Italian company earned up to $ 500,000 helping cybercrime to deliver malware

Checkpoint: An Italian company earned up to $ 500,000 helping cybercrime to deliver malware

An Italian company operating openly on the clearnet earned up to $ 500,000 helping cybercriminals deliver malware through cloud drives. It was discovered by Checkpoint cyber security experts, who have been monitoring the dropper known as GuLoader, which was distributed very actively in 2020 and is used to deliver malicious code with the help of cloud services such as Google Drive. The researchers repeatedly encountered samples that were detected as GuLoader but did not contain URLs for downloading the payload. During manual analysis of such samples, they found that the payload was embedded in the sample itself. Those samples appear to be related to DarkEyE Protector.

The cyber security experts discovered the evolution of GuLoader and DarkEyE Protector: CloudEyE, sold through the website securitycode.eu

The cyber security experts searched for “DarkEyE Protector” on the web and found a thread from 2014 in which it was advertised by a user known as “xor”. They also found some earlier ads for DarkEyE on the same website, posted by the user “sonykuccio”. One of these ads mentions the website securitycode.eu. Currently, however, this website focuses on another product, CloudEyE. The company pretends to be legitimate: according to its website, the security software is intended for “Protecting windows applications from cracking, tampering, debugging, disassembling, dumping.” But the website also contains several YouTube video tutorials on how to use CloudEyE and, as it turned out, how to abuse Google Drive and OneDrive. Moreover, while watching one of the videos on this website, the researchers noticed the same URL patterns they had seen earlier in GuLoader. Finally, they verified that the two pieces of software are the same.

The people behind the firm are Italians, and one of them, Sonykuccio, is an old acquaintance of the infosec community

Checkpoint also tried to find out who was behind DarkEyE Protector, CloudEyE and GuLoader. The researchers looked for the emails and usernames in publicly available leaked email databases and managed to find several entries related to “sonykuccio”. In one of them, they found an Italian name. It is the same as the one in the Privacy Policy section of the website securitycode.eu. Moreover, Sonykuccio is an old and established visitor of hacker forums. The cyber security experts saw that he started selling DarkEyE at the beginning of 2011. But even before creating DarkEyE Protector, he was already providing services for protecting malware against anti-viruses (a FUD service) and a spreading service for malware. Finally, it is the company itself that reveals its revenues. The website claims that its customer base numbers over 5,000. As they sell their basic package for $ 100 per month, this allows us to estimate their monthly income at $ 500,000.