CloudEyE – DarkEyE Evolved
Researchers at Check Point Research have analyzed CloudEyE, an evolved version of DarkEyE. Which allows threat actors to use different types of malware of their choice and make it undetectable to anti-virus solutions. This program is being sold by legitimate Italian company which markets it as a tool for developers that want to protect their program from piracy and reverse engineering. The tutorials published and forum posts that the owners have made for DarkEyE and CloudEyE prove that the objective of the program is to aid malicious activities, hence why the authors “don’t take any responsibility for the use”.
Check Point Research was able to zero down on one of the authors, tracing back email and user IDs from posts marketing the CloudEyE. Two owners Dragna Sebastiano Fabio and Ivano Mancini have been attributed to DarkEyE/ CloudEyE, the former Dragna being more notorious on forums and such with the selling of DarkEyE since 2011. Even some email handle belonging to him have been subject to public leaks. Even malicious actors have bad operational security and reuse passwords sometimes.
With their claim of 5,000 customers and pricing of $100 per month they have allegedly built a revenue stream of $0.5 Million per month. The motive is clear for the authors, money, and low liability. They have setup some legitimacy as an Italian company and profiting off activities of other malicious actors. Check Point’s research entails that the actors which use CloudEyE are not sophisticated and use the recent Pandemic related email subjects to lure victims. Since any type of malware can be used, and CloudEyE can be part of any malware campaign.
Prevention goes along with the type of malware campaign being run. Good operational security will still prevent most of these attacks from being successful. This includes not clicking on links or downloading files from emails that were unsolicited. Checkpoint was able to detect the use of CloudEyE wrapping techniques because of matching shellcode signatures, its why DarkEyE and CloudEyE are both detected as GuLoader. It is also detectable by many security products already. Responses to a detection of CloudEyE means you should also be looking for other malware or malicious programs that it dropped, which should be custom tailored. Forensics and analysis on the system should be the initial approach.
Sources: