Avast protected nearly 27,000 users since the beginning of this year from more than 155,000 infection attempts made by Guildma malware
Avast has protected nearly 27,000 users since the beginning of this year from Guildma, a banking Trojan that targets customers of 130 banks and 75 other web services around the world, including Netflix, Facebook, Amazon and Gmail.
The Avast Threat Labs has been tracking Guildma for several months and has now published a detailed analysis of the malware.
Guildma combines remote access tool (RAT), spyware, password-stealing and banking Trojan capabilities. It previously targeted users and services in Brazil and only infected computers whose system language was Portuguese; it has since expanded to other languages, but it still avoids computers running in English.
Guildma spreads via targeted phishing emails posing as invoices, tax reports, invitations and similar messages. The emails are personalized in the sense that they address the victim by name.
On an infected computer, Guildma searches for files belonging to banking applications, for windows that may belong to those applications, and for browser windows with an e-banking site open. If it finds no window or program belonging to a bank on its list, it looks instead for certain desktop email clients and for services such as Netflix, Amazon and Facebook open in browser windows. Once it detects a service from its list, it can steal login credentials and contacts, take screenshots, intercept mouse clicks and keystrokes, and remotely control the computer (pressing keys, clicking the mouse and manipulating files). It can also download additional files and execute them.
“Guildma is highly modular and complex malware supporting a wide range of functionalities, and is currently undergoing rapid development, expanding the range of targeted banks from Brazil to banks used in other Latin American countries,” said Adolf Streda, malware researcher at Avast.
If a device is infected with Guildma, users may notice a degraded network connection, because the screenshots Guildma sends out consume upload bandwidth, or a computer that responds sluggishly. Guildma can also block certain keyboard shortcuts, and it can log users out of accounts or close browser windows so that they have to log in again, which lets it capture the credentials they type.
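The bandwidth symptom described above is also a signal a defender can look for on the network side. The following is an added example, not Avast's code and not taken from the Guildma analysis: it scans a constructed proxy-log sample for hosts that POST regularly spaced, similarly sized uploads to a single destination, the pattern a periodic screenshot exfiltration leaves behind. The log format (epoch, source host, destination, method, bytes sent), the sample lines and the thresholds are all assumptions to be adapted to a real proxy or NetFlow export.

```python
"""Flag periodic outbound upload bursts in a proxy log.

Added example: not Avast's code and not Guildma's. The log format,
the sample lines and the thresholds below are assumptions.
"""
import statistics
from collections import defaultdict

# Constructed sample in an assumed format: "epoch src dst method bytes_out".
# ws-17 uploads ~256 KB every 10 s to one destination (screenshot-like);
# ws-03 does ordinary browsing; ws-09 does a single large legitimate upload.
SAMPLE_LOG = """\
1700000000 ws-17 198.51.100.10 POST 262144
1700000010 ws-17 198.51.100.10 POST 270336
1700000020 ws-17 198.51.100.10 POST 258048
1700000030 ws-17 198.51.100.10 POST 266240
1700000040 ws-17 198.51.100.10 POST 262144
1700000050 ws-17 198.51.100.10 POST 274432
1700000005 ws-03 203.0.113.5 GET 512
1700000012 ws-03 203.0.113.5 POST 2048
1700000041 ws-03 203.0.113.5 POST 1536
1700000022 ws-09 203.0.113.80 POST 5242880
"""


def parse_proxy_log(text):
    """Return a list of (epoch, src, dst, method, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, method, nbytes = line.split()
        events.append((int(ts), src, dst, method, int(nbytes)))
    return events


def find_upload_bursts(events, window_s=60, min_posts=5,
                       min_bytes=1_000_000, max_cv=0.5):
    """Return one alert per (src, dst) pair that shows a regular upload burst.

    A burst is at least `min_posts` POSTs to the same destination inside a
    `window_s` second sliding window, totalling at least `min_bytes`, with
    inter-arrival gaps whose coefficient of variation is at most `max_cv`
    (i.e. the uploads are evenly spaced, as a timer-driven sender would be).
    A single big upload never qualifies, so ordinary file uploads pass.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, method, nbytes in events:
        if method == "POST":
            by_pair[(src, dst)].append((ts, nbytes))

    alerts = []
    for (src, dst), posts in by_pair.items():
        posts.sort()
        start = 0
        for end in range(len(posts)):
            # Shrink the window from the left until it spans <= window_s.
            while posts[end][0] - posts[start][0] > window_s:
                start += 1
            chunk = posts[start:end + 1]
            if len(chunk) < min_posts:
                continue
            total = sum(b for _, b in chunk)
            if total < min_bytes:
                continue
            gaps = [chunk[i + 1][0] - chunk[i][0] for i in range(len(chunk) - 1)]
            mean_gap = statistics.mean(gaps)
            # Same-instant bursts have zero gaps; treat them as perfectly regular.
            cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
            if cv <= max_cv:
                alerts.append({
                    "src": src,
                    "dst": dst,
                    "posts": len(chunk),
                    "bytes": total,
                    "mean_gap_s": mean_gap,
                })
                break  # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for alert in find_upload_bursts(parse_proxy_log(SAMPLE_LOG)):
        print("periodic upload burst:", alert)
```

Only the host sending evenly spaced, similarly sized uploads is flagged; the browsing host never reaches the POST count, and the single large upload is excluded by the same count threshold. In practice the window, count and byte thresholds need tuning against a baseline of the environment's normal upload traffic, and the destination should be enriched with reputation data before anyone acts on the alert.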
Antivirus software, such as Avast Free Antivirus, can detect malware like Guildma. Users should also avoid opening attachments or links in emails that appear to come from retailers or banks, and should first verify with the supposed sender, through a channel other than the email itself, that the message really came from them.