La empresa italiana de TI CloudEyE colaboró ​​con operadores de ransomware

CloudEyE collaborated with ransomware operators

Durante unos cuatro años, the Italian company CloudEyE was engaged in a seemingly legal business, offering protection of binaries from reverse engineering for Windows applications, sin embargo, al mismo tiempo, CloudEyE secretly advertised its services on the black market and collaborated with ransomware operators.

Expertos en puntos de control discovered this when they began to investigate the activities of the GuLoader malware, activity of which has significantly increased since 2020.

Researchers claim to have found in GuLoader code references to CloudEyE Protector, a security solution created by CloudEyE.

“And if usually such products for protecting source code are completely legal and widely used by developers of majority of commercial applications, then in this case, researchers are confident that CloudEyE and its owners have been active in hacker forums for many years”, – dijeron los expertos de Check Point.

The fact is that Check Point analysts were able to link the CloudEyE security product, promoted on the securitycode.eu website, with the advertising of a crypto service for the malware, DarkEyE, which was widely advertised on hacker forums back in 2014. Además, experts also linked the three users and three email addresses seen in the DarkEyE promotion to the real identity of one of the founders of CloudEyE.

CloudEyE collaborated with ransomware operators

Researchers write that these email addresses and usernames appear in a number of posts on hacker forums. These publications advertise binary and encryption services, with messages referring back to DarkEyE.

Basado en esto, experts conclude that the person hiding under these pseudonyms for a long time was tightly connected with the community of cybercriminals. Experts believe that old ties helped the company to start a legitimate business. Así que, on the official website, CloudEyE developers boast that the company has more than 5,000 clientes.

“Based on the minimum rate of $100 por mes, en total, the company earned at least $500,000. Sin embargo, the amount can be much larger if you take into account that the cost of some monthly subscriptions can reach up to $ 750, and many customers have obviously used this service for several months”, – calculated Check Point experts.

Researchers say that all the «evidencia» indicates that CloudEyE operators tried to legitimize their criminal activity by hiding it behind a shell company in order to justify profits and avoid unnecessary attention from local tax authorities when cashing out considerable sums.

“CloudEyE operations may look legitimate, but the service that provides CloudEyE has been a common denominator in thousands of attacks over the past year”, — says the Check Point report.

Although experts claim that DarkEyE and CloudEyE have been quite extensively used in recent years, it seems that only one malicious campaign seems to be the main client of developers, and this is mentioned above the GuLoader ransomware.

I also remind you that recently, on hacker forums and on the black market, surged in price credentials of popular YouTube channels.

In his report, Check Point talks about connections between CloudEyE and GuLoader.

En primer lugar, the most obvious of them is the fact that the code of applications that passed through CloudEyE Protect contains patterns that are very similar to discovered by experts GuLoader samples.

Finally was reached the point, when CloudEyE Protect will detected any random application as GuLoader malware, although in fact it may be harmless and legitimate application.

CloudEyE collaborated with ransomware operators

En segundo lugar, Check Point analysts noticed that the CloudEyE interface contained a URL stub, which was often found in GuLoader samples.

CloudEyE collaborated with ransomware operators

Thirdly, many of the CloudEyE features seem to have been specifically designed for GuLoader operations.

“The tutorials published on CloudEyE demonstrate how to store payloads in the cloud, including Google Drive and OneDrive. Cloud storages usually perform antivirus scans and technically do not allow downloading of malicious programs. Sin embargo, payload encryption implemented in CloudEyE helps bypass this limitation”, — dicen los expertos.

Researchers say that such functionality does not make sense for a regular application, but for malware, the ability to avoid cloud scans can be very useful. This can be especially true for GuLoader, which is a “network bootloader” that infects the victim’s computer and then downloads the second-level payload from Google Drive or Microsoft OneDrive.

After the publication of the Check Point report, CloudEyE representatives made an official statement and refuted all the conclusions of the experts. The company claims that criminals without the notification of the developers.

CloudEyE collaborated with ransomware operators

Al mismo tiempo, the company’s work was stopped for an uncertain period.

Por Vladimir Krasnogolovy

Vladimir es un especialista técnico al que le encanta dar consejos y sugerencias cualificados sobre los productos de GridinSoft. Está disponible las 24 horas del día, los 7 días de la semana para ayudarte con cualquier pregunta relacionada con la seguridad en Internet.

Dejar un comentario

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *