Brazil is Still the Main Target of the “Guildma” Banking Trojan

• The Guildma banking Trojan is still under active development and extensive deployment in Brazil.
• The malware can split its functionality over 10 individual modules, and do all kinds of nasty tricks.
• The activity of Guildma spiked last summer, and it has ten times more victims than the next biggest threat.

ESET places “Guildma” under the microscope, warning Brazilian internet users of the dangers that come with the popular banking Trojan. The telemetry of the analysts indicates that Guildma, which is also known as “Astaroth”, is probably the most impactful malware of its kind in the area, targeting financial institutions, stealing people’s credentials and email accounts, causing trouble to streaming platforms, grabbing payment data from e-shops, and generally having a widespread presence on the Brazilian cyberspace. In comparison to other Trojans, Guildma is very innovative and sophisticated and counts ten times more victims than the next most successful malware in Latin America.

Guildma is a modular malware that currently consists of ten individual modules. Its main functions include the following:

• Take screenshots from the infected machine.
• Capture the user’s keystrokes.
• Emulate keyboard and mouse input.
• Block shortcuts like “Alt+F4” to prevent the user from closing overlays and fake windows.
• Fetch and execute files and additional payloads.
• Restart the infected machine.

The main channel of distribution for Guildma is through spam emails that carry malicious attachments, and this has been the case for over a year now. The emails purportedly come from financial institutions, the Department of Finance, or they just call the user to open the attachment to access revealing images. The actors are rotating their distribution techniques, so as to trick the recipients and maintain a certain variety.

The first signs of Guildma’s activity were captured by ESET in October 2018, while spikes in its deployment occurred during the summer of 2019, December 2019, and January 2020. Of course, the actors are still using the Trojan extensively, and at the same time, they are updating it with notable dedication. The latest version number “152” came out today, while 151 was released in January and 150 in December.

Back in version 138, the developers of Guildma had experimented by adding support to target international banks. However, no campaigns of this kind were recorded by ESET or other researchers, and the particular functionality was scrapped with version 145. Guildma remains focused in the Brazilian market, and all entities in the Latin American country are advised to be very careful. Right now, most AV solutions will identify and flag Guildma's modules, as it shares common components with other known malware strains like the Casbaneiro and Mispadu.