Guatambu: new multi-component InfoStealer drops Kartoxa POS Malware

April 8, 2016

The Dell Sonicwall Threats Research team observed reports of a new multi-component InfoStealer family named GAV: Guatambu.AAB and GAV: Guatambu.POS actively spreading in the wild.

Guatambu malware gathers confidential information from the computer such as login details, passwords; financial information sends it to its own C&C Server.

One major component of Guatambu contains features such as memory scrapping functions.

The Malware drops Kartoxa POS Malware on the target system.

Infection Cycle:


  • 823c663a4aecdc74e36fb224c2ff1ddc Detected as GAV: Guatambu.AAB (Trojan)
  • fa88a7c8e6779993eb70370c9263b3c3 Detected as GAV: Guatambu.POS (Trojan)

The Malware adds the following files to the system:

  • %Userprofile%Start MenuProgramsStartupWordPad.exe Detected as GAV: Guatambu.AAB (Trojan)
  • %Userprofile%Application DataTaskhost.exe Detected as GAV: Guatambu.AAB (Trojan)
  • %Userprofile%Application DataDwn.exe Detected as GAV: Guatambu.AAB (Trojan)
  • %Userprofile%Application DataPOS.exe Detected as GAV: Guatambu.POS (Trojan)
  • %Userprofile%Application DataOutput.txt [POS Credit Card Data ]

The Malware adds the following keys to the Windows registry:

  • HKEY_CURRENT_USERSoftwareVB and VBA Program SettingsGUIDGUID=520EAFA9
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterUACDisableNotify= dword:00000000

The Malware running following commands on the system:

Once the computer is compromised, the malware copies its own Executable files to Userprofile folder.

The malware starts to communicate with its own domain to see if there is new update and updates its own sample and also starts to download the POS Component Detected as GAV: Guatambu.POS (Trojan).

For Guatambu, the goal is to collect as much data as possible; the more details about the user that end up in the hands of the remote attacker, the bigger the potential profit.

The malware gathers data such as following examples:

  • &admin=
  • &hid=
  • &arc=
  • &user=USERNAME
  • Full
  • &ram=
  • &cpu=
  • &gpu=

Once Guatambu Downloads the POS Component, the malware retrieves a list of running processes; the malware is responsible for scraping the memory of current processes on the infected machine for Credit Card information periodically, such as following example:

Command and Control (C&C) Traffic

Guatambu performs C&C communication over TCP and UDP Protocols.

The malware sends your Computer information to its own C&C server via following format, here are some examples:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Guatambu.AAB
  • GAV: Guatambu.POS