The campaign is using Go packages just as a mechanism to download a ransomware for Linux systems, and it specifically checks if the Documents/ directory exists for the current user. If it doesn't exist it does nothing.
That's probably why the malware sandboxes are not detecting the outbound connections and the encrypting activity.
3 comments
[ 1.7 ms ] story [ 21.9 ms ] threadThat's probably why the malware sandboxes are not detecting the outbound connections and the encrypting activity.