Guildma – a dangerous banking Trojan that targets Latin American users
Guildma is a modular malware capable of taking screenshots, capturing credentials, and stealing information in many other ways
Guildma is a sophisticated data-stealing malware that was recently discovered and analyzed by most prominent security research teams. The virus targets more than 130 Latin American banking systems and 75 local web services, with its primary goal being to steal banking, email, entertainment service, and other credentials. Threat actors behind Guildma launched multiple large campaigns that were infecting as many as 50 thousand people a day via contaminated spam email attachments. Its first emergence traces date back to 2015, although its peak was (so far) in summer/autumn of 2019. Currently, the Guildma virus is still spiking in popularity, and is currently the most prominent banking malware in Latin America, infecting ten times more victims than the second most common banking malware in the area.
|Also known as||Astaroth|
|Programming languages||Threat actors use a combination of different programming languages which the malware is written in: Delphi, JS, VBS, and others|
|Affected area||Malware is almost elusively focusing on Latin America – Brazil in particular|
|Infection means||Guildma malware is spread exclusively using spam email attachments and incorporating Facebook and YouTube profiles. Emails are sent as invoices, tax reports, and similar messages – these include a .zip file which, once opened, initiates the infection process|
|Functions||Records keystrokes, takes screenshots, proliferates other malware, emulates keyboard and mouse inputs, steals credentials of e-commerce, email, and other services|
|Risks||Loss of sensitive information (disclosure to cybercriminals), financial losses, identity theft, infection of other malware|
|Removal||The only secure way to terminate malware is by performing a full system scan with the most up-to-date anti-virus software, accessing Safe Mode as required (instructions can be found below)|
|System fix||To remediate Windows after malware infection and fix virus damage, we recommend using Reimage Reimage Cleaner Intego|
Malware infection might not be so apparent, as, just like many other Trojans, it barely emits any symptoms and performs its operations in the background, which might prevent Guildma removal for weeks or even months. In the meantime, users might be running their computers as normal, providing the most sensitive information directly to cybercriminals.
Nevertheless, most of the legitimate anti-malware solutions would be able to stop all variants of Guildma, as its main executable is recognized as follows:
- Trojan.AgentWDCR.XDE (B)
- W32/Guildma.BS!tr.spy, etc.
To remove Guildma, you will have to download and install one of the reputable AV providers, such as Malwarebytes, and perform a full system scan. Since malware is modular and might interfere with anti-malware operation, you might need to access Safe Mode with Networking and perform the scan from there. Once Guildma is terminated, you can also take care of Windows system files and fix the damage done with tools like Reimage Reimage Cleaner Intego.
Guildma distribution and infection routine
While Guildma malware is spread via spam email attachments, its method of doing so is innovative and sophisticated. To spread malicious emails, threat actors behind the malware are using mostly hacked or fake websites, where a malicious PHP code is installed. With this, the attackers can use the gathered email addresses to launch mass spam campaigns, infecting thousands of users daily.
The phishing emails come in the native (Portuguese) language and represent tax refunds, invoices, invitations, and similar events. Each of such emails is injected with a .zip file, usually named as follows: cheque.htm.zip, curriculum_.htm.zip, dados unidas rent a car.htm.zip, nota_fiscal.484.582.85.zip, etc. Such emails look professional, and many users could get tricked and open the clipped attachment.
Inside the archive, there is an obfuscated shell link (LNK) file, which calls the wmic.exe via Command Prompt to download the XSL file. The latter contains the malicious payload that begins the infection routine on the targeted machine.
To prevent infiltration of Guildma malware, users should not open attachments carelessly, as some phishing emails can look very believable. Thus, only open attachments you know are safe and are coming from a secure source. Uploading such attachments to Virus Total or similar analysis services can also help you determine whether it is malicious.
Guildma is Trojan that targets Latin America with spam email campaigns
Guildma is modular malware capable of stripping victims of the most sensitive information
Throughout its existence, Guildma was released in several different versions and has been tweaked and improved over time. While threat actors employed a variety of different programming languages, data-stealing methods, as well as infection techniques, most of the code patterns such as encryption algorithms, file names, and other components remained unchanged.
Before starting the infection routine, Guildma Trojan first checks whether it accessed a sandbox environment (or a virtual machine which is often used by security researchers to analyze malware samples and their operation principles), and only proceeds if it detects a regular “user” machine. It will also not infect machines that are not located in the country of interest, i.e., mostly Brazil – Guildma checks keyboard language for that.
According to researchers, Guildma also checks for running applications, which is then followed by immediate data-stealing practice:
Throughout the execution, it frequently performs checks for opened windows, mostly looking for banking applications or PuTTY. These detections trigger injections, screenshots, key hooking and “flag” file creation. All these actions are orchestrated by a vast array of interacting timers with a rather complicated hierarchy.
The main module (“Module G”) is very diverse and is responsible for such operations as C&C server communication establishment (which also incorporates YouTube and Facebook profiles to retrieve the C&C servers), loading of other modules, running application tracking, and much more.
Besides the regular banker malware capabilities, Guildma is equipped with an array of modules (at least 10), each capable of performing different tasks. These tasks are not only comprised of data-stealing but also include the following functionality:
- Screenshot capture
- Keystroke capture
- System reboot
- Keyboard and mouse emulation
- Keyboard shortcut blocking (such as Alt + F4 or Ctrl + W)
- File fetching
- Implementation of secondary payloads (backdoor function)
Guildma uses a variety of tricks to make users expose their credentials. Once the malware is active on the system, it forcefully logs users out of accounts on Google Chrome, Mozilla Firefox, Internet Explorer or MS Edge, making them re-enter credential data repeatedly. This information is later sent to the C&C server via an established network connection. Guildma will also record everything typed by the keyboard and take screenshots to steal relevant information.
Guildma also has a from grabber function, which allows the virus to capture email lists from MS Outlook, Thunderbird, and other email desktop clients. This module also includes the capability of stealing data from relevant websites.
As evident, the presence of Guildma Trojan can seriously compromise the infected machine and result in financial losses, or even identity theft. Therefore, users should ensure that they would not get tricked by realistically crafted phishing emails, although protection of anti-malware software is the most critical component that would defend victims from malware intrusions.
Eliminate Guildma from the system immediately
As previously mentioned, Guildma virus can cause significant damage to the computer owner, as it can steal such sensitive data like banking, email, and other login credentials. As a result, users might see their credit card accounts being drained without permission, or goods being purchased under their names. Online banking accounts should always be monitored for unsolicited transactions. In case you noticed that your bank account was was emptied, there is a high chance you should immediately remove Guildma from your computer.
To remove Guildma malware from the system, download and install a powerful anti-malware program, bring it up to date, and perform a full system scan. This will ensure that all the malicious components, along with other possible malware, is eliminated at once. If you are struggling when trying to perform a scan, you should access Safe Mode with Networking and employ anti-malware software from there.
Additionally, if you have been a victim of Guildma attack, you should reset all your passwords after malware termination. Also, contact your bank and explained what happened, as you should close any compromised bank accounts.
To remove Guildma, follow these steps:
Remove Guildma using Safe Mode with Networking
If you are unable to remove Guildma in a regular mode, access Safe Mode with Networking:
Step 1: Reboot your computer to Safe Mode with Networking
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window.
Step 2: Remove Guildma
Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Guildma removal.
If your ransomware is blocking Safe Mode with Networking, try further method.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Guildma and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes
Access your website securely from any location
When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.
The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for server or network manager that need to monitor connections and activities. This is how you bypass some of the authentications factors and can remotely use your banking accounts without triggering suspicious with each login.
VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to clock the access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.
Backup files for the later use, in case of the malware attack
Computer users can suffer various losses due to cyber infections or their own faulty doings. Software issues created by malware or direct data loss due to encryption can lead to problems with your device or permanent damage. When you have proper up-to-date backups, you can easily recover after such an incident and get back to work.
It is crucial to create updates to your backups after any changes on the device, so you can get back to the point you were working on when malware changes anything or issues with the device causes data or performance corruption. Rely on such behavior and make file backup your daily or weekly habit.
When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware occurs out of nowhere. Use Data Recovery Pro for the system restoring purpose.