<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p>Earlier&nbsp;this month, a new variant of the Guildma information stealer was analyzed by the Internet Storm Center (ISC). The malware’s new campaign has been seen targeting various countries in South America, with the highest number of infections recorded in Brazil. Guildma appears to be spreading quickly: another recent campaign reached over 150,000 infection attempts in a matter of weeks.</p>
<p>The malware is spread via phishing emails, purportedly sent by the Federal Public Ministry of Brazil, that contain malicious links. The link downloads a ZIP file containing another ZIP file, which in turn contains a LNK file that executes a malicious JavaScript. Once the machine is infected, Guildma accesses Facebook and YouTube profiles created by the cybercriminals that host encrypted lists of its C2 servers.</p>
<p>This new Guildma variant was brought to our Security Research Team’s attention via an OTX (Open Threat Exchange) <a href="https://otx.alienvault.com/pulse/5d5bddb32e88e1ba2a9087ee">pulse</a>, which included a link to a <a href="https://isc.sans.edu/diary/Guildma+malware+is+now+accessing+Facebook+and%A0YouTube+to+keep+up-to-date/25222">report by ISC</a>. Their in-depth analysis noted that this ongoing campaign has 76 C2 servers (and counting), so our team set out to analyze the IOCs and discover additional C2 servers in the malware’s infrastructure.</p>
<p>In this use case, we will show how our analysis team used the free open-source analysis tools mentioned in previous posts to analyze Guildma C2 domains.</p>
<p>Since all of the variant’s C2s are appspot[.]com subdomains, our team chose to start with the domain the ISC report gives as an example of a C2 server request: soy-tower-248822[.]appspot[.]com.</p>
<p><img src="https://info.threatstop.com/hubfs/image-41.png"></p>
<p>(Photo credit: <a href="https://isc.sans.edu/">ISC</a>)</p>
<p>A VirusTotal search on that domain, and on a random handful of other domains from the report, showed that a number of the C2s in ISC’s list are related to a downloaded file called “xbd2” or “australia.html” (the same file).</p>
<p><img src="https://info.threatstop.com/hubfs/image-42.png"></p>
<p>Although the file was deemed clean by the VirusTotal scan, our analysts used VT’s relations graph to examine the domains and URLs related to it, finding 40 additional related appspot[.]com subdomains (shown below).</p>
<p><img src="https://info.threatstop.com/hubfs/image-43.png"></p>
<p>Looking at the domain list, it is clear that many of the newly found domains, such as praxis-water-248822[.]appspot[.]com and woven-mesh-248688[.]appspot[.]com, follow the same naming syntax as the published Guildma C2s.</p>
<p><img src="https://info.threatstop.com/hubfs/image-44.png"></p>
<p>Although we cannot yet be completely certain that these domains are Guildma C2 domains, their relation to and resemblance with the original published domains give us fair grounds to suspect that they are malicious.</p>
<p>Want to hear more about the tools and platforms mentioned in this use case?</p>
<p>Check out our previous posts in this series:</p>
<p>Part 1: <a href="/free-open-source-ioc-analysis-tools-why-use-iocs" rel="noopener">Why use IOCs?</a></p>
<p>Part 2: <a href="/threat-exchanges-ioc-sharing" rel="noopener">Threat Exchanges and IOC Sharing</a></p>
<p>Part 3: <a href="/analyzing-threat-infrastructure" rel="noopener">Analyzing Threat Infrastructure</a></p>
<p>Part 4: <a href="/enrichments-connecting-the-dots" rel="noopener">Enrichments and Connecting the Dots</a></p>
<p>Part 5: <a href="/emotet-banking-trojan-use-case" rel="noopener">Emotet Banking Trojan Use Case</a></p>
<p>Want to see more IOC analysis use cases?</p>
<p>Check out recent analyses posted by our Security Research Team, using similar analysis concepts: <a href="/riltok-mobile-banking-trojan-targets" rel="noopener">Riltok Mobile Banking Trojan Analysis</a> and <a href="/over-120-malicious-domains-discovered-in-analysis-on-new-roaming-mantis-campaign" rel="noopener">Roaming Mantis Cryptomining Malware Analysis</a>.</p>
<p style="text-align: center;"><strong>If you haven't yet, subscribe to our blog so you don't miss out on this series and other posts from our experts around all things cyber security. For more information about ThreatSTOP and proactively using threat intelligence, check us out below. </strong></p></span>
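<p>The pivot described above, from one published C2 to related appspot[.]com subdomains that share its naming syntax, can be turned into a small triage step. The following Python script is an added example and is not ThreatSTOP's or ISC's code. It refangs the defanged indicators quoted in the post, checks each candidate against the <code>word-word-6digits.appspot.com</code> shape that every quoted C2 follows (the shape of an auto-generated Google Cloud project ID), and flags candidates that also share a numeric suffix with a known C2, as praxis-water-248822 does with soy-tower-248822. The regular expression, the verdict labels and the three noise entries are assumptions constructed for the example; only the three appspot domains come from the post.</p>

```python
import re
from collections import defaultdict

# Defanged IOCs quoted in the post (from the ISC report and the VirusTotal pivot).
KNOWN_C2S = ["soy-tower-248822[.]appspot[.]com"]
RELATED = [
    "praxis-water-248822[.]appspot[.]com",
    "woven-mesh-248688[.]appspot[.]com",
]
# Constructed entries, not from the post, to exercise the non-matching paths.
NOISE = [
    "www[.]example[.]com",
    "storage[.]googleapis[.]com",
    "notapattern[.]appspot[.]com",
]

# <word>-<word>-<6 digits>.appspot.com: the shape shared by every C2 quoted above.
# Assumed for this example; tune it as the campaign's naming changes.
APPSPOT_STYLE = re.compile(r"^([a-z]+)-([a-z]+)-(\d{6})\.appspot\.com$")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a hostname for matching."""
    return ioc.strip().lower().replace("[.]", ".").replace("(.)", ".")


def defang(host: str) -> str:
    """Defang for safe publication, the way the post quotes its IOCs."""
    return host.replace(".", "[.]")


def parse_appspot(ioc: str):
    """Return (word1, word2, suffix) if the indicator fits the C2 shape, else None."""
    m = APPSPOT_STYLE.match(refang(ioc))
    return m.groups() if m else None


def triage(known, candidates):
    """Score each candidate against the known C2s.

    Verdicts (labels assumed for this example):
      pattern_and_shared_suffix - fits the naming shape and shares its numeric
                                  suffix with a known C2 (strongest signal)
      pattern_only              - fits the naming shape only
      no_match                  - does not fit; leave it to other enrichments
    Returns a dict mapping each defanged candidate to its verdict.
    """
    known_suffixes = {p[2] for p in map(parse_appspot, known) if p}
    verdicts = {}
    for cand in candidates:
        key = defang(refang(cand))
        parsed = parse_appspot(cand)
        if parsed is None:
            verdicts[key] = "no_match"
        elif parsed[2] in known_suffixes:
            verdicts[key] = "pattern_and_shared_suffix"
        else:
            verdicts[key] = "pattern_only"
    return verdicts


def suffix_clusters(iocs):
    """Group pattern-matching indicators by numeric suffix for further pivoting."""
    clusters = defaultdict(list)
    for ioc in iocs:
        parsed = parse_appspot(ioc)
        if parsed:
            clusters[parsed[2]].append(defang(refang(ioc)))
    return dict(clusters)


if __name__ == "__main__":
    for domain, verdict in triage(KNOWN_C2S, RELATED + NOISE).items():
        print(f"{verdict:26} {domain}")
    print(suffix_clusters(KNOWN_C2S + RELATED))
```

<p>Feed <code>triage()</code> the full list of 40 domains pulled from the VirusTotal relations graph to rank which ones deserve a closer look first; a shared suffix is a stronger lead than the naming shape alone, because the shape is common to every App Engine project with an auto-generated ID, not only to Guildma's.</p>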