GuLoader? No, CloudEyE.

June 8, 2020

Italian company exposed on Clearnet earned up to $ 500,000 helping cybercriminals to deliver malware using cloud drives.

Recently, we wrote about the network dropper known as GuLoader, which has been very actively distributed in 2020 and is used to deliver malware with the help of cloud services such as Google Drive. The delivery of malware through cloud drives is one of the fastest growing trends of 2020.

We see hundreds of attacks involving GuLoader every day; up to 25% of all packed samples are GuLoaders. The dropper delivers a huge number of malware types, including different malicious campaigns apparently related to many different threat actors.

Percentage of GuLoader samples and malware distributed by GuLoader

Figure 1 – Percentage of GuLoader samples and malware distributed by GuLoader.

The dropper is constantly updated: we see new versions with sandbox evasion techniques, code randomization features, C&C URL encryption, and additional payload encryption. As a result, we can reasonably assume that behind GuLoader there is a major new service aiming to replace traditional packers and crypters.

We did indeed manage to find this service, which is created and maintained by an Italian company that pretends to be completely legitimate and aboveboard, and even has a website in Clearnet that uses the .eu domain zone. But first things first.

DarkEyE

While monitoring GuLoader, we repeatedly encountered samples that were detected as GuLoader, but they did not contain URLs for downloading the payload. During manual analysis of such samples, we found that the payload is embedded in the sample itself. Those samples appear to be related to DarkEyE Protector:

DarkEyE sample

Figure 2 – DarkEyE sample.

The DarkEyE samples have a lot in common with the GuLoader samples. They both are written in VisualBasic, contain a shellcode encrypted with 4-bytes XOR key, and have the same payload decryption procedure:

Comparison of GuLoader and DarkEyE samples

Figure 3 – Comparison of GuLoader and DarkEyE samples.

We searched for “DarkEyE Protector” on the web and easily found a very old thread from 2014 in which it was advertised by a user known as “xor”:

DarkEyE advertisement on a hacker forum

Figure 4 – DarkEyE advertisement on a hacker forum.

We also found some earlier ads for DarkEyE on the same website, these posted by the user “sonykuccio.” The ads describe DarkEyE as a crypter that can be used with different malware such as stealers, keyloggers, and RATs (remote access Trojans), and makes them fully undetectable for antiviruses (FUD). This left us with no doubt that this software was developed to protect malware from discovery by anti-viruses, as the authors didn’t forget to emphasize that they “don’t take any responsibility for the use” of DarkEyE:

DarkEyE advertisement on a hacker forum

Figure 5 – DarkEyE advertisement on a hacker forum.

The user “sonykuccio” also posted contact emails for anyone interested in buying DarkEyE (remember this for later):

Contact emails mentioned in DarkEyE ads

Figure 6 – Contact emails mentioned in DarkEyE ads.

Finally, we found the website securitycode.eu, whose URL is mentioned in one of the ads above.

DarkEyE evolved into CloudEyE

Indeed, the website securitycode.eu is connected to DarkEyE. However, currently this website focuses on another product – CloudEyE:

securiticode.eu website

Figure 7 – securiticode.eu website.

The company selling CloudEyE pretends to be legitimate. As said on their website, CloudEyE is security software intended for “Protecting windows applications from cracking, tampering, debugging, disassembling, dumping.

But let’s look at the rest of the securitycode.eu website. It contains several YouTube video tutorials on how to use CloudEyE, and, as it turned out, how to abuse Google Drive and OneDrive:

YouTube videos published on the securitycode.eu website

Figure 8 – YouTube videos published on the securitycode.eu website.

Watching one of the videos on this website (https://youtu.be/TOdfOBmeAx8?t=74), we noticed the same URL patterns as we have seen earlier in GuLoader:

The same URL pattern in the CloudEyE YouTube video and GuLoader samples

Figure 9 – The same URL pattern in the CloudEyE YouTube video and GuLoader samples.

This is a placeholder for a URL that is used in some of GuLoader samples for downloading joined files (decoy images in our previous research). Way too much coincidence for us to find it here!

We decided to obtain CloudEyE to see for ourselves if it is related to GuLoader.

CloudEyE

To test CloueEyE Protector, we decided to encrypt the calc.exe application:

CloudEyE builder: choosing a file to protect

Figure 10 – CloudEyE builder: choosing a file to protect.

The XOR encryption key (password) is generated automatically and can’t be entered manually.

After clicking “Next”, we got the encrypted file. Then we placed it on a local HTTP server and put the URL in the next window:

CloudEyE builder: choosing a URL where the protected file will be downloaded from

Figure 11 – CloudEyE builder: choosing a URL where the protected file will be downloaded from.

After clicking “Next”, we see the window with the known URL template https://myurl/myfile.bin:

CloudEyE builder: protection options

Figure 12 – CloudEyE builder: protection options.

We assumed that most customers don’t use additional options, so we decided to leave everything else as the default value.

CloudEyE also allows you to set up autorun, select an icon, change the file size and choose the extension:

CloudEyE builder: additional options

Figure 13 – CloudEyE builder: additional options.

Finally, we got the build.

At the next step, we submitted the build to our sandbox and, unsurprisingly, we got the expected verdict:

Emulation results of the CloudEyE-produced sample
Emulation results of the CloudEyE-produced sample

Figure 14 – Emulation results of the CloudEyE-produced sample.

However, to be completely sure that CloudEyE produces samples that are universally acknowledged as GuLoader malware, we decided to analyze it manually and compare with a real GuLoader sample that we saw in the wild.

GuLoader was slightly upgraded a few weeks ago. Therefore, we chose one of the recent samples which downloads the Formbook malware:

GuLoader MD5: 3d1fd9bcef7cbe915bb49857461ad781
Payload URL: hxxps://drive.google.com/uc?export=download&id=1cs40Db_dgZugASem90KebWJ2mVl6LmjR
Encrypted Payload MD5: 95f29abac9c887639efc2d4e22b5350f
Decrypted Payload MD5: 3b72bf861b5d2907bb2d76d3d4d9d816
Researched GuLoader sample details

Figure 15 – Researched GuLoader sample details.

The CloudEyE-produced sample that we got has the same structure as GuLoader. Just like GuLoader, it is compiled with Visual Basic and contains shellcode encrypted with a random 4-bytes XOR key. Therefore, we decrypted the shellcode from both samples (CloudEyE and GuLoader).

To make it harder for automatic analysis and probably also to prevent automatic decryption, the shellcode starts from a random stub and is prepended with a jump over this stub. In both samples, the same space on the stack is reserved for a structure with global variables.

Comparison of CloudEyE and GuLoader samples: shellcode randomization

Figure 16 – Comparison of CloudEyE and GuLoader samples: shellcode randomization.

Variables in the structure have the same offset. Most of the code chunks differ only due to the applied randomization techniques. The useful code is the same in both samples.

Comparison of CloudEyE and GuLoader samples: URL decryption

Figure 17 – Comparison of CloudEyE and GuLoader samples: URL decryption.

The URLs for downloading the payload and the “joined file” (i.e. the decoy image) in the new version of GuLoader are stored encrypted. GuLoader decrypts the URLs using the same key as used for decrypting the payload. After extracting the XOR keys, we can easily find and decrypt URLs in both samples.

Comparison of CloudEyE and GuLoader encrypted URLs

Figure 18 – Comparison of CloudEyE and GuLoader encrypted URLs.

We can therefore conclude that the samples are almost identical and differ only generally due to applied code randomization techniques.

Identities behind CloudEyE

Let’s refer to the contact emails posted by the user “sonykuccio” in the DarkEyE ads:

We looked for the emails and usernames in publically available leaked email databases and managed to find several entries related to “sonykuccio”:

Emails and usernames found in publically available databases

Figure 19 – Emails and usernames found in publically available databases.

Also, we surprisingly found a PDF containing a lot of real names and emails of Italian citizens, including the email “[email protected]” and the corresponding name “Sebastiano Dragna”:

A PDF with emails of Italian citizens

Figure 20 – A PDF with emails of Italian citizens.

Let’s now refer to the Privacy Policy section on the website securitycode.eu. We see the same name! The owners of this business must sincerely believe in their own innocence if they dare to publish real names on the website:

securitycode.eu privacy policy

Figure 21 – securitycode.eu privacy policy.

Therefore, “sonykyccio”, “xsebyx”, “Sebyno”, “[email protected]”, “[email protected]”, “[email protected]” are avatars and emails of the same person: Dragna Sebastiano Fabio.

Unfortunately, we didn’t manage to find any relation between another name published on the website (Ivano Mancini) and names used on popular hacker forums.

Identities behind CloudEyE

Figure 22 – Identities behind CloudEyE.

Sonykuccio is an old and established visitor to hacker forums. We saw that he started selling DarkEyE in the beginning of 2011. But even before creating DarkEyE protector, Sonykuccio was already providing services for protecting malware against anti-viruses (FUD service) and a spreading service for malware:

Malicious services advertised by sonykuccio

Figure 23 – Malicious services advertised by sonykuccio.

CloudEyE and Covid-19

As we said, we see hundreds of attacks every day in different campaigns. Some of the CloudEyE users have been cynically using the name “Coronavirus” as a way to deceive and mislead victims, using the fear and desire for information about the pandemic to infect people with malware.

CloudEyE and Coronavirus email subjects

Figure 24 – CloudEyE and Coronavirus email subjects.

Revenue

The securitycode.eu website claims that their customer base numbers over 5,000. As they sell their basic package for $ 100 per month, this allows us to estimate their monthly income at $ 500,000.

CloudEyE pricing

Figure 25 – CloudEyE pricing.

Conclusion

CloudEyE operations may look legal, but the service provided by CloudEyE has been a common denominator in thousands of attacks over the past year. Tutorials published on the CloudEyE website show how to store payloads on cloud drives such as Google Drive and OneDrive. Cloud drives usually perform anti-virus checking and technically don’t allow the upload of malware. However, payload encryption implemented in CloudEyE helps to bypass this limitation. Code randomization, evasion techniques, and payload encryption used in CloudEyE protect malware from being detected by many of the existing security products on the market. Surprisingly, such a service is provided by a legally registered Italian company that operates a publically available website which has existed for more than four years.

Many of CloudEyE customers are threat actors with no deep technical knowledge, they are using publically available malware or leaked hacking tools for stealing passwords, credentials, private information, and gaining control of the victim’s environment.

Appendix: Hashes of samples

Description MD5
Researched GuLoader sample 3d1fd9bcef7cbe915bb49857461ad781
Encrypted GuLoader payload (Formbook) 95f29abac9c887639efc2d4e22b5350f
Formbook sample dropped by GuLoader 3b72bf861b5d2907bb2d76d3d4d9d816
GuLoader Shellcode 0284062f9a7415e413ed319c13dc0988
CloudEyE Shellcode 5c4ed372836487562aa22ab9cd2798d9

Check Point Threat Emulation provides protection against this threat:

  • Dropper.Win.CloudEyE.A
  • Dropper.Wins.CloudEyE.B
  • Dropper.Win.CloudEyE.I
  • Dropper.Win.CloudEyE.gl.J
  • Dropper.Win.CloudEyE.gl.L