Cybercrime , Fraud Management & Cybercrime , Malware as-a-Service

Italian Security Firm Allegedly Pushed Malware: Report

Check Point Research Claims Firm Sold CloudEyE Dropper Trojan
Italian Security Firm Allegedly Pushed Malware: Report
Note currently posted on the CloudEyE website (Source: ISMG/Check Point Research)

An Italian cybersecurity company, allegedly was a front for a criminal gang selling access to a GuLoader-related dropper Trojan known as CloudEyE, according to analysts at the security firm Check Point Research.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

The website of the firm, also known as CloudEyE, was taken down on June 10 and replaced with a message signed by a person who also had been spotted in darknet forums offering another malware strain called DarkEyE, according to the Check Point Research.

The message on the site states that CloudEyE sold legitimate security software but admits some users may have used the software for illegal purposes.

Check Point Research analysts say CloudEyE operated for four years as a legally registered Italian company running a publicly available website.

"Code randomization, evasion techniques and payload encryption used in CloudEyE [dropper] protect malware from being detected by many of the existing security products on the market," according to the Check Point Research report.

Prior to CloudEyE's site going offline, Check Point analysts found information indicating the company had more than 5,000 customers and sold three monthly levels of service for $100, $200 and $750.

GuLoader Connection

The discovery was made during Check Point's ongoing study of the dropper GuLoader, which the researchers say is used in hundreds of attacks each day to deliver a wide variety of malware. While breaking down some samples of GuLoader, researchers found them to be related to another malware variant named DarkEyE Protector.

"The DarkEyE samples have a lot in common with the GuLoader samples. They both are written in VisualBasic, contain a shellcode encrypted with 4-bytes XOR key, and have the same payload decryption procedure," according to the report.

The Check Point team then began scouring both the public internet and dark web forums for additional clues.

The team found an advertisement dating from 2014 for a supposed security software product named DarkEyE. But another search turned up an older posting for DarkEyE on a dark web forum by a user named "sonykuccio." That older posting described the software "as a crypter that can be used with different malware, such as stealers, keyloggers, and RATs [remote access Trojans], and makes them fully undetectable for antiviruses," according to the report.

DarkEyE Becomes CloudEyE

At some point, the software’s name was changed from DarkEyE to CloudEyE, with the actors behind the software claiming it could be used for "protecting Windows applications from cracking, tampering, debugging, disassembling, dumping," as quoted by Check Point from the site.

The research firm was then able to establish a link between CloudEyE and GuLoader - and thus DarkEyE. The CloudEyE site operators made this somewhat easy by linking to instructional videos on YouTube that showed similarities between GuLoader and CloudEye, according to the report.

Same URL pattern in the CloudEyE YouTube video and GuLoader samples (Source: Check Point Research)

The Check Point Research report points out in the above image: "This is a placeholder for a URL that is used in some of GuLoader samples for downloading joined files (decoy images in our previous research). Way too much coincidence for us to find it here!"

Check Point then ran a further test using CloudEyE to "protect" an app and instead found it contained GuLoader.

Additional Evidence

The researchers searched for the name sonykuccio, found with the original malware, in publicly available leaked email databases and found several entries. In a PDF that was uncovered, the name Sebastiano Dragna was found along with the email being used by sonykuccio, according to the report.

Additionally, the name Sebastiano Dragna Fabio was found in CloudEyE's privacy policy, according to Check Point Research.

Sebastiano Dragna is one of the names on the message currently posed to CloudEyE's website. But the researchers found no connections between the second name on the site's message, Ivano Mancini, and any other activity, according to the report.

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.