Legit Italian company CloudEyE made more than $500,000 from selling GuLoader malware crypter to hackers and cybercriminals
This is one company that won’t ever be proud of its operations. A company called CloudEyE, based in Italy, operated a legitimate-looking website offering binary protection against reverse engineering for Windows applications. But it had a dark side: it was secretly selling a top malware crypter to cybercriminals and hackers. The Italian company also secretly advertised and provided its services to malware authors.
All was going well for the company until its core business was noticed by security researchers investigating the new GuLoader malware. Researchers from Check Point, Morphisec, and Proofpoint began analysing GuLoader, a new malware strain that rose to become one of the most active malware operations of 2020. This ultimately led them to the main seller of GuLoader, CloudEyE.
GuLoader is a portable executable (PE) file that is often observed embedded in a container file such as a .iso or .rar file. GuLoader is used predominantly to download remote access Trojans (RATs) and information stealers such as Agent Tesla/Origin Logger, FormBook, NanoCore RAT, Netwire RAT, Remcos RAT, Ave Maria/Warzone RAT, and Parallax RAT.
Researchers at Check Point found direct links between GuLoader and CloudEyE. Once they dissected the GuLoader code, they found several references in it to CloudEyE Protector, an anti-reverse-engineering software service sold by CloudEyE. Source code protection services are legal and widely used worldwide, so the Check Point researchers dug further and found CloudEyE and its owners linked to activity on hacking forums going back years.
The researchers then found the direct CloudEyE connection when they stumbled upon the CloudEyE binary protection service being advertised on securitycode.eu, a site that also promoted a malware crypting service named DarkEyE. The researchers found that DarkEyE had been heavily advertised on hacking forums as far back as 2011.
Check Point researchers also linked three usernames and emails used to promote DarkEyE to the real-world identity of one of the CloudEyE founders, as displayed on the CloudEyE website. They found these emails and usernames linked to multiple posts on hacking forums.
Check Point researchers estimate that CloudEyE pulled in at least $500,000 in revenue marketing its malware products. At one point, the CloudEyE team boasted on its website of having more than 5,000 customers, with some monthly plans going up to $750/month.
GuLoader seems to be their top product. A report published by Check Point lists several connections between CloudEyE and GuLoader. The most obvious is that the code of apps passed through the CloudEyE Protect app contained patterns similar to those in GuLoader malware samples spotted in the wild. This connection was so strong that any random app passed through the CloudEyE app would almost certainly be detected as a GuLoader malware sample, despite being a legitimate app.
After Check Point’s damning report on Monday, CloudEyE denounced the report and blamed the tool’s use in malware operations on abuse by its users, carried out without the company’s knowledge. However, members of the cyber-security community dismissed the company’s statement as “poor lies” and have called on Italian authorities to investigate the company and its two founders.
Based on Check Point’s report, the two are at risk of being investigated on charges of aiding and abetting a criminal operation and money laundering. At the time of writing, CloudEyE had shut down the website offering its services.