Italian company implicated in GuLoader malware attacks
While analyzing the network dropper GuLoader, researchers found an almost identical commercial software tool called CloudEye offered by a legitimate-looking Italian company.
While tracking a new security threat known as "GuLoader," researchers at Check Point Software Technologies discovered more than just a malicious software installer.
GuLoader has been on the radar of a number of security vendors this year. According to a new report this week, Check Point Research said the installer or network dropper "has been very actively distributed in 2020 and is used to deliver malware with the help of cloud services such as Google Drive," with hundreds of attacks using GuLoader being observed every day.
An investigation into GuLoader led the security vendor to the website of an Italian security software company that offered a product called CloudEye. While the company's operations and clearnet website appeared legitimate, purporting to provide software that protects Windows applications, it was actually selling a product comparable to GuLoader and undetectable by antivirus software, according to Check Point.
In its report titled "GuLoader? No, CloudEye," Check Point estimates the Italian company makes a monthly income of $500,000 from sales to cybercriminals. And, according to Maya Levine, Check Point's technical marketing engineer for cloud security, it's been a legally registered Italian company operating a publicly available website for years. This form of sales is unusual because attackers commonly do their business on the dark web, Levine said. Though the company isn't hiding on the dark web, finding CloudEye wasn't a simple process.
"While monitoring GuLoader we repeatedly encountered samples that our systems detected as GuLoader, but they didn't have the URL in them for downloading the payload," Levine said. "When we looked at it manually and analyzed it, we found the payload is embedded in the sample itself. It was slightly different than GuLoader -- it was something called DarkEye."
After a search for DarkEye on the dark web, Check Point researchers found multiple advertisements that described it as a cryptor that could be used with a variety of malware that would make it fully undetectable for antivirus. A closer look at who posted the advertisements led to a website whose URL was mentioned in the ads.
"It was connected to DarkEye but it was selling a product they called CloudEye. They pretended to be legitimate and aboveboard, but they are selling basically the same thing as GuLoader," Levine said. "When we looked at the sample from CloudEye and the same we had for GuLoader, we found it almost identical. The only difference came from code randomization techniques but the actual important information in the code, the import functions, were all identical."
Check Point's report cited CloudEye's website, which states "DarkEye evolved into CloudEye! Next generation of Windows executables' protection!" Earlier versions of the website on the Internet Archive's Wayback Machine show the company was previously called DarkEye.
Not only did Check Point find CloudEye was offering a commodity downloader strikingly similar to GuLoader, it also found video tutorials on the company's website on how to use it.
"Basically what they're selling is the ability to bypass cloud drive antivirus checking because Google and all those [cloud services] don't allow you to upload malware. What they're selling uses techniques to avoid being detected by a lot of these security products," Levine said.
CloudEye and cloud-based attacks
A new trend was what initially jumpstarted Check Point's inquiry into GuLoader. Earlier this year, the security vendor determined that the delivery of malware through cloud drives is one of the fastest-growing trends of 2020. Research into the trend led to the discovery of GuLoader, which has become very prevalent in the threat landscape, Levine said. According to Levine, up to 25% of all packed malware samples are GuLoader.
"We looked at how these attacks usually work. Usually there's a dropper that's sent in the form of an email, spam emails, that have an embedded attachment. An ISO file has the malicious executable; then that dropper will download the malicious payload from a well-known cloud service and execute it," Levine said.
Email security vendor Proofpoint has also been tracking GuLoader. Researchers first observed it being used in December 2019 to deliver Parallax RAT and began looking into the malware in conjunction with that research. Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, says GuLoader is interesting for three reasons.
"First, it's written in Visual Basic 6.0, a version of Visual Basic Microsoft stopped supporting in 2008. Second, we found that while it was new, it was being adopted very quickly by multiple threat actors. Third, it stores its encrypted payloads on Google Drive or Microsoft OneDrive, showing that threat actors are leveraging the cloud just like businesses are," DeGrippo said.
One reason attackers are turning to this method of malware delivery is the fact that it can fool a lot of humans and a lot of firewalls, Levine said.
"If humans look at the network activity and all they see is Google Drive, they'll probably dismiss that activity as legitimate even though it's contacting Google Drive to download something malicious," Levine said. "Same thing with firewalls, because the antivirus signatures aren't always distributed on a daily basis; sometimes it's a weekly basis so there's a lag these kinds of attacks could take advantage of."
Evasion and disguises
Hiding under a legitimate front isn't the only sneaky part of the CloudEye dropper.
"There's a spam email with an embedded attachment; usually it's an ISO file with the malicious executable, and then they disguise the payload as a picture. The key here is that it's encrypted while it's in cloud storage; it only gets decrypted on the victim's machine," Levine said. "And what that does is make it so the cloud host can't really kick off the malicious payload because it's decrypted while it's on their servers, so they don't really know what it is."
The image file may appear as a jury summons, for example. Once it's opened and the dropper is activated, it fetches the malware payload and only stores it in memory, Levine said.
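As an added example, not code from the Check Point report or from the article, here is a defender-side triage check for files fetched from cloud drives that targets the technique Levine describes: a file name that claims an image format, no image magic bytes, and near-random content together point at an encrypted payload parked under a picture name. The file names and sample bytes below are constructed; the entropy threshold is an assumption to tune.

```python
import math
import random

# Leading magic bytes of common image formats (prefix match only).
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "bmp": b"BM",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniform random; ciphertext sits close to it."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def inspect_download(filename: str, data: bytes, threshold: float = 7.5) -> dict:
    """Triage one downloaded file. Real JPEGs are high-entropy too, so the
    magic-byte mismatch carries the verdict; a blob that copies a genuine
    image header passes this check, so treat the result as a triage signal."""
    ext = filename.rsplit(".", 1)[-1].lower()
    claims_image = ext in IMAGE_MAGIC
    magic_ok = claims_image and data.startswith(IMAGE_MAGIC[ext])
    entropy = shannon_entropy(data)
    suspicious = claims_image and not magic_ok and entropy >= threshold
    return {"file": filename, "claims_image": claims_image, "magic_ok": magic_ok,
            "entropy": round(entropy, 2), "suspicious": suspicious}

def constructed_samples() -> dict:
    """Constructed inputs, not real captures: a plausible PNG and a stand-in
    for an encrypted payload saved under a .jpg name."""
    rng = random.Random(1)  # fixed seed keeps the example reproducible
    benign_png = IMAGE_MAGIC["png"] + bytes(range(64)) * 32
    encrypted_blob = bytes(rng.randrange(256) for _ in range(4096))
    return {"summons.png": benign_png, "invoice.jpg": encrypted_blob}

def scan(files: dict) -> list:
    return [inspect_download(name, data) for name, data in files.items()]

if __name__ == "__main__":
    for verdict in scan(constructed_samples()):
        print(verdict)
```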
While there is some technology like sandboxing that will detect these malicious droppers, Levine said CloudEye has been a common denominator in thousands of attacks over the past year.
While this instance of threat actors standing up a "fake" company is not very common, Check Point's head of cyber research Yaniv Balmas says it is not the first case in which a cybercrime tool was sold publicly on the internet.
"In most cases it is very difficult to link the tool to a specific company, or to a specific person. In this case however it seems the amount of connections we found linking this site to the 'real world' were significant. This might mean the owners are not concerned about being exposed, as they probably believe the 'legitimacy cover' is providing them with the required legal umbrella allowing them to continue their actions even if it is brought to the public eye," Balmas said. "The sad fact is they may be right."
SearchSecurity contacted CloudEye for comment but the company has not responded. Attempts by Check Point to reach CloudEye were also unsuccessful.
CloudEye's website was updated Wednesday with a statement from Sebastiano Dragna and Ivano Mancini, who were named in the Check Point report:
"We learned from the press that unsuspecting users would use our platform to perpetrate abuses of all kinds. Our protection software was created and developed to protect intellectual works from the abuse of hackers and their affiliates, not to sow malware around the network. Although we are not sure that what is reported by the media is true, we believe it appropriate to suspend our service indefinitely. We are two young entrepreneurs, passionate about IT security and our goal is to enrich the scientific community with our services, not to allow a distorted use of our intellectual work. We thank all our customers, who have legally used our services since 2015. Customers will be reimbursed for purchased and unused license days. For more information contact us by e-mail [email protected], you will receive an answer within 24 hours."