🎯 Spear targeted malware looking for French crypto devs [1/2]
Even if you're French, you've probably never heard of ONDE, the reporting system operated by the AMF (France's equivalent of the US SEC). But a small number of individuals involved in crypto received emails just like this one, asking them to register a new key with the system before the end of the year.
The "key" is actually a JavaScript file that will:
👉 verify the C: drive is larger than 60 GB
👉 look for VM artifacts such as virtualization guest drivers
👉 compare the current username against a list of usernames known to be used by sandboxes
👉 verify there are more than two files in the "Recent" folder (i.e. the machine looks like it is actually used)
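To check whether your own analysis VM would trip these four checks (and so never receive the second stage), here is an added example that is not code from the original post or from the malware: it models the evasion logic as described above and runs it against a host profile. The 60 GB and "more than two files" thresholds come from the post; the driver file names, the sandbox usernames and the folder paths in collect_local_profile() are illustrative assumptions, not the sample's actual lists.

```python
"""Model of the four anti-sandbox checks described in the post.
Added example, not the sample's code. Driver names, usernames and
paths below are assumptions for illustration only."""
import os
import shutil
from dataclasses import dataclass, field

GB = 1024 ** 3
MIN_DISK_BYTES = 60 * GB      # post: C: drive must be larger than 60 GB
MIN_RECENT_FILES = 3          # post: more than two files in "Recent"

# Assumed, illustrative lists (typical VM guest-driver file names and common
# sandbox account names); the real sample's lists are not reproduced here.
VM_DRIVER_FILES = ("vmmouse.sys", "vmhgfs.sys", "VBoxMouse.sys", "VBoxGuest.sys")
SANDBOX_USERNAMES = ("sandbox", "malware", "virus", "test", "john doe")


@dataclass
class HostProfile:
    disk_total_bytes: int
    drivers_present: list = field(default_factory=list)  # basenames in System32\drivers
    username: str = ""
    recent_file_count: int = 0


def evaluate(profile: HostProfile) -> list:
    """Return the names of the checks that FAIL, i.e. that would make the
    loader bail out. An empty list means the host looks like a real victim."""
    failed = []
    if profile.disk_total_bytes <= MIN_DISK_BYTES:
        failed.append("disk_size")
    present = {d.lower() for d in profile.drivers_present}
    if any(d.lower() in present for d in VM_DRIVER_FILES):
        failed.append("vm_drivers")
    if profile.username.strip().lower() in SANDBOX_USERNAMES:
        failed.append("username")
    if profile.recent_file_count < MIN_RECENT_FILES:
        failed.append("recent_files")
    return failed


def would_detonate(profile: HostProfile) -> bool:
    """True when every check passes and the second stage would be fetched."""
    return not evaluate(profile)


def collect_local_profile() -> HostProfile:
    """Best-effort collector for a Windows analysis VM (assumed paths);
    on non-Windows hosts it simply reports a 0-byte disk."""
    total = shutil.disk_usage("C:\\").total if os.name == "nt" else 0
    drivers_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                               "System32", "drivers")
    drivers = os.listdir(drivers_dir) if os.path.isdir(drivers_dir) else []
    recent = os.path.join(os.environ.get("APPDATA", ""),
                          "Microsoft", "Windows", "Recent")
    recent_count = len(os.listdir(recent)) if os.path.isdir(recent) else 0
    return HostProfile(total, drivers, os.environ.get("USERNAME", ""), recent_count)


if __name__ == "__main__":
    # Constructed sample profiles, then the local host.
    looks_real = HostProfile(120 * GB, ["ntfs.sys"], "alice", 15)
    looks_sandbox = HostProfile(40 * GB, ["VBoxGuest.sys"], "sandbox", 0)
    print("real-looking host fails:", evaluate(looks_real))
    print("sandbox-looking host fails:", evaluate(looks_sandbox))
    local = collect_local_profile()
    print("this host fails:", evaluate(local) or "nothing, sample would continue")
```

Run it on the analysis VM itself: any name returned by evaluate() is a setting to fix (grow the virtual disk past 60 GB, open a handful of documents so "Recent" is populated, use a plausible username, hide or rename guest-tools drivers) before detonating the sample.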
If all those checks pass, a second-stage script is downloaded that reassembles a Windows binary from chunks hosted on GitHub.
The final payload is a simple but effective RAT written in Go, installed via a modified pyinstaller[.]exe binary.
#dns #threatintel #malware #RAT #cybersécurité #cybercrime #cybersecurity #ONDE #AMF #crypto #threatintelligence #infoblox #infobloxthreatintel