A new variant of the FOG ransomware has been identified, with attackers exploiting the name of the Department of Government Efficiency (DOGE) to mislead victims.
This operation, which came to light through the analysis of nine malware samples uploaded to VirusTotal between March 27 and April 2, demonstrates a cunning approach to ransomware distribution.
The FOG ransomware campaign begins with a seemingly innocuous email distributing a ZIP file named “Pay Adjustment.zip.”
Within this archive lies an LNK file, which is cleverly disguised as a PDF document, misleading users into thinking they are accessing a legitimate government document.
Upon execution, this LNK file triggers a PowerShell script called “stage1.ps1,” initiating a complex chain of malware deployment.
This script not only downloads additional ransomware components but also opens politically themed YouTube videos, potentially to distract or mislead the victim further.
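The lure described above, a ZIP attachment carrying an LNK file dressed up as a PDF, can be caught at the mail gateway before anyone double-clicks it. The following is an added example (not code from the report or the campaign) that inspects every member of a ZIP archive, checks the first 20 bytes against the fixed Shell Link header (HeaderSize 0x4C followed by the LinkCLSID), and flags shortcuts that hide behind a document extension or carry a mismatched extension. The archive it scans is constructed inline; the file names are illustrative, not the campaign's.

```python
from __future__ import annotations

import io
import zipfile
from pathlib import PurePosixPath

# Every .lnk file starts with HeaderSize = 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Extensions a phishing lure typically borrows to look like a document.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def inspect_archive(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member that looks like a disguised shortcut."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            is_lnk = head == LNK_MAGIC  # content check, independent of the name

            reasons = []
            if is_lnk:
                reasons.append("lnk_header")
            # "Report.pdf.lnk": a document extension stacked under .lnk
            if suffixes and suffixes[-1] == ".lnk" and any(
                s in DOCUMENT_EXTENSIONS for s in suffixes[:-1]
            ):
                reasons.append("document_double_extension")
            # LNK bytes but the name does not end in .lnk at all
            if is_lnk and (not suffixes or suffixes[-1] != ".lnk"):
                reasons.append("extension_mismatch")

            if reasons:
                findings.append(
                    {"member": info.filename, "size": info.file_size, "reasons": reasons}
                )
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive (not the real campaign file): a double-extension
    shortcut, a benign text file, and a shortcut renamed to .pdf outright."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Pay Adjustment.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("README.txt", b"Nothing to see here.\n")
        zf.writestr("Invoice.pdf", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding)
```

Checking the header bytes rather than trusting the name is the point: Windows hides the `.lnk` extension in Explorer, so a name-only rule misses a shortcut that has simply been renamed.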
The initial ransomware note dropped on the infected system makes reference to DOGE, an initiative of the US administration, to add a layer of credibility and confusion.
This tactic aligns with recent headlines involving a DOGE member allegedly aiding cyber criminals, a narrative cleverly woven into the malware’s propaganda.
The ransomware payload, once executed, performs a series of checks to avoid detection in sandbox environments.
According to the report, these checks include hardware and system-level verifications such as processor count, RAM size, and MAC address.
If these indicators suggest a non-sandboxed environment, the malware deploys its full capabilities.
The payload includes scripts such as ‘Lootsubmit.ps1’, which gathers system information including the IP address and CPU configuration, uses APIs to determine the system’s geolocation, and then exfiltrates this data to a remote server.
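On the endpoint, the chain reads as explorer.exe (the double-clicked shortcut) spawning powershell.exe with a script in a user-writable path, followed by an outbound connection when collected data is sent off. The following is an added example, not code from the report, that runs that correlation over a handful of constructed Sysmon-style events: a launch matching the shortcut pattern raises a medium alert, and a later connection from the same process to a non-internal address escalates it to high. Field names, PIDs, paths and the destination address are all made up for the example.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed telemetry, simplified from Sysmon event fields. Not real logs.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "process_create", "pid": 4012,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmd": r'powershell.exe -w hidden -ep bypass -f "C:\Users\alice\AppData\Local\Temp\stage1.ps1"'},
    {"ts": 2, "type": "process_create", "pid": 5120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"powershell.exe -File C:\ProgramData\IT\inventory.ps1"},
    {"ts": 3, "type": "process_create", "pid": 6000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmd": "powershell.exe"},  # interactive console, no script
    {"ts": 4, "type": "network_connect", "pid": 5120, "dest_ip": "10.0.0.5", "dest_port": 445},
    {"ts": 5, "type": "network_connect", "pid": 4012, "dest_ip": "203.0.113.10", "dest_port": 443},
]

# "Internal" for this rule means RFC 1918, loopback and link-local only, so
# documentation addresses such as 203.0.113.0/24 count as external here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

SCRIPT_RE = re.compile(r"\.ps1\b", re.I)
HIDDEN_RE = re.compile(r"(^|\s)-w(indowstyle)?\s+hidden", re.I)
BYPASS_RE = re.compile(r"(^|\s)-e(p|xecutionpolicy)\s+bypass", re.I)
USER_PATH_RE = re.compile(r"\\users\\|\\temp\\|\\appdata\\", re.I)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def score_launch(ev: dict) -> list[str]:
    """Reasons a process_create event looks like a shortcut-launched script."""
    image = ev["image"].lower()
    parent = ev.get("parent_image", "").lower()
    cmd = ev.get("cmd", "")
    # A double-clicked .lnk shows up as explorer.exe -> powershell.exe
    if not image.endswith("\\powershell.exe") or not parent.endswith("\\explorer.exe"):
        return []
    if not SCRIPT_RE.search(cmd):
        return []
    reasons = ["explorer_launched_script"]
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden_window")
    if BYPASS_RE.search(cmd):
        reasons.append("execution_policy_bypass")
    if USER_PATH_RE.search(cmd):
        reasons.append("script_in_user_writable_path")
    return reasons


def hunt(events: list[dict]) -> dict[int, dict]:
    """Correlate suspicious launches with later external connections, keyed by PID."""
    alerts: dict[int, dict] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "process_create":
            reasons = score_launch(ev)
            if reasons:
                alerts[ev["pid"]] = {"pid": ev["pid"], "cmd": ev["cmd"],
                                     "severity": "medium", "reasons": reasons}
        elif ev["type"] == "network_connect" and ev["pid"] in alerts:
            if not is_internal(ev["dest_ip"]):
                alert = alerts[ev["pid"]]
                alert["severity"] = "high"
                alert["reasons"].append(f"external_connection:{ev['dest_ip']}:{ev['dest_port']}")
    return alerts


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS).values():
        print(alert)
```

The parent-process condition keeps the rule quiet for scripts run from admin tooling (the cmd.exe-launched inventory script above is ignored), while the connection correlation is what separates a curious user running a script from a stage that is already talking to a remote server.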
A critical part of this ransomware’s arsenal is ‘Ktool.exe’, a tool designed to escalate privileges by exploiting a vulnerability in the Intel Network Adapter Diagnostic Driver, allowing the malware to bypass security measures effortlessly.
FOG ransomware has been active since January this year, with a peak in February, affecting sectors ranging from technology to healthcare.
Its operators boast of having 100 victims, showcasing their reach and the effectiveness of their phishing tactics.
To defend against such sophisticated threats, organizations are recommended to implement robust security measures.
These include maintaining secure, up-to-date backups, employing network segmentation to restrict lateral movement within the network, and ensuring all software is regularly patched to mitigate known vulnerabilities.
Additionally, continuous employee training to identify phishing attempts is crucial, as the initial infection often stems from human error.
The use of FOG ransomware, combined with the strategic abuse of government initiative names like DOGE, underscores the evolving sophistication of cybercriminal tactics.
It highlights the importance of not just reactive measures but a proactive cybersecurity strategy to anticipate and neutralize such multifaceted threats.