all InfoSec news
Guildma is now abusing colorcpl.exe LOLBIN, (Fri, May 5th)
Malware Analysis, News and Indicators - Latest topics malware.news
While analyzing a Guildma (AKA Astaroth) sample recently uploaded to MalwareBazaar [1], we came across a chain of LOLBIN abuse. It is not uncommon to see malicious code using the LOLBIN ‘bitsadmin.exe’ to download artifacts from the Internet. However, what is interesting in this case is that Guildma first copies ‘bitsadmin.exe’ to a less suspect path using ‘colorcpl.exe’, another LOLBIN, before executing it.
Article Link: https://isc.sans.edu/diary/rss/29814
1 post - 1 participant
abuse abusing artifacts astaroth bitsadmin case code download guildma internet lolbin malicious malwarebazaar may uncommon what is