Researchers at Avast have published a detailed analysis of a banking trojan they call Guildma.
Guildma originates in Brazil. In an analysis of the Brazilian hacking scene, Recorded Future
noted that cultural (language isolation) and stringent banking rules have largely kept Brazilian banking malware within Brazil; but warned that this would probably not last forever. Guildma seems to be a case in point.
Avast has detected around 155,000 infection attempts this year alone. Ninety-eight percent are still in Brazil, but the malware is now also targeting 130 banks and web services such as Netflix, Facebook, Amazon, and Google Mail, around the world -- although still avoiding computers running in English.
Detections began to spike in May 2019, peaking in June 2019, but ongoing. It was in May that the hackers expanded their pool of bank targets, and also began targeting around 75 other web services around the world.
Guildma is distributed through targeted phishing, with victims addressed by name. The emails include a ZIP archive attachment containing a malicious LNK file. If this is opened, it uses WMI to silently download an XSL file, which in turn downloads all Guildma's modules via BITSAdmin, and executes a first stage loader that loads the modules.
