Cyber Criminals Exploit Legitimate Software

Uploaded on 2023-10-06 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

In an alarming trendseemingly legitimate software has become the preferred choice of cyber criminals. Notable examples are the Remcos Remote Access Trojan (RAT) and GuLoader, both advertised as legitimate tools but heavily used in cyber attacks, consistently ranking among the most prevalent malware.

Although claim lawful usage, research from Check Point Software have found a strong connection between these tools and cybercrime.

While Remcos struggles to evade antivirus detection, GuLoader acts as its ally, helping it bypass protection measures. that GuLoader is rebranded and sold as a crypter, ensuring Remcos’ payload remains fully undetectable by antiviruses.

Check Point has found compelling evidence that this individual not only employs malware like Amadey and Formbook, but also uses GuLoader to shield against antivirus detection. Domain names and IP addresses associated with the Remcos and GuLoader seller appear in malware analyst reports.

Guloader & Remcos Are Among The Pack Leaders 

Check Point havepreviously reported that RAT Remcos rose four places due to trojanised installers. Remcos now sits at third place after threat actors created fake websites last month to spread malicious downloaders carrying the RAT. 

First detected in 2016, Remcos is a RAT that is regularly distributed through seemingly authentic Microsoft documents or downloaders that are actually malicious.

It has been most recently observed in a campaign involving the Fruity malware downloader. The objective was to lure victims to download the Fruity downloader, which installed different RATs such as Remcos (known for its ability to gain remote access to the victim system) to steal sensitive information and credentials and conduct malicious activity on the user’s computer.

Finance & Education Sectors Are The Key Targets

According to intelligence from Check Point's ThreatCloud AI threat detection tool: 

  • GuLoader:   In the Finance/Banking sector, an average of 2.4% of organisations globally were affected monthly (equivalent to 1 out of 41 organizations)
  • GuLoader:   most substantial impact in the EMEA region, with a monthly average impact of 4.7% (equivalent to 1 out of 21 organizations)
  • Remcos:   In the Education/Research sector, an average of 2.8% of organisations globally were affected monthly (equivalent to 1 out of 35 organizations)
  • Remcos:   greatest impact in the APAC region, with a monthly average of 2% (1 out of 50 organizations)

Software Distributor Are Part Of The Process

Check Point’s investigation leads to a clear conclusion: the seller/s of Remcos and GuLoader are well aware of their software being embraced by cyber criminals, despite their disingenuous claims. CPR aims to expose the criminal responsible for selling these tools, revealing their social networks and uncovering the significant illicit income generated through these activities.

This study underscores the serious threat posed by dual-use software and highlights the need for heightened vigilance against such deceptive practices in the cybersecurity landscape.

In 2020, an Italian company was detected selling the CloudEyE product through the website securitycode.eu and revealed its direct affiliation with GuLoader. The findings forced the creators of CloudEyE to temporarily suspend their operations. On their website, they posted a message saying that their service is designed to protect intellectual property, not to spread malware.

After a few months, their website resumed the sale of CloudEyE. Soon afterwards, Check Point observed an increase in the number of new GuLoader attacks in our telemetry, as well as the appearance of new versions. 

In a previous article CheckPoint purposefully omitted any connection between CloudEyE and the new version of GuLoader because we observed the distribution of GuLoader under an alternative name “The Protector” on the website named “VgoStore.”  VgoStore, as it turns out, is closely related to Remcos.

In addition to its typical remote administration tool features, Remcos includes uncommon functionalities such as man-in-the-middle (MITM) capabilities, password stealing, tracking browser history, stealing cookies, keylogging, and webcam control. These features go beyond the typical scope of a RAT and suggest a more intrusive and malicious intent.

Read the full research Here;                               Image: Markus Spiske

You Might Also Read:

Banks Hacked With Open-Source Software:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« The Battlefield Transformed
AI-Powered Cyber Security Software For SMEs & Consumers »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

SSLGURU

SSLGURU

SSLGURU bring all of the major SSL certificate vendors to one market place in order to create the world's largest SSL store with the most competitive prices.

SERMA Safety & Security (S3)

SERMA Safety & Security (S3)

SERMA Safety & Security provides a comprehensive cybersecurity offering incorporating Expertise, Evaluation, Consultancy and Training, covering hardware, software and information systems.

Simula Research Laboratory

Simula Research Laboratory

Simula Research Laboratory carries out research in the fields of communication systems, scientific computing and software engineering.

ENVEIL

ENVEIL

ENVEIL’s technology is the first scalable commercial solution to cryptographically secure Data in Use.

ID Quantique (IDQ)

ID Quantique (IDQ)

ID Quantique is a world leader in quantum-safe crypto solutions, designed to protect data for the long-term future.

Network Box

Network Box

Network Box is one of the world's leading Managed Security Service Providers.

DANAK

DANAK

DANAK is the national accreditation body for Denmark. The directory of members provides details of organisations offering certification services for ISO 27001.

Highland Capital Partners

Highland Capital Partners

Highland Capital Partners is an early stage venture capital firm focused on category-defining businesses in consumer and enterprise technology, including cybersecurity.

Apptega

Apptega

Apptega is an award-Winning Cybersecurity and Compliance Platform. Our mission is to make cybersecurity and compliance easy for everyone.

RNTrust

RNTrust

RNTrust provide solutions to meet today’s digital challenges utilizing digital technologies and services to make you more secured in digitally connected environment.

Information Services Group (ISG)

Information Services Group (ISG)

As a leading global research and advisory firm, ISG partners with our clients to determine a future vision, lead rapid change and realize the value of your digital investments at scale.

Appalachia Technologies

Appalachia Technologies

Appalachia is a full service Managed Services Provider with a focus on cybersecurity, backed by the best engineers.

SecurityStudio

SecurityStudio

SecurityStudio is a continuous cybersecurity risk management platform that allows decision-makers to quickly identify the most immediate threats and make confident risk informed decisions.

Prompt Security

Prompt Security

Prompt Security provides an LLM agnostic approach to ensure security, data privacy and safety across all aspects of Generative AI.

Eclypses

Eclypses

Eclypses has a disrupting cyber technology, offering organizations an advanced data security solution called MicroToken Exchange (MTE).

SOC-E

SOC-E

SOC-E is a leading technology provider for high-availability and deterministic networking, sub-microsecond synchronization and cybersecurity solutions for critical sectors.