For the past four years, an Italian company has operated a seemingly legitimate website and business, offering to provide binary protection against reverse engineering for Windows applications, but has secretly advertised and provided its service to malware gangs.
The company's secret business came to light after security researchers from Check Point began looking at GuLoader [1, 2, 3], a new malware strain that rose to become one of the most active malware operations of 2020.
CloudEyE app linked to defunct malware crypter DarkEyE
Check Point says it found references in the GuLoader code mentioning CloudEyE Protector, an anti-reverse-engineering software service provided by an Italian company named CloudEyE.
But while source code protection services are legal and widely used, almost by all commercial/legitimate apps, Check Point said it linked this company and its owners to activity on hacking forums going back years.
The cyber-security firm connected the CloudEyE binary protecting service advertised on the securitycode.eu website to ads promoting a malware crypting service named DarkEyE, heavily advertised on hacking forums as far back as 2014.
Furthermore, Check Point also linked three usernames and emails used to promote DarkEyE to the real-world identity of one of the CloudEyE founders, as displayed on the CloudEyE website.
In addition, Check Point says it also tracked these three email addresses and usernames to multiple posts on hacking forums.
The posts advertised malware/binary crypting services even before DarkEyE (CloudEyE's precursor), and went as far back as 2011, showing how entrenched and well-connected this user was in the cybercrime and malware community.
CloudEyE made at least $500,000
These connections apparently helped the group get their legitimate business off the ground. Check Point says the CloudEyE team bragged of having more than 5,000 customers on their website.
Based on their minimum rate of $100/month, Check Point says the group earned at least $500,000 from their service. However, the sum could be much higher if we take into account that some monthly plans can go up to $750/month, and some customers most likely used the service multiple months.
All clues point to the fact that the two CloudEyE operators attempted to legitimize their criminal operation by hiding it behind a front company as a way to justify their profits and avoid raising the suspicions of local tax authorities when cashing out their massive profits.
"CloudEyE operations may look legal, but the service provided by CloudEyE has been a common denominator in thousands of attacks over the past year," Check Point said.
GuLoader was the main customer
But while Check Point says the DarkEyE and CloudEyE tools were widely used over the past years, there is one malware operation that appears to be CloudEye's primary customer, and that's GuLoader.
In a report published this week, Check Point lays out the different connections between CloudEyE and GuLoader.
The most obvious is that the code of apps passed through the CloudEyE Protect app contained similar patterns with GuLoader malware samples spotted in the wild. This connection was so strong that any random app passed through the CloudEyE app would almost certainly be detected as a GuLoader malware sample, despite being a legitimate app.
Second, Check Point says that the CloudEyE interface contained a placeholder (default) URL that it often found in GuLoader samples.
Third, many of the CloudEyE features appear to have been specifically designed to support GuLoader operations.
"Tutorials published on the CloudEyE website show how to store payloads on cloud drives such as Google Drive and OneDrive," Check Point said.
"Cloud drives usually perform anti-virus checking and technically don't allow the upload of malware. However, payload encryption implemented in CloudEyE helps to bypass this limitation."
Such a feature makes no sense for a normal app. However, avoiding cloud scans is crucial for a malware operation, and especially for something like GuLoader -- categorized as a "network downloader -- which relies on infecting a victim computer and then downloading a second-stage payload from services such as Google Drive or Microsoft OneDrive.
CloudEyE shuts down after report
Following Check Point's damning report on Monday, CloudEyE has responded to the findings on Wednesday.
The Italian company denounced the report and blamed the tool's use for malware operations on abuses perpetrated by its users, without its knowledge.
However, members of the cyber-security community dismissed the company's statement as "poor lies" and have called on Italian authorities to investigate the company and its two founders.
Based on Check Point's report, the two are at risk of being investigated under charges of aiding and abetting a criminal operation and money laundering.