An Italian company that sells what it describes as a legitimate encryption utility is being used as malware packer for the cloud-delivered malicious GuLoader dropper, claim researchers. The tool, according a recent investigation, creates GuLoader samples and helps the malware avoid antivirus detection.
For its part, the company claims it has taken steps to prevent bad actors from using its wares for ill.
According to researchers at Check Point, the company identified as CloudEyE is looking to take a piece of the traditional packer and crypter market – a thriving arena that caters to malware authors looking for obfuscation for their wares.
GuLoader is a widespread dropper that compromises targets and then delivers second-stage malware. It’s been constantly updated over the course of 2020, according to Check Point, with new binaries sporting sandbox evasion techniques, code randomization features, command-and-control (C2) URL encryption and additional payload encryption.
“As a result, we can reasonably assume that behind GuLoader there is a major new service” providing various forms of encryption, according to the researchers.
Further investigation uncovered just such a service, which researchers said is “created and maintained by an Italian company that pretends to be completely legitimate and aboveboard, and even has a website in Clearnet that uses the .eu domain zone,” the analysis concluded.
When Threatpost reached out to CloudEyE, a spokesperson said that the company “can help [security researchers] by revoking CloudEyE licenses to the users who are abusing our product.” The person added, “CloudEyE is not connected anymore to hack forums or other hackers’ forums.”
From DarkEyE to to CloudEyE to GuLoader
In Check Point’s recent investigation of GuLoader, which has ramped up its activity so far this year, the firm noticed that another malware sample was being flagged at as a variant of the dropper. However, there was one crucial difference – these samples did not contain URLs for downloading a second payload.
Further investigation pointed to the malware being something called DarkEyE Protector, which shows up in underground forum threads from as far back as 2014, posted by a user called “sonykuccio.”
“The ads describe DarkEyE as a crypter that can be used with different malware such as stealers, keyloggers and RATs (remote access trojans), and makes them fully undetectable for antiviruses (FUD),” said the researchers. “This left us with no doubt that this software was developed to protect malware from discovery by antiviruses, as the authors didn’t forget to emphasize that they ‘don’t take any responsibility for the use’ of DarkEyE.”
The DarkEyE samples have much overlap with GuLoader samples. Both are written in VisualBasic, contain a shellcode encrypted with 4-byte XOR keys, and have the same payload decryption procedure – which explains the mistaken identity within Check Point’s antimalware analysis.
The ads for DarkEyE contain a website address to go to for more information: securitycode[.]eu. Fast forward to 2020, and that same address is now focused on what appears to be a related product, called CloudEyE. This is advertised as security software intended for “protecting Windows applications from cracking, tampering, debugging, disassembling, dumping,” according to the site.
“But [elsewhere on the website] contains several YouTube video tutorials on how to use CloudEyE, and, as it turned out, how to abuse Google Drive and OneDrive,” according to Check Point. “[These] show how to store payloads on cloud drives…which usually perform antivirus checking and technically don’t allow the upload of malware. However, payload encryption implemented in CloudEyE helps to bypass this limitation.”
And further, those videos contained the same URL pattern that’s found in GuLoader samples.
“[The pattern is] a placeholder for a URL that is used in some of GuLoader samples for downloading joined files (decoy images in our previous research),” the researchers said. “Way too much coincidence for us to find it here!”
The analysts, following a hunch, downloaded CloudEyE and used it to encrypt an executable file, turning it into a full-fledged binary that can unpack itself and fetch additional payloads – just like GuLoader. In the results of the emulation, Check Point found that CloudEyE produces samples that are indeed universally acknowledged as GuLoader malwar.
“We decided to analyze it manually and compare with a real GuLoader sample that we saw in the wild,” the researchers said.
Using a recent GuLoader sample which downloads the Formbook malware, the researchers decrypted the shellcode from both CloudEyE and GuLoader.
“To make it harder for automatic analysis and probably also to prevent automatic decryption, the shellcode starts from a random stub and is prepended with a jump over this stub,” Check Point’s analysis explained. “In both samples, the same space on the stack is reserved for a structure with global variables. Variables in the structure have the same offset. Most of the code chunks differ only due to the applied randomization techniques. The useful code is the same in both samples.”
Also, the URLs for downloading the payload are the same, too.
“We can therefore conclude that the samples are almost identical and differ only generally due to applied code randomization techniques,” according to the analysts.
Even so, the CloudEyE spokesperson said that DarkEyE Protector was never meant to be malicious — rather, it has been cracked, tampered with and abused multiple times, which is why the project was discontinued. “You can see some YouYube videos as proof,” the person said.
As for who’s behind CloudEye, Check Point researchers started with the “sonykuccio” name found in the DarkEyE ads.
“Sonykuccio is an old and established visitor to hacker forums,” the researchers explained. “We saw that he started selling DarkEyE in the beginning of 2011. But even before creating DarkEyE Protector, Sonykuccio was already providing services for protecting malware against anti-viruses (FUD service) and a spreading service for malware.”
Running the name and associated email address through publicly available leaked email databases turned up several entries related to “Sonykuccio,” including a hit that tied the email address to the name “Sebastiano Dragna.”
The website indeed frames CloudEyE as having been developed by a legitimate company, and the spokesperson maintains that hacking is behind any tie to Sonykuccio: “We do not have any connection to ‘sonykuccio’ because that account has been compromised through some leaks.”
Nonetheless, the obfuscated malware that Check Point said is created by CloudEyE – GuLoader, in other words – is showing up in hundreds of attacks every day in different campaigns, researchers said – most of them rolled out by unsophisticated threat actors. In fact, up to a quarter of all packed samples that Check Point detects are GuLoaders. The dropper in turn delivers “a huge number of malware types,” from many different threat actors.
“CloudEyE operations may look legal, but the service provided by CloudEyE has been a common denominator in thousands of attacks over the past year,” Check Point concluded. “Code randomization, evasion techniques and payload encryption used in CloudEyE protect malware from being detected by many of the existing security products on the market. Surprisingly, such a service is provided by a legally registered Italian company that operates a publicly available website which has existed for more than four years.”