Guildma is a banking trojan that has been active since at least 2015, initially targeting banking customers in Brazil only. Over time it, together with the related Brazilian families Javali, Melcoz, and Grandoreiro, expanded beyond Brazil to target banks in Chile, Uruguay, Peru, Ecuador, Colombia, China, and Europe. The malware is known for its evasion tricks, such as abusing ExtExport.exe, a legitimate Internet Explorer component, to load its malicious libraries, and in more recent campaigns for hosting Command and Control (C2) information on YouTube. Guildma's intended targets can be read from its code, which reveals the bank customers in these regions whose data it is built to steal.
Guildma has adopted more sophisticated techniques over the years. At the end of September 2019, a new version was identified that stored its downloaded payloads in NTFS Alternate Data Streams (ADS), keeping them out of ordinary directory listings and out of sight of many file scans. The versions seen in 2020 added an automated process that generates thousands of URLs per day, mostly abusing generic Top-Level Domains (TLDs). This keeps the infrastructure usable while making detection, blocklisting, and takedown considerably harder.
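The following PowerShell session is an added example, not code from Guildma or from any vendor report. It shows why a payload written to an NTFS Alternate Data Stream is invisible to casual inspection, and the check a defender runs to surface such streams. The scratch file path, the stream name, and the "payload" text are assumptions made for the demonstration; an NTFS volume is required.

```powershell
# Added example (not Guildma's code): write data into a named NTFS stream, show
# that the usual file view does not reveal it, then enumerate streams to find it.

$hostFile = Join-Path $env:TEMP 'ads-demo.txt'   # assumed scratch location on an NTFS volume
Set-Content -LiteralPath $hostFile -Value 'harmless looking host file'

# Attacker-style write: the data goes into a named stream, not the default :$DATA stream.
Set-Content -LiteralPath $hostFile -Stream 'hidden.bin' -Value 'constructed stand-in for a downloaded payload'

# Name and Length reflect only the default stream, so the extra data does not show up here.
Get-Item -LiteralPath $hostFile | Select-Object Name, Length

# Defender-style check: enumerate every stream on the file. ':$DATA' is the normal
# content; anything else is an alternate stream that needs an explanation.
Get-Item -LiteralPath $hostFile -Stream * | Select-Object FileName, Stream, Length

# Hunting version: list non-default streams under a directory tree. Zone.Identifier
# is the mark-of-the-web that browsers and mail clients add to downloads, so it is
# labelled rather than treated as suspicious on its own.
function Find-AlternateDataStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length,
            @{ Name = 'Note'; Expression = {
                if ($_.Stream -eq 'Zone.Identifier') { 'mark-of-the-web (usually benign)' } else { 'review' } } }
}

Find-AlternateDataStreams -Root $env:TEMP | Format-Table -AutoSize

# Read the hidden stream back, then clean up both the stream and the host file.
Get-Content -LiteralPath $hostFile -Stream 'hidden.bin'
Remove-Item -LiteralPath $hostFile -Stream 'hidden.bin'
Remove-Item -LiteralPath $hostFile
```

The same enumeration can be done from cmd.exe with `dir /r`. For continuous monitoring rather than a one-off sweep, Sysmon Event ID 15 (FileCreateStreamHash) records the creation of alternate data streams, which is the event to alert on when a download lands in a stream rather than in a normal file.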
Guildma spreads primarily through mass email campaigns that carry the malicious file inside a compressed archive attached to the message. Analysis of the delivered trojan, also tracked under the name Astaroth, has shown that customers of more than 300 financial organizations are among its targets. Guildma therefore poses a significant threat to both individuals and organizations, and defending against it calls for controls on email attachments, endpoint visibility into living-off-the-land binaries such as ExtExport.exe, and monitoring for payloads hidden in NTFS Alternate Data Streams.
Description last updated: 2024-05-04T22:53:09.758Z