Italian Security Firm Allegedly Pushed Malware: Report
Check Point Research Claims Firm Sold CloudEyE Dropper Trojan
An Italian cybersecurity company was allegedly a front for a criminal gang selling access to a GuLoader-related dropper Trojan known as CloudEyE, according to analysts at the security firm Check Point Research.
The website of the firm, also called CloudEyE, was taken down on June 10 and replaced with a message signed by a person who had also been spotted on darknet forums offering another malware strain, DarkEyE, according to Check Point Research.
The message on the site states that CloudEyE sold legitimate security software but admits some users may have used the software for illegal purposes.
Check Point Research analysts say CloudEyE operated for four years as a legally registered Italian company running a publicly available website.
"Code randomization, evasion techniques and payload encryption used in CloudEyE [dropper] protect malware from being detected by many of the existing security products on the market," according to the Check Point Research report.
Before CloudEyE's site went offline, Check Point analysts found information indicating the company had more than 5,000 customers and sold three monthly subscription tiers at $100, $200 and $750.
The discovery was made during Check Point's ongoing study of the GuLoader dropper, which the researchers say is used in hundreds of attacks each day to deliver a wide variety of malware. While breaking down GuLoader samples, the researchers found them to be related to another malware family named DarkEyE Protector.
"The DarkEyE samples have a lot in common with the GuLoader samples. They both are written in Visual Basic, contain a shellcode encrypted with a 4-byte XOR key, and have the same payload decryption procedure," according to the report.
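A fixed 4-byte repeating XOR key is weak protection precisely because a small known-plaintext fragment is enough to recover it. The following is an added example written for this article; it is not Check Point's tooling and does not reproduce GuLoader's or DarkEyE's actual encryption routine. It recovers a 4-byte XOR key from a blob by sliding a "crib" (a plaintext fragment the analyst expects, here an assumed x86 function prologue) across the data and keeping the first offset where the derived key bytes are self-consistent. The sample key, blob and prologue bytes are constructed for the demonstration.

```python
"""Recover a 4-byte repeating XOR key from an encrypted blob using a known-plaintext crib.

Added example for this article; not Check Point's code and not GuLoader's real routine.
"""
from itertools import cycle
from typing import Optional

KEY_LEN = 4

# Assumed crib: a common x86 prologue (push ebp; mov ebp,esp; sub esp,0x10; push ebx; push esi).
# Any plaintext fragment longer than the key length that the analyst expects works the same way.
CRIB = b"\x55\x8b\xec\x83\xec\x10\x53\x56"

# Constructed sample: a 3-byte preamble (so the crib is NOT 4-byte aligned), the prologue,
# and some trailing bytes, encrypted under a constructed key.
SAMPLE_KEY = b"\xde\xad\xbe\xef"
SAMPLE_PLAINTEXT = b"\x90\x90\x90" + CRIB + b"trailing payload bytes\x00"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


SAMPLE_BLOB = xor_with_key(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def recover_key(blob: bytes, crib: bytes, key_len: int = KEY_LEN) -> Optional[bytes]:
    """Slide the crib across the blob. At each offset, every crib byte implies one key byte
    (blob ^ crib) at position (offset + i) % key_len. If the crib is longer than the key,
    positions are constrained more than once; the first offset where all constraints agree
    yields the key, already rotated into the blob's own alignment."""
    if len(crib) < key_len:
        raise ValueError("crib must be at least key_len bytes to fix every key position")
    for offset in range(len(blob) - len(crib) + 1):
        key = [None] * key_len
        consistent = True
        for i, crib_byte in enumerate(crib):
            pos = (offset + i) % key_len
            kb = blob[offset + i] ^ crib_byte
            if key[pos] is None:
                key[pos] = kb
            elif key[pos] != kb:
                consistent = False
                break
        if consistent:
            return bytes(key)  # all positions filled because len(crib) >= key_len
    return None


def decrypt_with_crib(blob: bytes, crib: bytes) -> Optional[bytes]:
    """Recover the key and return the decrypted blob, or None if the crib never fits."""
    key = recover_key(blob, crib)
    if key is None:
        return None
    return xor_with_key(blob, key)


if __name__ == "__main__":
    key = recover_key(SAMPLE_BLOB, CRIB)
    print("recovered key:", key.hex() if key else None)
    print("plaintext:", decrypt_with_crib(SAMPLE_BLOB, CRIB))
```

Cribs shorter than twice the key length give only a few consistency checks and will occasionally match at a wrong offset on large blobs; in practice, validate the candidate by checking that the decrypted output disassembles sensibly or matches further expected structure rather than trusting the first hit.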
The Check Point team then began scouring both the public internet and dark web forums for additional clues.
The team found a 2014 advertisement for a supposed security software product named DarkEyE. A further search turned up an older posting about DarkEyE on a dark web forum by a user named "sonykuccio." That older posting described the software "as a crypter that can be used with different malware, such as stealers, keyloggers, and RATs [remote access Trojans], and makes them fully undetectable for antiviruses," according to the report.
DarkEyE Becomes CloudEyE
At some point, the software’s name was changed from DarkEyE to CloudEyE, with the actors behind the software claiming it could be used for "protecting Windows applications from cracking, tampering, debugging, disassembling, dumping," as quoted by Check Point from the site.
The research firm was then able to link CloudEyE to GuLoader, and thus to DarkEyE. The CloudEyE site operators made this somewhat easy by linking to instructional videos on YouTube that revealed similarities between GuLoader and CloudEyE, according to the report.
Referring to a screenshot reproduced in its report, Check Point Research notes: "This is a placeholder for a URL that is used in some of GuLoader samples for downloading joined files (decoy images in our previous research). Way too much coincidence for us to find it here!"
Check Point then ran a further test, using CloudEyE to "protect" an application, and found that the resulting file contained GuLoader.
The researchers searched for the handle sonykuccio, seen in the original DarkEyE posting, in publicly available leaked email databases and found several entries. In a PDF that was uncovered, the name Sebastiano Dragna appeared alongside the email address used by sonykuccio, according to the report.
Sebastiano Dragna is one of the names on the message currently posted on CloudEyE's website. The researchers found no connection between the second name on that message, Ivano Mancini, and any other activity, according to the report.