#Guildma using another LOLBIN, colorcpl.exe, as an alternative to copy bitsadmin to a different path before executing it
2023-01-03 (Tuesday) and 01-04 (Wednesday): Doing this as a separate post as well...
Follow-up on activity reported in today's (2023-01-05) ISC diary at: https://isc.sans.edu/diary/More%20Brazil%20malspam%20pushing%20Astaroth%20%28Guildma%29%20in%20January%202023/29404
A more complete list of indicators, #pcap files, and #Astaroth (#Guildma) malware samples now available at: https://malware-traffic-analysis.net/2023/01/04/index.html
On the first pcap, I opened the banco.bradesco site in a web browser after letting the infection run overnight. So that particular traffic was -not- caused by the malware.
After opening that banking website, the infected host immediately generated more HTTP POST requests, sending encoded data to the C2 server.
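The first post above describes the loader copying bitsadmin to a different path with the LOLBIN colorcpl.exe and executing the copy from there. As an added illustration (not code from the posts, the ISC diary, or the linked pcap index), the Python below runs two defender-side checks over a few constructed process-creation records: bitsadmin.exe starting from outside the Windows system directories, and colorcpl.exe being invoked with an executable as its argument. The record format, the parent processes, and the destination directory are assumptions for the example; the page does not state the actual copy destination.

```python
import ntpath

# Constructed process-creation records (ts|parent_image|image|command_line).
# Paths and parents are illustrative; none are taken from the page or its pcaps.
SAMPLE_EVENTS = [
    # Benign: colorcpl.exe opened from Explorer with no argument.
    "2023-01-04T09:12:00|c:\\windows\\explorer.exe|c:\\windows\\system32\\colorcpl.exe|colorcpl.exe",
    # Suspicious: colorcpl.exe handed bitsadmin.exe as an argument (the copy step).
    "2023-01-04T09:12:05|c:\\windows\\system32\\cmd.exe|c:\\windows\\system32\\colorcpl.exe|colorcpl.exe c:\\windows\\system32\\bitsadmin.exe",
    # Suspicious: bitsadmin.exe running from a non-system directory (placeholder path).
    "2023-01-04T09:12:09|c:\\windows\\system32\\cmd.exe|c:\\users\\public\\tmp\\bitsadmin.exe|bitsadmin.exe /list",
    # Benign: bitsadmin.exe running from System32.
    "2023-01-04T09:15:00|c:\\windows\\system32\\cmd.exe|c:\\windows\\system32\\bitsadmin.exe|bitsadmin.exe /list /allusers",
]

# Directories where bitsadmin.exe legitimately lives on a default install.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_event(line):
    """Split one pipe-delimited record into a dict; paths are lowercased for comparison."""
    ts, parent, image, cmdline = line.split("|", 3)
    return {"ts": ts, "parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}


def is_bitsadmin_outside_system_dir(ev):
    """True when the image is bitsadmin.exe but its directory is not a system directory."""
    if ntpath.basename(ev["image"]) != "bitsadmin.exe":
        return False
    return ntpath.dirname(ev["image"]) not in SYSTEM_DIRS


def is_colorcpl_given_executable(ev):
    """True when colorcpl.exe is launched with a .exe path on its command line."""
    if ntpath.basename(ev["image"]) != "colorcpl.exe":
        return False
    args = [a.strip('"').lower() for a in ev["cmdline"].split()[1:]]
    return any(a.endswith(".exe") for a in args)


RULES = {
    "colorcpl_passed_executable": is_colorcpl_given_executable,
    "bitsadmin_outside_system_dir": is_bitsadmin_outside_system_dir,
}


def scan(lines):
    """Return (timestamp, rule_name, image) for every record that matches a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((ev["ts"], name, ev["image"]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(*hit)
```

Both checks key on the image path and command line only, so they apply to any process-creation telemetry (Sysmon event ID 1, EDR process logs) once the fields are mapped; correlating the colorcpl.exe hit with a later bitsadmin.exe start from the same non-system directory is what turns the two weak signals into a strong one.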
@sans_isc A more complete list of indicators, #pcap files, and #Astaroth (#Guildma) malware samples from this diary are now available at: https://malware-traffic-analysis.net/2023/01/04/index.html
ISC diary: @malware_traffic finds more #malspam pushing #Astaroth (#Guildma) in January 2023 https://i5c.us/d29404
Ghimob Android Banking Trojan Targets 153 Mobile Apps - A banking trojan is targeting mobile app users in Brazil - and researchers warn that its operator ... https://threatpost.com/ghimob-android-banking-trojan/161075/ #mobilesecurity #bankingtrojan #cybercriminal #bankingfraud #mobileapp #android #guildma #tetrade #brazil #ghimob #google