Ondritols
Intelligence Profile
According to Symantec, this malware has been deployed against IT services companies in the U.S. and Europe. It is a multi-stage backdoor: the first stage is a downloader that authenticates to the Microsoft Graph API, downloads the second-stage payload from OneDrive, and executes it. The main payload then downloads a publicly available file from GitHub. For each infected machine it creates a folder in OneDrive named deviceId_n_<ip address> and uploads a file to that folder, signalling the status of the new infection to the attackers.
Threat Analysis
Ondritols is a malware family tracked by threat intelligence researchers and catalogued in the Malpedia dataset. It represents a distinct malicious software lineage with identifiable code characteristics, behaviors, and victimology.