Guatambu: new multi-component InfoStealer drops Kartoxa POS Malware (Apr 08, 2016)


The Dell Sonicwall Threats Research team observed reports of a new multi-component InfoStealer family named GAV: Guatambu.AAB and GAV: Guatambu.POS actively spreading in the wild.

Guatambu malware gathers confidential information from the computer such as login details, passwords; financial information sends it to its own C&C Server.

One major component of Guatambu contains features such as memory scrapping functions.

The Malware drops Kartoxa POS Malware on the target system.

Infection Cycle:


  • 823c663a4aecdc74e36fb224c2ff1ddc Detected as GAV: Guatambu.AAB (Trojan)
  • fa88a7c8e6779993eb70370c9263b3c3 Detected as GAV: Guatambu.POS (Trojan)

The Malware adds the following files to the system:

  • %Userprofile%Start MenuProgramsStartupWordPad.exe Detected as GAV: Guatambu.AAB (Trojan)
  • %Userprofile%Application DataTaskhost.exe Detected as GAV: Guatambu.AAB (Trojan)
  • %Userprofile%Application DataDwn.exe Detected as GAV: Guatambu.AAB (Trojan)
  • %Userprofile%Application DataPOS.exe Detected as GAV: Guatambu.POS (Trojan)
  • %Userprofile%Application DataOutput.txt [POS Credit Card Data ]

The Malware adds the following keys to the Windows registry:

  • HKEY_CURRENT_USERSoftwareVB and VBA Program SettingsGUIDGUID=520EAFA9
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterUACDisableNotify= dword:00000000

The Malware running following commands on the system:

Once the computer is compromised, the malware copies its own Executable files to Userprofile folder.

The malware starts to communicate with its own domain to see if there is new update and updates its own sample and also starts to download the POS Component Detected as GAV: Guatambu.POS (Trojan).

For Guatambu, the goal is to collect as much data as possible; the more details about the user that end up in the hands of the remote attacker, the bigger the potential profit.

The malware gathers data such as following examples:

  • &admin=
  • &hid=
  • &arc=
  • &user=USERNAME
  • Full
  • &ram=
  • &cpu=
  • &gpu=

Once Guatambu Downloads the POS Component, the malware retrieves a list of running processes; the malware is responsible for scraping the memory of current processes on the infected machine for Credit Card information periodically, such as following example:

Command and Control (C&C) Traffic

Guatambu performs C&C communication over TCP and UDP Protocols.

The malware sends your Computer information to its own C&C server via following format, here are some examples:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Guatambu.AAB
  • GAV: Guatambu.POS
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.