“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.
Check Point researchers have been analyzing the GuLoader remote access trojan (RAT) since early 2020. As the researchers looked closer and closer, they found various references, within the GuLoader code, to CloudEyE Protector. CloudEyE Protector is an anti reverse-engineering software service provided by an Italian company named CloudEyE.
From the company’s website, CloudEyE serves as security software designed to “[protect] windows applications from cracking, tampering, debugging, disassembling, dumping.” Check Point found links between CloudEyE to a binary protection service marketed on an EU domain, security code[.]eu, and to a hacking forum promoting a malware crypting service named DarkEyE. The service had been proffered on these forums as early as 2014.
The researchers also tied usernames and email addresses that pushed the DarkEyE service to one of CloudEyE’s founders. In their report, Check Point lists multiple links between GuLoader, DarkEyE and CloudEyE. They concluded that CloudEyE was used as a front or possible path to legitimize their nefarious work. It was also determined that the company may have been able to build monthly revenue of $500K USD for their work.
In a different report published by CitizenLab journalists in early June, a hack-for-hire group named Dark Basin was outed for its illegitimate activities spanning 7 years that affected thousands of people and organizations across the globe. The highly detailed and thorough work of the CitizenLab journalists laid out several connections between the Dark Basin operations and an India-based technology company named BellTroX InfoTech Services. The Google Threat Analysis Group researchers indicate they registered an increase in activity from several India-based companies pushing coronavirus-themed phishing emails.
In conclusion, these two stories underscore that private, legitimate-looking companies are likely to remain within the threat landscape; it is imperative that security professionals keep their eyes open to the range of bad actors, regardless of the form they may take.