Guildma

Guildma – a dangerous banking Trojan that targets Latin American users

Guildma is a modular malware capable of taking screenshots, capturing credentials, and stealing information in many other ways

Guildma is a modular malware capable of taking screenshots, capturing credentials, and stealing information in many other ways

Guildma is a sophisticated data-stealing malware that was recently discovered and analyzed by most prominent security research teams. The virus targets more than 130 Latin American banking systems and 75 local web services, with its primary goal being to steal banking, email, entertainment service, and other credentials. Threat actors behind Guildma launched multiple large campaigns that were infecting as many as 50 thousand people a day via contaminated spam email attachments.^[1] Its first emergence traces date back to 2015, although its peak was (so far) in summer/autumn of 2019. Currently, the Guildma virus is still spiking in popularity, and is currently the most prominent banking malware in Latin America, infecting ten times more victims than the second most common banking malware in the area.

Malware infection might not be so apparent, as, just like many other Trojans, it barely emits any symptoms and performs its operations in the background, which might prevent Guildma removal for weeks or even months. In the meantime, users might be running their computers as normal, providing the most sensitive information directly to cybercriminals.

Nevertheless, most of the legitimate anti-malware solutions would be able to stop all variants of Guildma, as its main executable is recognized as follows:^[2]

• Trojan.AgentWDCR.XDE (B)
• TR/Spy.Guildma.mzypz
• Trojan.Win32.DelfiDelfi.4!c
• Trojan.TR/Spy.Guildma.mzypz
• Trojan:Win32/Guildma.V!MTB
• Mal/Generic-L
• W32/Guildma.BS!tr.spy, etc.

To remove Guildma, you will have to download and install one of reputable AV providers, such as Malwarebytes, and perform a full system scan. Since malware is modular and might interfere with anti-malware operation, you might need to access Safe Mode with Networking and perform the scan from there. Once Guildma is terminated, you can also take care of Windows system files and fix the damage done with tools like Reimage Reimage Cleaner Intego.

Guildma distribution and infection routine

While Guildma malware is spread via spam email attachments, its method of doing so is innovative and sophisticated. To spread malicious emails, threat actors behind the malware are using mostly hacked or fake websites, where a malicious PHP code is installed. With this, the attackers can use the gathered email addresses to launch mass spam campaigns, infecting thousands of users daily.

The phishing emails come in the native (Portuguese) language and represent tax refunds, invoices, invitations, and similar events. Each of such emails is injected with a .zip file, usually named as follows: cheque.htm.zip, curriculum_.htm.zip, dados unidas rent a car.htm.zip, nota_fiscal.484.582.85.zip, etc. Such emails look professional, and many users could get tricked and open the clipped attachment.

Inside the archive, there is an obfuscated shell link (LNK) file, which calls the wmic.exe via Command Prompt to download the XSL file. The latter contains the malicious payload that begins the infection routine on the targeted machine.

To prevent infiltration of Guildma malware, users should not open attachments carelessly, as some phishing emails can look very believable. Thus, only open attachments you know are safe and are coming from a secure source. Uploading such attachments to Virus Total or similar analysis services can also help you determine whether it is malicious.

Guildma is Trojan that targets Latin America with spam email campaigns

Guildma is Trojan that targets Latin America with spam email campaigns

Guildma is modular malware capable of stripping victims of the most sensitive information

Throughout its existence, Guildma was released in several different versions and has been tweaked and improved over time. While threat actors employed a variety of different programming languages, data-stealing methods, as well as infection techniques, most of the code patterns such as encryption algorithms, file names, and other components remained unchanged.

Before starting the infection routine, Guildma Trojan first checks whether it accessed a sandbox environment (or a virtual machine which is often used by security researchers to analyze malware samples and their operation principles), and only proceeds if it detects a regular “user” machine. It will also not infect machines that are not located in the country of interest, i.e., mostly Brazil – Guildma checks keyboard language for that.

According to researchers, Guildma also checks for running applications, which is then followed by immediate data-stealing practice:^[3]

Throughout the execution, it frequently performs checks for opened windows, mostly looking for banking applications or PuTTY. These detections trigger injections, screenshots, key hooking and “flag” file creation. All these actions are orchestrated by a vast array of interacting timers with a rather complicated hierarchy.

The main module (“Module G”) is very diverse and is responsible for such operations as C&C server communication establishment (which also incorporates YouTube and Facebook profiles to retrieve the C&C servers), loading of other modules, running application tracking, and much more.

Besides the regular banker malware capabilities, Guildma is equipped with an array of modules (at least 10), each capable of performing different tasks. These tasks are not only comprised of data-stealing but also include the following functionality:

• Screenshot capture
• Keystroke capture
• System reboot
• Keyboard and mouse emulation
• Keyboard shortcut blocking (such as Alt + F4 or Ctrl + W)
• File fetching
• Implementation of secondary payloads (backdoor function)

Guildma uses a variety of tricks to make users expose their credentials. Once the malware is active on the system, it forcefully logs users out of accounts on Google Chrome, Mozilla Firefox, Internet Explorer or MS Edge, making them re-enter credential data repeatedly. This information is later sent to the C&C server via an established network connection. Guildma will also record everything typed by the keyboard and take screenshots to steal relevant information.

Guildma also has a from grabber function, which allows the virus to capture email lists from MS Outlook, Thunderbird, and other email desktop clients. This module also includes the capability of stealing data from relevant websites.

As evident, the presence of Guildma Trojan can seriously compromise the infected machine and result in financial losses, or even identity theft. Therefore, users should ensure that they would not get tricked by realistically crafted phishing emails, although protection of anti-malware software is the most critical component that would defend victims from malware intrusions.

Eliminate Guildma from the system immediately

As previously mentioned, Guildma virus can cause significant damage to the computer owner, as it can steal such sensitive data like banking, email, and other login credentials. As a result, users might see their credit card accounts being drained without permission, or goods being purchased under their names. Online banking accounts should always be monitored for unsolicited transactions. In case you noticed that your bank account was was emptied, there is a high chance you should immediately remove Guildma from your computer.

To remove Guildma malware from the system, download and install a powerful anti-malware program, bring it up to date, and perform a full system scan. This will ensure that all the malicious components, along with other possible malware, is eliminated at once. If you are struggling when trying to perform a scan, you should access Safe Mode with Networking and employ anti-malware software from there.

Additionally, if you have been a victim of Guildma attack, you should reset all your passwords after malware termination. Also, contact your bank and explained what happened, as you should close any compromised bank accounts.