Cyber Criminals Exploit Legitimate Software

Uploaded on 2023-10-06 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

In an alarming trendseemingly legitimate software has become the preferred choice of cyber criminals. Notable examples are the Remcos Remote Access Trojan (RAT) and GuLoader, both advertised as legitimate tools but heavily used in cyber attacks, consistently ranking among the most prevalent malware.

Although claim lawful usage, research from Check Point Software have found a strong connection between these tools and cybercrime.

While Remcos struggles to evade antivirus detection, GuLoader acts as its ally, helping it bypass protection measures. that GuLoader is rebranded and sold as a crypter, ensuring Remcos’ payload remains fully undetectable by antiviruses.

Check Point has found compelling evidence that this individual not only employs malware like Amadey and Formbook, but also uses GuLoader to shield against antivirus detection. Domain names and IP addresses associated with the Remcos and GuLoader seller appear in malware analyst reports.

Guloader & Remcos Are Among The Pack Leaders 

Check Point havepreviously reported that RAT Remcos rose four places due to trojanised installers. Remcos now sits at third place after threat actors created fake websites last month to spread malicious downloaders carrying the RAT. 

First detected in 2016, Remcos is a RAT that is regularly distributed through seemingly authentic Microsoft documents or downloaders that are actually malicious.

It has been most recently observed in a campaign involving the Fruity malware downloader. The objective was to lure victims to download the Fruity downloader, which installed different RATs such as Remcos (known for its ability to gain remote access to the victim system) to steal sensitive information and credentials and conduct malicious activity on the user’s computer.

Finance & Education Sectors Are The Key Targets

According to intelligence from Check Point's ThreatCloud AI threat detection tool: 

  • GuLoader:   In the Finance/Banking sector, an average of 2.4% of organisations globally were affected monthly (equivalent to 1 out of 41 organizations)
  • GuLoader:   most substantial impact in the EMEA region, with a monthly average impact of 4.7% (equivalent to 1 out of 21 organizations)
  • Remcos:   In the Education/Research sector, an average of 2.8% of organisations globally were affected monthly (equivalent to 1 out of 35 organizations)
  • Remcos:   greatest impact in the APAC region, with a monthly average of 2% (1 out of 50 organizations)

Software Distributor Are Part Of The Process

Check Point’s investigation leads to a clear conclusion: the seller/s of Remcos and GuLoader are well aware of their software being embraced by cyber criminals, despite their disingenuous claims. CPR aims to expose the criminal responsible for selling these tools, revealing their social networks and uncovering the significant illicit income generated through these activities.

This study underscores the serious threat posed by dual-use software and highlights the need for heightened vigilance against such deceptive practices in the cybersecurity landscape.

In 2020, an Italian company was detected selling the CloudEyE product through the website securitycode.eu and revealed its direct affiliation with GuLoader. The findings forced the creators of CloudEyE to temporarily suspend their operations. On their website, they posted a message saying that their service is designed to protect intellectual property, not to spread malware.

After a few months, their website resumed the sale of CloudEyE. Soon afterwards, Check Point observed an increase in the number of new GuLoader attacks in our telemetry, as well as the appearance of new versions. 

In a previous article CheckPoint purposefully omitted any connection between CloudEyE and the new version of GuLoader because we observed the distribution of GuLoader under an alternative name “The Protector” on the website named “VgoStore.”  VgoStore, as it turns out, is closely related to Remcos.

In addition to its typical remote administration tool features, Remcos includes uncommon functionalities such as man-in-the-middle (MITM) capabilities, password stealing, tracking browser history, stealing cookies, keylogging, and webcam control. These features go beyond the typical scope of a RAT and suggest a more intrusive and malicious intent.

Read the full research Here;                               Image: Markus Spiske

You Might Also Read:

Banks Hacked With Open-Source Software:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« The Battlefield Transformed
AI-Powered Cyber Security Software For SMEs & Consumers »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Appdome

Appdome

Appdome is the industry's first mobile integration as a service company, providing solutions for enterprise mobility and mobile application security.

Information System Security Directorate (ISSD) - Afghanistan

Information System Security Directorate (ISSD) - Afghanistan

Information System Security Directorate (ISSD) is the Directorate of MCIT responsible for the security of critical information infrastructures in Afghanistan.

Cortado Mobile Solutions

Cortado Mobile Solutions

Cortado Mobile Solutions creates enterprise mobility and file sharing solutions for companies, teams and freelancers.

IoT Security Institute (IoTSI)

IoT Security Institute (IoTSI)

IoT Security Institute is an academic and industry body dedicated to providing frameworks and supporting educational services to assist in managing security within an Internet of Things eco-system.

Encore Media Group

Encore Media Group

Encore Media Group provide an international enterprise technology event series exploring IoT, Blockchain AI, Big Data, 5G, Cyber Security and Cloud.

WidePoint

WidePoint

WidePoint Corporation is an innovative provider of Trusted Mobility Management (TM2) solutions.

Onevinn

Onevinn

Onevinn's goal is to create a transparent, cost-effective security that is noticed as little as possible by the users. We simply call it "intelligent security."

Virtue Security

Virtue Security

Virtue Security are specialists in web application penetration testing.

DH2i Company

DH2i Company

DH2i is a leading provider of multi-platform Software Defined Perimeter and Smart Availability software enabling customers to create an entire IT infrastructure that is always-secure and always-on.

ACI Learning

ACI Learning

ACI Learning - Training tomorrow’s industry leaders with formats for all types of learners in Audit, Cybersecurity, and IT.

Varutra Consulting

Varutra Consulting

Varutra Consulting is an Cyber Security Consulting, Solutions and Training services firm, providing specialized security services for software, mobile and network.

DESCERT

DESCERT

DESCERT offers you an extended IT, cyber security, risk advisory & compliance audit team which provides strategic guidance, engineering and audit services.

Sev1Tech

Sev1Tech

Sev1Tech is a leading provider of IT modernization, cloud, cybersecurity, engineering, fielding, training, and program support services.

Dapple Security

Dapple Security

Dapple Security is creating cutting edge technology utilizing responsible biometrics that protects people and privacy through a first-of-its-kind passwordless platform.

Insane Cyber

Insane Cyber

Insane Cyber make cybersecurity easier to manage through automated, easy-to-use software and expert support and partnership.

CyTwist

CyTwist

CyTwist is an early warning attack detection platform that complement your existing security suite and provides your security teams with unique detection capabilities of stealth targeted attacks.