
Cybercriminals using commercial 'crypter' to smuggle malware into cloud storage


A known cybercriminal group has changed its tactics, abusing legitimate cloud storage services to host its payloads and better avoid detection, according to research from security firm Sophos.

Known as RATicate, the cybercriminal syndicate has ditched its custom NSIS installers for a commercial installer builder called CloudEyE, which it uses to produce GuLoader, a Visual Basic 6-based installer.

According to Sophos, CloudEyE (which researchers have linked to the developers Dragna and Mancini) builds a two-stage installer: the first stage carries no malware of its own, and the second stage pulls the final malware payload down from a remote URL at run time.

This lets RATicate stage its malicious payloads on cloud storage services such as Dropbox or Google Drive. Because the file that reaches the victim contains only download logic, and the download itself goes to a trusted domain, both static scanning of the installer and filtering of its network traffic are less likely to catch it.

Further investigation also found that RATicate operates a malware-as-a-service (MaaS) model, renting its infrastructure and installers to paying third parties.

“We can see there was no synchronisation between the different campaigns, and that each of the different malware families used specific URLs in the C&C infrastructure that include a directory name that could be associated with each specific third-party actor, or with a specific campaign,” explained Sophos researchers in a blog post.
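The pivot Sophos describes above, grouping C&C and download URLs by the directory name that distinguishes each customer or campaign, is easy to reproduce over proxy logs. The following is an added example written for this article, not code from Sophos or from the research; the log lines, hosts, IP addresses (from documentation ranges) and directory names are all constructed, and the set of cloud-storage hostnames is an assumed, illustrative list.

```python
"""Cluster loader download URLs by directory and flag cloud-storage downloads.

Added example (not Sophos's code). Two pivots on constructed proxy logs:
  1. separate downloads from consumer cloud-storage hosts, where a GuLoader-
     style second stage fetches its payload from a trusted domain;
  2. group the remaining URLs by the first directory component of the path,
     the per-customer/per-campaign marker the Sophos quote refers to.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Assumed list of consumer cloud-storage hosts; extend for your environment.
CLOUD_STORAGE_HOSTS = {
    "drive.google.com",
    "www.dropbox.com",
    "dl.dropboxusercontent.com",
    "onedrive.live.com",
    "1drv.ms",
}

# Constructed sample proxy log: timestamp client method url bytes.
# Hosts, paths and IPs are made up; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, not real indicators of compromise.
SAMPLE_LOG = """\
2020-05-14T09:12:01Z 10.0.0.15 GET https://drive.google.com/uc?export=download&id=1aB2 412884
2020-05-14T09:12:03Z 10.0.0.22 GET http://203.0.113.10/acct01/payload.bin 356120
2020-05-14T09:15:44Z 10.0.0.31 GET http://203.0.113.10/acct01/update.bin 356120
2020-05-14T09:20:09Z 10.0.0.15 GET http://198.51.100.7/acct02/fre.php 1020
2020-05-14T09:21:15Z 10.0.0.40 GET https://www.dropbox.com/s/xyz/inv.bin?dl=1 298004
2020-05-14T09:30:00Z 10.0.0.22 GET https://example.org/index.html 5120
"""


def parse_proxy_log(text):
    """Parse the constructed five-column log format into dicts; skip bad rows."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, method, url, size = parts
        records.append({"ts": ts, "client": client, "method": method,
                        "url": url, "bytes": int(size)})
    return records


def is_cloud_storage(url):
    """True when the URL's host is one of the assumed cloud-storage hosts."""
    host = (urlparse(url).hostname or "").lower()
    return host in CLOUD_STORAGE_HOSTS


def first_directory(url):
    """Return the first path directory, or '' when the path is only a file."""
    segments = [s for s in urlparse(url).path.split("/") if s]
    return segments[0] if len(segments) > 1 else ""


def cluster_by_directory(records):
    """Group non-cloud-storage requests by their first directory component."""
    clusters = defaultdict(list)
    for rec in records:
        if is_cloud_storage(rec["url"]):
            continue
        directory = first_directory(rec["url"])
        if directory:
            clusters[directory].append(rec)
    return dict(clusters)


def cloud_storage_downloads(records, min_bytes=100_000):
    """Requests to cloud-storage hosts large enough to be a staged payload."""
    return [r for r in records
            if is_cloud_storage(r["url"]) and r["bytes"] >= min_bytes]


if __name__ == "__main__":
    recs = parse_proxy_log(SAMPLE_LOG)
    for directory, hits in sorted(cluster_by_directory(recs).items()):
        clients = sorted({h["client"] for h in hits})
        print(f"campaign directory {directory!r}: {len(hits)} requests from {clients}")
    for r in cloud_storage_downloads(recs):
        print(f"cloud-storage download {r['url']} ({r['bytes']} bytes) by {r['client']}")
```

The directory pivot only works once you already have the loader's C&C hosts; the cloud-storage pivot is the one that fires first in a network log, and the size threshold is a deliberately crude stand-in for whatever baseline of normal Drive/Dropbox traffic your environment has.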

A full list of indicators of compromise for the CloudEyE-based RATicate malware distributions is published on the SophosLabs GitHub page.