious attachments.
In one of its latest versions, Guildma introduced a new way of distributing the addresses of its command and control servers, abusing profiles on YouTube and Facebook. Its operators stopped using Facebook almost immediately, however, and at this stage rely entirely on YouTube.
«Guildma uses very innovative execution methods and sophisticated attack techniques. The actual attack is orchestrated by the C&C server. In this way, its operators can react more flexibly to the countermeasures applied by banks when attacked», explains Robert Šuman, the ESET researcher who leads the Guildma analysis team.
Guildma has multiple backdoor functions, such as taking screenshots, recording keystrokes, simulating mouse and keyboard input, blocking keyboard shortcuts (for example disabling Alt + F4 so that its fake windows are harder to close), and rebooting the machine.
In addition, Guildma has a highly modular architecture, currently consisting of at least 10 modules. The malware uses tools that are already present on the machine and reuses its own earlier methods. «New techniques are added from time to time, but for the most part the developers just seem to be reusing techniques from older versions», says Šuman.
In one of its first 2019 versions, Guildma added the ability to target institutions (mainly banks) outside Brazil. However, in the last 14 months ESET has not detected any campaigns outside the country. In fact, the attackers went so far as to block downloads from IP addresses outside Brazil.
Guildma's campaigns escalated slowly until the massive campaign of August 2019, when the ESET Research Team recorded up to 50,000 samples per day. This campaign continued for almost two months, reaching more than double the volume detected 10 months earlier.