While analyzing a Guildma (AKA Astaroth) sample recently uploaded to MalwareBazaar [1], we came across a chain of LOLBIN abuse. It is not uncommon to see malicious code using the LOLBIN ‘bitsadmin.exe’ to download artifacts from the Internet. However, what is interesting in this case is that Guildma first copies ‘bitsadmin.exe’ to a less suspect path using ‘colorcpl.exe’, another LOLBIN, before executing it.
Article Link: https://isc.sans.edu/diary/rss/29814