In mid-May we detected a new Guildma campaign that affected banks in Spain, as well as different countries in Latin America and Portugal. Recently, we have continued to receive samples with small changes in the code.
Previously, this Trojan had mainly affected Portuguese-speaking users in Brazil. In addition, it has many references in the code to words in Portuguese and is developed in Delphi, which could indicate that its origin is in Brazil.
Guildma is a banking Trojan with multiple functionalities: it acts as spyware that collects user events, as a banker with multiple specified targets, and as a RAT, with open sockets through which the attacker sends orders.
All these functions make it a versatile Trojan that is dangerous for the end user.
1. How does it work?
Guildma has different phases to avoid being detected by Antivirus, Sandbox and malware researchers.
The first stage of infection is an obfuscated Visual Basic Script (.vbs) file. Criminals usually use this type of script because it is easily mutable and versatile. Once deobfuscated, we can see that the first thing the script checks is whether it is running in a virtual machine. To do this, it simply looks at the name, model and version of the machine's BIOS and compares them with a list of properties commonly exposed by the most popular virtualization systems.
Subsequently, several files are downloaded, including an encrypted binary and the DLL that acts as loader.
The loader DLL, which loads the final malware, is executed by the .vbs file with the following command:
The established "entry point" is a piece of code that does nothing relevant, so the script instead runs a different export, which is the actual "loader". This is a simple protection against automated sandboxes in which you cannot specify which "export" of the DLL to execute. This DLL is responsible for loading the encrypted content of the file "Yxwhrpmocf1.fco", which is really the malware in question.
Guildma is a banking Trojan with the following main features:
- Spyware: It can capture mouse movements, collect the keystrokes (Keylogger), etc.
- Launcher: Launches external Nirsoft executables to perform Stealer tasks and thus avoid implementing those functions. Normally, it stores them as binary resources.
- Banker: It affects a multitude of banking entities in different countries.
- RAT: It opens different sockets in the machine that receive orders from the attacker.
The malware uses several approaches to rob bank victims, executing specific tasks for some of the entities:
- General: When it detects a banking entity from the target list via a URL, and also finds a key, token or SMS code, depending on the bank, it registers the information that the user writes.
- Specific: In some specific cases, it presents forms to deceive the user and avoid the double-factor authentication used by various banking entities.
In addition, it contains generic theft modules for browser and email credentials that rely on external tools from NirSoft:
- Mail PassView
- ChromePass
- PasswordFox
- IE PassView
The communication and part of the functionality are carried out by opening several sockets that allow the criminal to interact with the victim manually or automatically.
Among other things, the main socket allows it to:
- Authenticate itself with the C&C.
- Activate another socket that is in charge of communicating keyboard events.
- Run a pseudo script to perform keyboard events in imitation of the client. For example, automatically filling out bank forms.
- Run a pseudo script to control the victim's mouse.
- Activate another socket that is responsible for capturing images of the victim's screen and sending them to the C&C.
The Trojan’s design means it can be easily handled by a criminal and makes it possible to carry out the fraud in very specific ways adapted for each entity.
2. New campaign in Spain
In the campaign in Spain, emails with Visual Basic Script (.vbs) attachments have been detected; mainly, the attachments pass themselves off as PDF files that simulate invoices.
There are many affected banks, among them some entities that are not normally targeted directly by the other types of banking malware more common in Spain.
The Trojan's design allows it to be adapted to other external entities quickly, as in this case. Thus, it does not need constant development and specialization for each type of entity.
This type of banking malware, with a strong presence in Brazil, has been adapting: although these families mainly have significant distribution in their country of origin or in Latin American regions, they have been found attempting to adapt to a greater number of entities from other countries.
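As an added example (not code from the original report), the following script flags mail attachments matching the lure described above: a .vbs script whose filename is dressed up as a PDF invoice. The script extensions, the disguise extensions, the invoice keywords and the sample message are all assumptions constructed for the example.

```python
"""Flag e-mail attachments of the kind used in the campaign described
above: a .vbs script whose filename looks like a PDF invoice.
Added example, not code from the original report."""
import email
import re
from email import policy
from email.message import EmailMessage

# Assumption: extension lists and lure words are our own choice; the report
# only mentions .vbs attachments posing as PDF invoices.
SCRIPT_EXTENSIONS = {".vbs", ".vbe"}
DISGUISE_EXTENSIONS = {".pdf"}
INVOICE_WORDS = re.compile(r"(invoice|factura|fatura|nota[ _-]?fiscal)", re.I)


def classify_attachment(filename: str) -> dict:
    """Return a verdict for one attachment filename."""
    name = filename.lower().strip()
    parts = name.rsplit(".", 2)            # 'factura.pdf.vbs' -> ['factura', 'pdf', 'vbs']
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    reasons = []
    if ext in SCRIPT_EXTENSIONS:
        reasons.append("script attachment " + ext)
        if inner in DISGUISE_EXTENSIONS:       # double extension such as .pdf.vbs
            reasons.append("double extension " + inner + ext)
        if INVOICE_WORDS.search(name):         # invoice-themed lure wording
            reasons.append("invoice lure wording")
    return {"filename": filename, "suspicious": bool(reasons), "reasons": reasons}


def scan_eml(raw: bytes) -> list:
    """Parse a raw RFC 822 message and classify every attachment in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [classify_attachment(part.get_filename() or "")
            for part in msg.iter_attachments()]


def build_sample() -> bytes:
    """Constructed sample message (not from the campaign) with two attachments."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Factura pendiente"
    msg.set_content("Adjuntamos la factura.")
    msg.add_attachment(b"WScript.Echo 1", maintype="application",
                       subtype="octet-stream", filename="Factura_2021.pdf.vbs")
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for verdict in scan_eml(build_sample()):
        print(verdict)
```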
In addition, this is a malware with a very diverse functionality that allows criminals to attack their victims in a more sophisticated way, avoiding detection by the banks' anti-fraud solutions as far as possible, eluding double authentication and environmental patterns, among other protections.
As different entities implement more advanced security solutions, greater professionalization in this type of malware is anticipated. They will simulate user behaviour to a great extent and thus be able to commit fraud without raising suspicion.