DarkEyE Evolves Into CloudEyE as a Front For Malware Operations

Across the globe, several companies develop and sell cyber-espionage tools, which are often misused in cyberattacks. However, some illegitimate actors also operate in dubious ways, dodging law enforcement under the pretext of providing legitimate tools or network testing services. One such Italian company has been found secretly advertising and providing its service to malware gangs.

An (il)legal malware service

The company, named CloudEyE, advertised a binary protection service (CloudEyE Protector) on the securitycode[.]eu portal. In the past, this portal was used to advertise DarkEyE, a malware crypting service.
  • In June 2020, while analyzing attacks involving GuLoader malware, Check Point researchers found references in the GuLoader code mentioning CloudEyE Protector, a service by CloudEyE.
  • The GuLoader malware was upgraded to replace traditional packers and cryptors by adding the DarkEyE cryptor payload.
  • Three usernames (sonykyccio, xsebyx, and Sebyno) were used to promote DarkEyE on the dark web. All of these avatars belong to Dragna Sebastiano Fabio. Another name, ‘Ivano Mancini’, was used in multiple posts on hacking forums.

More on GuLoader

GuLoader, written partly in VB6, has frequently appeared as a malware loader and as one of the most advanced downloaders.
  • In April 2020, threat actors migrated to accounts on well-known cloud services such as Dropbox and Google Drive to download and execute malicious payloads such as GuLoader.
  • In early April, GuLoader was found spreading Remcos RAT as the final payload in a targeted phishing email against a major bank.
  • In March 2020, GuLoader operators were seen delivering malware through cloud-based drives such as Google Drive or Microsoft OneDrive.

What did CloudEyE say?

  • CloudEyE blamed the tool's use in malware operations on abuse by its users, carried out without its knowledge.
  • It has shut down the website that offered these services.

The bottom line

Cyberspace is filled with a spectrum of actors, many of whom skirt the boundary between legitimate business practices and illicit operations, earning more revenue by getting involved in cyberattacks. Organizations globally should take precautions to avoid doing business with such illicit actors.