Yesterday, I pushed the publish button on some additional research I assisted Markel Picado with on RATicate, an actor that had been sending tailored malicious emails to victims loaded with malware installers. They appear to be a Malware as a Service operation.
The interesting thing is that they appear to have been using the same commercial crypting/packing tool as the actors behind the GuLoader malware tracked by CheckPoint: a product called CloudEyE Protector, the successor to DarkEyE Protector. The operators of that crypter-as-a-service shut it all down when people came asking about their malware distribution, and swore they would ban the bad actors.
Welp, they’re back in business, and they’re following some very rigorous (lol) vetting of customers. Sebastiano and Ivano pinky promise to very closely monitor usage and look out for shenanigans. The problem with grey tools like this, which have a legitimate use as an obfuscator and license-protection scheme, is that they are always going to have abusers. The only way to tell the bad from the good is behavior-based detection.
Ironically, one of the features they instituted to lock down their tools was a “hardware ID grabber” app they built with their own tool. And Windows Defender (and 16 others, including Sophos) detect it as malware.