
Guildma

Posted: November 7, 2019

Guildma is a banking Trojan with additional features associated with spyware and RATs. Guildma typically arrives through e-mail spam-based infection vectors and collects bank account information by monitoring the user's Web-browsing activities and modifying the behavior of the browser. Users should disconnect from the Internet and remove Guildma with a dependable anti-malware product as soon as possible.

Brazilian Thieves Expand Their Horizons

Brazil's banking Trojan scene is highly distinctive, exploiting the nation's heavily customized financial services to collect money and customer data. However, not every Trojan that starts in Brazil stays there. For an example new to 2019, users might look at Guildma. This Windows-based threat, also known by the demonic alias Astaroth, is a modular and heavily developed program. It receives significant version changes and daily alterations to its Web infrastructure, making it clear that even criminals can display a work ethic.

Guildma began in Brazil but is establishing itself in places as far away as Asia and North America. The Trojan distributes itself through e-mail spam, using a pair of customized modules dedicated to that purpose and templates that it can adapt with target-specific information (such as names or banking-industry references). Users who open the LNK attachments in these e-mails become Guildma's next victims. Malware experts confirm one notable exception to this rule: in virtual machines and analysis environments, Guildma aborts its loading routine.

Guildma's attacks rely on a series of timers, many of them self-looping, while it listens for commands from its servers and monitors Web-browsing activity. It includes all of the 'ordinary' features of such a threat, such as establishing a backdoor, taking screenshots, downloading and launching files, and keylogging. More interestingly, it also can close browser windows to force the user to reopen them, collecting the information entered afterward.

Malware researchers also highlight Guildma's extensive control over the keyboard. It can automatically disable certain shortcut combinations, including ones that would close an unresponsive window or switch the window focus.

Breaking Up a Robbers' Guild

One of the most remarkable parts of Guildma's history is a deployment detail that shows how far its threat actors are willing to go to gain system access. Although Guildma uses all of the standard process-hollowing and injection techniques of similar banking Trojans, it also emphasizes 'living off the land' strategies. The banking Trojan takes this philosophy to the extreme of even compromising Avast libraries, although the company has since updated its software to block this abuse.

Guildma includes an expansive assortment of protections against identification by automated solutions or by users' eyes. Many versions of the Trojan use digital certificates for an appearance of authenticity, and the threat actors position the UI elements outside of the user's visible screen space. Guildma also uses XOR encryption for many components, although this aspect has not been updated since 2015, in contrast to its other, often daily, alterations.
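A defender-side check for the off-screen UI placement described above, added here as an example and not code from this page or from any vendor: on Windows it enumerates visible, non-minimised top-level windows through ctypes and flags any that overlap no monitor; the pure-Python `is_offscreen` helper and all function names are my own and can be tested on any platform.

```python
import ctypes
import sys
from typing import List, Tuple

Rect = Tuple[int, int, int, int]  # (left, top, right, bottom) in screen pixels


class RECT(ctypes.Structure):
    _fields_ = [("left", ctypes.c_long), ("top", ctypes.c_long),
                ("right", ctypes.c_long), ("bottom", ctypes.c_long)]


def is_offscreen(window: Rect, monitors: List[Rect]) -> bool:
    """True when a non-empty window rectangle overlaps no monitor at all."""
    left, top, right, bottom = window
    if right <= left or bottom <= top:
        return False  # empty rectangle: nothing is drawn, so nothing to flag
    for m_left, m_top, m_right, m_bottom in monitors:
        if min(right, m_right) > max(left, m_left) and min(bottom, m_bottom) > max(top, m_top):
            return False  # at least one pixel of the window is visible here
    return True


def find_offscreen_windows() -> List[Tuple[int, str, Rect]]:
    """Return (hwnd, title, rect) for visible top-level windows placed wholly off-screen."""
    if sys.platform != "win32":
        return []  # the enumeration below needs user32.dll
    user32 = ctypes.windll.user32
    monitors, suspects = [], []
    MON_PROC = ctypes.WINFUNCTYPE(ctypes.c_int, ctypes.c_void_p, ctypes.c_void_p,
                                  ctypes.POINTER(RECT), ctypes.c_void_p)
    WND_PROC = ctypes.WINFUNCTYPE(ctypes.c_int, ctypes.c_void_p, ctypes.c_void_p)

    def on_monitor(_hmon, _hdc, rect_ptr, _lparam):
        r = rect_ptr.contents
        monitors.append((r.left, r.top, r.right, r.bottom))
        return 1

    def on_window(hwnd, _lparam):
        # Windows parks minimised windows at (-32000, -32000); skip them to avoid false positives.
        if not user32.IsWindowVisible(hwnd) or user32.IsIconic(hwnd):
            return 1
        rect = RECT()
        user32.GetWindowRect(hwnd, ctypes.byref(rect))
        win = (rect.left, rect.top, rect.right, rect.bottom)
        if is_offscreen(win, monitors):
            title = ctypes.create_unicode_buffer(256)
            user32.GetWindowTextW(hwnd, title, 256)
            suspects.append((hwnd, title.value, win))
        return 1

    user32.EnumDisplayMonitors(None, None, MON_PROC(on_monitor), 0)
    user32.EnumWindows(WND_PROC(on_window), 0)
    return suspects
```

Legitimate software occasionally parks a window off-screen as well, so treat a hit as a lead for triage (owning process, signer, network activity), not as proof of infection.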

Despite these advantages, users should still keep their anti-malware products ready to detect and remove Guildma. Contacting one's bank afterward for advice on securing hijacked accounts is equally necessary.

Guildma is bolder and better maintained than many other banking Trojan 'businesses,' but its goals are no less disgraceful. Rather than exorcising this demon of a program after suffering its attentions, users should be careful about clicking any attachment that carries the scent of danger.
