For the past four years, an Italian company has been operating a seemingly legitimate website and business, offering protection services against reverse engineering for Windows applications, while advertising and secretly providing its service to malware gangs.
The company's secret operation came to light when security researchers from Check Point began investigating GuLoader [1, 2, 3], a new malware loader that became one of the most active malware operations of 2020.
Check Point reports that it found references in the GuLoader code to CloudEyE Protector, an anti-reverse-engineering software service provided by an Italian company called CloudEyE.
However, while code protection services are legal and widely used by almost all commercial, legitimate applications, Check Point said it has connected this company and its owners with activity on hacking forums dating back years.
Check Point linked the CloudEyE binary protection service advertised on securitycode.eu to advertisements promoting a malware crypter service called DarkEyE, which has been heavily advertised on hacking forums since 2014.
In addition, Check Point also linked three usernames and emails used to promote DarkEyE with the real identity of one of the founders of CloudEyE, as shown on the CloudEyE website.
Check Point also states that it located these three email addresses and usernames on many hacking forums.
The posts advertised malware/binary crypting services even before DarkEyE and date back as early as 2011, showing how well-established and well-connected this user was in the cybercrime and malware community.
These connections evidently helped the group start its legitimate business. Check Point reports that CloudEyE boasts more than 5,000 customers on its website.
Based on the minimum subscription price of $100/month, Check Point states that the team earned at least $500,000 from its service. However, the amount could be much higher, considering that some monthly plans reach $750/month and some customers probably used the service for many months.
All indications are that the two CloudEyE operators attempted to legitimize their criminal operation by hiding it behind a front company, as a way to justify their profits and avoid the suspicion of local tax authorities when cashing out their huge profits.
"CloudEyE features may seem legitimate, but the service provided by CloudEyE has been a common denominator in thousands of attacks over the past year," said Check Point.