Threat Research

Avast detects and protects users from malware targeting banks, Netflix

Avast, 24 July 2019

Avast protected nearly 27,000 users since the beginning of this year from more than 155,000 infection attempts made by Guildma malware

Avast has protected nearly 27,000 users since the beginning of this year from Guildma, malware that is attacking 130 banks and 75 other web services, such as Netflix, Facebook, Amazon, and Google Mail, around the world.

The Avast Threat Labs has been tracking Guildma for several months and has now published a detailed analysis of the malware. 

Guildma combines a remote access tool (RAT), spyware, a password stealer, and banking Trojan capabilities. Previously, Guildma targeted users and services in Brazil, infecting only computers running in Portuguese, but it has since spread to other languages. It still avoids computers running in English.

Guildma spreads via targeted phishing emails posing as invoices, tax reports, invitations, and similar messages. The emails are personalized in that they address their victims by name.

Guildma crawls through infected computers looking for files related to banking applications, windows that may belong to those applications, and even browser windows with e-banking sites open. If it does not detect any windows or programs belonging to one of the banks on its list, Guildma searches for certain desktop email clients and for services such as Netflix, Amazon, and Facebook open in browser windows. When Guildma detects a service from its list, it can take a number of actions, including stealing login credentials and contacts, taking screenshots, intercepting mouse and keyboard input, and remotely controlling the computer by pressing keys, clicking the mouse, and manipulating files. Guildma can also download additional files and execute them.

“Guildma is highly modular and complex malware supporting a wide range of functionalities, and is currently undergoing rapid development, expanding the range of targeted banks from Brazil to banks used in other Latin American countries,” said Adolf Streda, malware researcher at Avast.

Detecting Guildma

If a device is infected with Guildma, users may notice a poor network connection, because the screenshots being sent over the network hog the line, or lagging computer responses. Guildma can also prevent certain keyboard shortcuts from working and can even log users out of accounts or close browser windows in order to force users to log into their accounts again, so that it can steal their credentials.

Protecting against Guildma

Antivirus software, like Avast Free Antivirus, can detect malware like Guildma. Additionally, users should avoid opening attachments or links in emails that appear to come from retail companies or banks, and should first verify with the supposed sender that the email really came from them.

A full analysis of Guildma can be found on the Decoded Avast blog.