Check Point: An Italian company earned up to $500,000 helping cybercriminals deliver malware
An Italian company operating openly on the clearnet earned up to $500,000 helping cybercriminals deliver malware through cloud drives. The finding comes from Check Point security researchers, who have been tracking the network dropper known as GuLoader. GuLoader has been distributed very actively in 2020 and is used to deliver malicious payloads hosted on cloud services such as Google Drive. The researchers repeatedly came across samples detected as GuLoader that contained no URL for downloading the payload. Manual analysis of those samples showed that the payload was embedded in the sample itself, and those samples appeared to be related to DarkEyE Protector.
The researchers identified CloudEyE as the evolution of DarkEyE Protector and the product behind GuLoader. It is sold through the website securitycode.eu.
The researchers searched the web for "DarkEyE Protector" and found a forum thread from 2014 in which it was advertised by a user known as "xor". They also found earlier ads for DarkEyE on the same forum, posted by the user "sonykuccio", and one of those ads mentions the website securitycode.eu. Today that website focuses on a different product, CloudEyE. The company presents itself as legitimate: according to its website, the software is intended for "Protecting windows applications from cracking, tampering, debugging, disassembling, dumping." However, the website also hosts several YouTube video tutorials on how to use CloudEyE which, as it turned out, show how to abuse Google Drive and OneDrive. Moreover, while watching one of the videos on the website, the researchers noticed the same URL patterns they had seen earlier in GuLoader. Finally, they confirmed by testing that the two pieces of software are the same.
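A small triage script, added here as an example and not part of Check Point's research or of CloudEyE itself, illustrates the kind of check a responder would run on a suspected GuLoader sample: extract the URLs embedded in a binary (including UTF-16LE strings, which Windows executables commonly use) and flag those that point at cloud-drive hosts. The host list, the direct-download URL shapes and the sample bytes are assumptions constructed for the example; the article does not publish the real URL patterns.

```python
import re
from urllib.parse import urlparse, parse_qs

# Cloud-drive hosts treated as suspicious payload sources. This list and the
# direct-download URL shapes below are assumptions made for this example; the
# Check Point write-up does not publish GuLoader's exact URL patterns.
CLOUD_DRIVE_HOSTS = {
    "drive.google.com": "gdrive",
    "docs.google.com": "gdrive",
    "onedrive.live.com": "onedrive",
    "1drv.ms": "onedrive",
}

URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def extract_urls(data: bytes) -> list:
    """Return unique URLs found in a blob, as plain ASCII and as UTF-16LE.

    Windows binaries commonly store strings as UTF-16LE, and a wide string may
    start at an odd offset, so both byte alignments are decoded and rescanned.
    """
    candidates = [data]
    for start in (0, 1):
        wide = data[start:].decode("utf-16-le", "ignore").encode("ascii", "ignore")
        candidates.append(wide)
    seen = []
    for blob in candidates:
        for m in URL_RE.finditer(blob):
            url = m.group(0).decode("ascii")
            if url not in seen:
                seen.append(url)
    return seen


def classify(url: str):
    """Label a URL as a cloud-drive direct download, a cloud-drive link, or None."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    vendor = CLOUD_DRIVE_HOSTS.get(host)
    if vendor is None:
        return None
    qs = parse_qs(p.query)
    # Google Drive's direct-download form is /uc?export=download&id=...
    if vendor == "gdrive" and p.path == "/uc" and qs.get("export") == ["download"]:
        return "gdrive-direct-download"
    # OneDrive direct downloads are served from a /download path (assumed form).
    if vendor == "onedrive" and p.path.startswith("/download"):
        return "onedrive-direct-download"
    return vendor + "-link"


def triage(data: bytes) -> dict:
    """Extract URLs from a sample and return those pointing at cloud drives."""
    urls = extract_urls(data)
    flagged = {}
    for u in urls:
        label = classify(u)
        if label:
            flagged[u] = label
    return {"urls": urls, "flagged": flagged}


# Constructed stand-in for a sample: an ASCII URL, a UTF-16LE URL at an odd
# offset, and a benign URL. Not a real GuLoader/CloudEyE artifact.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"https://drive.google.com/uc?export=download&id=1AbCdEfGhIjKlMnOp\x00"
    + "https://onedrive.live.com/download?cid=ABCD&resid=ABCD%21123".encode("utf-16-le")
    + b"\x00\x00"
    + b"https://example.com/update.txt\x00"
)

if __name__ == "__main__":
    result = triage(SAMPLE)
    for url in result["urls"]:
        print(f"{result['flagged'].get(url, 'other'):26} {url}")
```

Run against a real file by replacing SAMPLE with its bytes. A sample that yields no URL at all is the case the researchers hit: the payload is embedded rather than fetched, and it has to be carved out by manual analysis instead.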
The people behind the firm are Italians, and one of them, Sonykuccio, is an old acquaintance of the infosec community.