Recently, we wrote about the network dropper known as GuLoader, which has been very actively distributed in 2020 and is used to deliver malware with the help of cloud services such as Google Drive. The delivery of malware through cloud drives is one of the fastest growing trends of 2020.
We see hundreds of attacks involving GuLoader every day; up to 25% of all packed samples are GuLoaders. The dropper delivers a huge number of malware types, including different malicious campaigns apparently related to many different threat actors.
Figure 1 – Percentage of GuLoader samples and malware distributed by GuLoader.
The dropper is constantly updated: we see new versions with sandbox evasion techniques, code randomization features, C&C URL encryption, and additional payload encryption. As a result, we can reasonably assume that behind GuLoader there is a major new service aiming to replace traditional packers and crypters.
We did indeed manage to find this service, which is created and maintained by an Italian company that pretends to be completely legitimate and aboveboard, and even has a website in Clearnet that uses the .eu domain zone. But first things first.
While monitoring GuLoader, we repeatedly encountered samples that were detected as GuLoader, but they did not contain URLs for downloading the payload. During manual analysis of such samples, we found that the payload is embedded in the sample itself. Those samples appear to be related to DarkEyE Protector:
Figure 2 – DarkEyE sample.
The DarkEyE samples have a lot in common with the GuLoader samples. They both are written in VisualBasic, contain a shellcode encrypted with 4-bytes XOR key, and have the same payload decryption procedure:
Figure 3 – Comparison of GuLoader and DarkEyE samples.
We searched for “DarkEyE Protector” on the web and easily found a very old thread from 2014 in which it was advertised by a user known as “xor”:
Figure 4 – DarkEyE advertisement on a hacker forum.
We also found some earlier ads for DarkEyE on the same website, these posted by the user “sonykuccio.” The ads describe DarkEyE as a crypter that can be used with different malware such as stealers, keyloggers, and RATs (remote access Trojans), and makes them fully undetectable for antiviruses (FUD). This left us with no doubt that this software was developed to protect malware from discovery by anti-viruses, as the authors didn’t forget to emphasize that they “don’t take any responsibility for the use” of DarkEyE:
Figure 5 – DarkEyE advertisement on a hacker forum.
The user “sonykuccio” also posted contact emails for anyone interested in buying DarkEyE (remember this for later):
Figure 6 – Contact emails mentioned in DarkEyE ads.
Finally, we found the website securitycode.eu, whose URL is mentioned in one of the ads above.
Indeed, the website securitycode.eu is connected to DarkEyE. However, currently this website focuses on another product – CloudEyE:
Figure 7 – securiticode.eu website.
The company selling CloudEyE pretends to be legitimate. As said on their website, CloudEyE is security software intended for “Protecting windows applications from cracking, tampering, debugging, disassembling, dumping.”
But let’s look at the rest of the securitycode.eu website. It contains several YouTube video tutorials on how to use CloudEyE, and, as it turned out, how to abuse Google Drive and OneDrive:
Figure 8 – YouTube videos published on the securitycode.eu website.
Watching one of the videos on this website (https://youtu.be/TOdfOBmeAx8?t=74), we noticed the same URL patterns as we have seen earlier in GuLoader:
Figure 9 – The same URL pattern in the CloudEyE YouTube video and GuLoader samples.
This is a placeholder for a URL that is used in some of GuLoader samples for downloading joined files (decoy images in our previous research). Way too much coincidence for us to find it here!
We decided to obtain CloudEyE to see for ourselves if it is related to GuLoader.
To test CloueEyE Protector, we decided to encrypt the calc.exe application:
Figure 10 – CloudEyE builder: choosing a file to protect.
The XOR encryption key (password) is generated automatically and can’t be entered manually.
After clicking “Next”, we got the encrypted file. Then we placed it on a local HTTP server and put the URL in the next window:
Figure 11 – CloudEyE builder: choosing a URL where the protected file will be downloaded from.
After clicking “Next”, we see the window with the known URL template
Figure 12 – CloudEyE builder: protection options.
We assumed that most customers don’t use additional options, so we decided to leave everything else as the default value.
CloudEyE also allows you to set up autorun, select an icon, change the file size and choose the extension:
Figure 13 – CloudEyE builder: additional options.
Finally, we got the build.
At the next step, we submitted the build to our sandbox and, unsurprisingly, we got the expected verdict:
Figure 14 – Emulation results of the CloudEyE-produced sample.
However, to be completely sure that CloudEyE produces samples that are universally acknowledged as GuLoader malware, we decided to analyze it manually and compare with a real GuLoader sample that we saw in the wild.
GuLoader was slightly upgraded a few weeks ago. Therefore, we chose one of the recent samples which downloads the Formbook malware:
|Encrypted Payload MD5:||95f29abac9c887639efc2d4e22b5350f|
|Decrypted Payload MD5:||3b72bf861b5d2907bb2d76d3d4d9d816|
Figure 15 – Researched GuLoader sample details.
The CloudEyE-produced sample that we got has the same structure as GuLoader. Just like GuLoader, it is compiled with Visual Basic and contains shellcode encrypted with a random 4-bytes XOR key. Therefore, we decrypted the shellcode from both samples (CloudEyE and GuLoader).
To make it harder for automatic analysis and probably also to prevent automatic decryption, the shellcode starts from a random stub and is prepended with a jump over this stub. In both samples, the same space on the stack is reserved for a structure with global variables.
Figure 16 – Comparison of CloudEyE and GuLoader samples: shellcode randomization.
Variables in the structure have the same offset. Most of the code chunks differ only due to the applied randomization techniques. The useful code is the same in both samples.
Figure 17 – Comparison of CloudEyE and GuLoader samples: URL decryption.
The URLs for downloading the payload and the “joined file” (i.e. the decoy image) in the new version of GuLoader are stored encrypted. GuLoader decrypts the URLs using the same key as used for decrypting the payload. After extracting the XOR keys, we can easily find and decrypt URLs in both samples.
Figure 18 – Comparison of CloudEyE and GuLoader encrypted URLs.
We can therefore conclude that the samples are almost identical and differ only generally due to applied code randomization techniques.
Let’s refer to the contact emails posted by the user “sonykuccio” in the DarkEyE ads:
We looked for the emails and usernames in publically available leaked email databases and managed to find several entries related to “sonykuccio”:
Figure 19 – Emails and usernames found in publically available databases.
Also, we surprisingly found a PDF containing a lot of real names and emails of Italian citizens, including the email “[email protected]” and the corresponding name “Sebastiano Dragna”:
Figure 20 – A PDF with emails of Italian citizens.
Therefore, “sonykyccio”, “xsebyx”, “Sebyno”, “[email protected]”, “[email protected]”, “[email protected]” are avatars and emails of the same person: Dragna Sebastiano Fabio.
Unfortunately, we didn’t manage to find any relation between another name published on the website (Ivano Mancini) and names used on popular hacker forums.
Figure 22 – Identities behind CloudEyE.
Sonykuccio is an old and established visitor to hacker forums. We saw that he started selling DarkEyE in the beginning of 2011. But even before creating DarkEyE protector, Sonykuccio was already providing services for protecting malware against anti-viruses (FUD service) and a spreading service for malware:
Figure 23 – Malicious services advertised by sonykuccio.
As we said, we see hundreds of attacks every day in different campaigns. Some of the CloudEyE users have been cynically using the name “Coronavirus” as a way to deceive and mislead victims, using the fear and desire for information about the pandemic to infect people with malware.
Figure 24 – CloudEyE and Coronavirus email subjects.
The securitycode.eu website claims that their customer base numbers over 5,000. As they sell their basic package for $ 100 per month, this allows us to estimate their monthly income at $ 500,000.
Figure 25 – CloudEyE pricing.
CloudEyE operations may look legal, but the service provided by CloudEyE has been a common denominator in thousands of attacks over the past year. Tutorials published on the CloudEyE website show how to store payloads on cloud drives such as Google Drive and OneDrive. Cloud drives usually perform anti-virus checking and technically don’t allow the upload of malware. However, payload encryption implemented in CloudEyE helps to bypass this limitation. Code randomization, evasion techniques, and payload encryption used in CloudEyE protect malware from being detected by many of the existing security products on the market. Surprisingly, such a service is provided by a legally registered Italian company that operates a publically available website which has existed for more than four years.
Many of CloudEyE customers are threat actors with no deep technical knowledge, they are using publically available malware or leaked hacking tools for stealing passwords, credentials, private information, and gaining control of the victim’s environment.
|Researched GuLoader sample||3d1fd9bcef7cbe915bb49857461ad781|
|Encrypted GuLoader payload (Formbook)||95f29abac9c887639efc2d4e22b5350f|
|Formbook sample dropped by GuLoader||3b72bf861b5d2907bb2d76d3d4d9d816|
Check Point Threat Emulation provides protection against this threat: