A new variant of the information stealer Guildma (aka Astaroth) we analyzed last week is accessing Facebook and YouTube to get a fresh list of its C2 servers. The C2 list is encrypted and hosted in two Facebook and three YouTube profiles maintained and constantly updated by the cybercriminals.
This innovative strategy is probably helping the current infections to resist to expected C2 takedowns as access to Facebook and YouTube are usually allowed and not associated with malicious code activities.
The ongoing campaign has 76 C2 servers (and counting) and its main target is South America - especially Brazil. An analysis of a different variant made by Avast late last month  reported that 155,000 infections were blocked just by their own solution.
In this diary, we provide details on how Guildma employs its multiple-stage and evasion techniques from the infection to data exfiltration.
Follow the numbers in blue in the image above and the descriptions of each step below:
1. E-mail Phishing
As usual, the campaign starts with an e-mail phishing. The message supposedly comes from MINISTÉRIO PÚBLICO FEDERAL of Brazil, has no attachment but urges the user to click on a link. Take a look at the message:
2. The phishing link
A good tool to analyze "LNK" files is LECmd by Eric Zimmerman .
Most of the 11 files have disguising extensions, like JPG and GIF. However, just a few have meaningful content, like (halawxtz64a.dll and halawxtz64b.dll). These two files concatenated forms a DLL file which is loaded in the next stage. Most of the other files are encrypted using a custom algorithm.
4. DLL side loading
In this stage, it is employed a technique called DLL side-loading in which a legit program, intended to load its legit DLLs end up loading a malicious DLL with the same name from the current or from a specified path. Know more about DLL side-loading at .
The side-loading technique, in this case, is employed using the program “C:\Program Files (x86)\Internet Explorer\ExtExport.exe”. ExtExport is a legit binary part of Internet Explorer installation which loads DLLs named mozcrt19.dll, mozsqlite3.dll or sqlite3.dll from the specified path given as an argument. The perfect candidate for the job.
The ExtExport is loaded with the argument "C:\Users\Public\Libraries\win32" which contains the dropped files and the concatenation of halawxtz64a.dll and halawxtz64b.dll files, as seen below.
5. Process Hollowing
Now, the malicious DLL running under the ExtExport process employs another evasive technique called Process Hollowing. Process Hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with malicious code .
The "process-hollowed" program in this scenario is "C:\Program Files\Diebold\Warsaw\unins000.exe". It is part of Diebold Warsaw installation—a security suite largely used and installed in most systems used to access online banking in Brazil.
The content injected in the suspended unins000.exe process memory is the concatenation of halawxtzxa.~ and halawxtzxb.~ files. After the memory injection, the process is resumed (ResumeThread) as seen in the following image.
6. Obtaining C2 addresses in an innovative way
There are some suspect addresses hardcoded into the binaries, however, the C2 addresses used to exfiltrate data are obtained from Facebook and Youtube profiles maintained and constantly updated by the cybercriminals.
Take a look at the DNS requests to YouTube and Facebook shortly before a C2 name resolution.
Following two of the Facebook and YouTube requested URLs, we reached the following contents:
The suspecting content, between "|||" marks, is base64 encoded. However simple decoding isn't enough as the data is encrypted as well. For example, base64 decoding the sequence "Sm5EblBrT25HbkluRm5BbVVtU25…" results in "JnDnPkOnGnInFnAmUm…", which is not meaningful.
Analyzing a little bit deeper the malware code, specifically at the moment it reaches Facebook and YouTube URLs, it was possible to understand the decryption process and reverse it.
To make things easy, we created a Python script to automate the job, as seen below.
Applying this decryption function to one of this campaign's Facebook post we got a list of multiple addresses that would later be used by the malware as C2 servers:
It's important noting that this is just part of the C2 addresses used in this campaign. Thanks to Facebook's editing history feature, it was possible to decrypt all messages from June 30, 2019, to now.
The result is a list of 76 unique C2 servers.
7. Running information stealers
Once C2 addresses are loaded, the malware starts loading the information stealers modules. The code for each information stealer is decrypted from the dropped files, like "halawxtza.jpg", and instanciated as child processes.
One of the modules focuses on stealing passwords stored in different applications, like Web Browsers and E-mail Clients, as seen below.
The captured information, including screen captures, is encrypted and stored in files inside the path “C:\Users\Public\Libraries\win32”, as seen below.
8. Data exfiltration
The captured data is sent to one of the C2 servers retrieved in step 6.
In the example below, the information is sent to C2 "soy-tower-248822[.]appspot[.]com" via HTTPS.
Additionally to SSL, the exfiltrated data receive two layers of encryption. One to tell the C2 the filename and the other for its content.
Final commentsThis sample shows us the importance of truly understanding threats' TTPs (Tactics, Techniques, and Procedures) in addition to simply using IP and file hashes indicators - it reminds me of the Pyramid of Pain concept . An environment infected with this variant of Guildma relying solely on blocking C2 IP addresses as they are discovered, would not stop the threat as fresh C2 addresses may be continually retrieved from apparently trusted sources.
Facebook and YouTube were reported about the profiles involved in this malicious campaign.
Facebook and YouTube URLs
Aug 20th 2019
6 months ago