From cb422c21900038648faa5f19de20e426a85d09eb Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Wed, 24 Aug 2022 14:07:01 +0200
Subject: [PATCH] update Guildma

---
 clusters/rat.json | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/clusters/rat.json b/clusters/rat.json
index f9c5e10..4d199ed 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -3480,9 +3480,12 @@
 "description": "The campaign spreads via phishing emails posing as invoices, tax reports, invitations and similar types of messages containing a ZIP archive attachment with a malicious LNK file. When a user opens the malicious LNK file, it abuses the Windows Management Instrumentation Command-line tool and silently downloads a malicious XSL file. The XSL file downloads all of Guildma’s modules and executes a first stage loader, which loads the rest of the modules. The malware is then active and waits for commands from the C&C server and/or specific user interactions, such as opening a webpage of one of the targeted banks.",
 "meta": {
 "refs": [
- "https://www.securityweek.com/guildma-malware-expands-targets-beyond-brazil"
+ "https://www.securityweek.com/guildma-malware-expands-targets-beyond-brazil",
+ "https://www.securityweek.com/extensive-living-land-hides-stealthy-malware-campaign",
+ "https://isc.sans.edu/diary/rss/28962",
+ "https://otx.alienvault.com/pulse/6303804723bccc7e3caad737?utm_userid=alexandre.dulaunoy@circl.lu&utm_medium=InProduct&utm_source=OTX&utm_content=Email&utm_campaign=new_pulse_from_subscribed"
 ],
- "synonyms": []
+ "synonyms": ["Astaroth"]
 },
 "uuid": "833ed94d-97c1-4b57-9634-c27bf42eb867",
 "value": "Guildma"
@@ -3531,5 +3534,5 @@
 "value": "Ragnatela"
 }
 ],
- "version": 38
+ "version": 39
 }
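Review bot: The fourth added entry in the `refs` array is an OTX e-mail notification link whose `utm_userid=` parameter embeds a personal e-mail address, so the commit writes PII into a public dataset and ties the reference to one subscriber's tracking parameters rather than the canonical pulse URL. Trim it to `"https://otx.alienvault.com/pulse/6303804723bccc7e3caad737"` and drop the other `utm_*` parameters, which only affect analytics, not the resource. The `synonyms` array is written inline as `["Astaroth"]` whereas the `refs` array in the same hunk puts one element per line; matching that layout keeps future diffs consistent. The enclosing cluster object begins before the hunk.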