Guildma

Malware Profile Updated 3 months ago
Guildma is a malicious software (malware) family that has been operational since at least 2015, initially targeting banking users exclusively in Brazil. Over time, this malware, alongside others such as Javali, Melcoz, and Grandoreiro, expanded its operations to target banks in other countries and regions, including Chile, Uruguay, Peru, Ecuador, Colombia, China, Europe, and Brazil itself. The malware is known for its deceptive tricks, abusing legitimate processes such as ExtExport.exe (a component related to Internet Explorer) and, in more recent campaigns, leveraging YouTube for hosting Command and Control (C2) information. Guildma's intended targets can be discerned from its code, which reveals its capacity to steal data from bank customers living in these regions.

The evolution of Guildma has seen it adopt more sophisticated techniques over the years. By the end of September 2019, a new version of the Guildma malware was identified that used a novel technique for storing downloaded payloads in NTFS Alternate Data Streams, effectively concealing their presence on the file system. Furthermore, the newer versions of Guildma found in 2020 employed an automated process to generate thousands of daily URLs, primarily on generic Top-Level Domains (TLDs). This innovation allowed the malware to maintain its efficacy while making detection and mitigation efforts more challenging.

Guildma spreads primarily through mass email campaigns carrying a malicious file in compressed format as an attachment. Upon further examination of the delivered trojans, it was discovered that more than 300 financial organizations have already fallen victim to the Astaroth trojan, also known as Guildma. As a result, Guildma poses a significant threat to both individuals and organizations globally, necessitating robust cybersecurity measures to prevent its spread and mitigate its impact.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Astaroth | 1 | Astaroth, a malicious software (malware), has been identified as a significant threat due to its highly developed evasive skills and information stealing capabilities. This malware infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Trojan
Banking
Malware
YouTube
Associated Malware
ID | Type | Votes | Profile Description
Grandoreiro | Unspecified | 1 | Grandoreiro is a malicious software (malware) that forms part of a Brazilian banking operation targeting banks worldwide. This malware, along with Guildma, Javali, and Melcoz, represents an expanding threat from Brazil that has begun to impact other countries. Grandoreiro infiltrates systems through
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Guildma malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 5 months ago | High-volume malware campaigns involve Google Cloud Run exploitation
MITRE | a year ago | The Tetrade: Brazilian banking malware goes global
CERT-EU | a year ago | InfoSec Handlers Diary Blog - SANS Internet Storm Center