“CloudEye” Aiding Crooks Spread Malware by Offering Its Crypter Solution

• An Italian “protection” software provider has been discovered to be the author of the GuLoader malware.
• Researchers have compared samples created with the company’s crypter, and they are matching the droppers used in malicious campaigns.
• The website of the security firm is even hosting video tutorials that explain how to abuse cloud services.

An Italian IT security solutions provider named “CloudEye,” formerly known as “DarkEye,” has been helping crooks spread malware around via GuLoader, receiving millions of Euros in exchange. The discovery was the work of CheckPoint researchers who figured that something was off when they analyzed various samples of the recent GuLoader malware distribution campaign. The dropper samples appear to have similarities with the “Dark Eye Protector” product that has been advertised as a security software tool by the Italians since 2014. However, the “protector” is nothing else than a crypter that is quite popular in the underground scene.

In fact, CheckPoint has located old posts promoting “DarkEye Protector” on the dark web, emphasizing that the powerful crypter and code obfuscator is a totally legal piece of software and that its authors don’t take any responsibility on how the buyers choose to use it. They obviously knew what the primary use of their software tool was going to be since the very beginning, and promoting it on dark web forums is a clear proof of where they believed their primary market was.

On the company’s website that pretends to be a legitimate IT protection software developer, there are video tutorials that showcase how to abuse cloud services such as OneDrive and Google Drive. Recent GuLoader campaigns have spread malware precisely in this manner. So, the CheckPoint researchers thought they should just encrypt an executable using the CloudEye solution, and then compare the resulting build with recent GuLoader samples. Sure enough, the similarity analysis yielded the expected results, and so the GuLoader malware does seem to be a product of CloudEye’s solution.

As for who is behind “CloudEye,” multiple evidence points to the same identity, Dragna Sebastiano Fabio. This is the person behind email addresses used on hacker forums, the one mentioned in the Cloud Eye’s privacy policy, and the holder of the PayPal address offered as a payment method on the dark web.

Finally, according to the sales figures provided on the CloudEye website, the Italian company has sold over 5,000 “protection” tools. The basic package is sold at a subscription rate of $100 per month, and so the firm is making at least half a million Euros every month. With all that has been brought to light by CheckPoint, D. S. Fabio will have to give a lot of explanations to the Italian law enforcement authorities, which should be on their way to Catania.