Adolf Středa
Last known affiliation: Gen™
Adolf Středa 🗣 | Luigino Camastra 🗣 | Jan Vojtěšek 🗣
Abstract (click to view)
For several months now, we have been tracking a malware campaign called Guildma. Guildma is powerful combination of a RAT (remote access tool), spyware, password stealer and banker malware, mainly distributed via malicious attachments in phishing emails. The cybercriminals behind Guildma have primarily focused on targeting Brazilian users and services , but since May 2019 they have expanded their range and are now targeting more than 130 banks and 75 other web services around the world. In our analysis, we present the infection process and a detailed description of Guildma’s modules. Due to the time-span covered by this research, we were also able to provide details about the evolution of Guildma.
Jan Sirmer 🗣 | Adolf Středa 🗣
Abstract (click to view)
Monitoring botnets is a crucial component of cybersecurity, but it’s not everyday we see a botnet spreading scripts with bot capabilities. At the end of April 2018, while monitoring one of the branches of the Necurs botnet, we observed new scripts being distributed by the botnet.
In our presentation we will dive into the results of our analysis of scripts with bot capabilities, spread by a botnet. The analyzed scripts were spread by the Necurs botnet through spam emails, and while the initial infection chain was rather short, the multiple stages thereafter included capabilities to make it a fully fledged botnet.
The distribution of the these scripts is an interesting step out from the standard behavior of the Necurs botnet, and we will therefore share information about the Necurs’ branch we are monitoring, the changes it underwent in a year, and detailed analysis of the script bot itself. As the code involved in the infection chain was not heavily obfuscated, the analysis will be interlaced with code examples.
Our analysis provides detailed information about the function and behavior of the scripts, the origin of the information and a comparison of the scripts’ versions over time. After we explore the scripts’ whereabouts, we will again dive more deeply into the Ammyy-like malware infection chain.