Cyble researchers have uncovered ransomware called DOGE BIG BALLS, a ransomware that not just stands out but also presents its technical prowess for audacious psychological manipulation.
This malware campaign intricately weaves together advanced exploitation techniques, social engineering, and a deliberate attempt to misattribute blame, notably linking itself to Edward Coristine, a 19-year-old software engineer associated with Elon Musk’s DOGE initiative.
The Genesis of the DOGE BIG BALLS Attack: A Deceptive ZIP File
The attack begins with a seemingly innocuous ZIP file titled “Pay Adjustment.zip,” typically disseminated through phishing emails. Inside, a shortcut file named “Pay Adjustment.pdf.lnk” awaits unsuspecting victims.
Upon activation, this shortcut silently executes a series of PowerShell commands that initiate a multi-stage infection process.
The first script, stage1.ps1, checks for administrative privileges. If detected, it proceeds to download and execute a modified version of Fog ransomware, masquerading as “Adobe Acrobat.exe” within a hidden folder in the system’s startup directory.
This stealthy placement ensures that the ransomware runs with elevated privileges, bypassing standard security measures.
Exploiting Kernel Vulnerabilities: The CVE-2015-2291 Flaw
A pivotal aspect of this attack is the exploitation of CVE-2015-2291, a vulnerability in Intel’s Ethernet diagnostics driver (iqvw64e.sys). This flaw allows attackers to execute arbitrary code with kernel-level privileges through specially crafted IOCTL calls. By leveraging this vulnerability, the attackers can escalate their privileges, disable security logging, and maintain persistence within the compromised system.
The malicious tool ktool.exe is responsible for this exploitation. It installs the vulnerable driver as a kernel-mode service, granting the ransomware process direct access to kernel memory. This access facilitates the injection of the SYSTEM process token into the ransomware, effectively elevating its privileges and enabling it to disable security mechanisms.
Psychological Manipulation: The “DOGE BIG BALLS” Branding
The ransomware’s name, “DOGE BIG BALLS,” is a deliberate attempt to associate the attack with Edward Coristine and the DOGE initiative. Coristine is a prominent figure in the tech community, known for his involvement with Elon Musk’s Department of Government Efficiency (DOGE). By incorporating his name and the DOGE reference, the attackers aim to create confusion and misdirect any investigations.
The ransom note further compounds this misdirection by including Coristine’s personal details, such as his home address and phone number.
This tactic serves to intimidate the victim and divert attention from the true perpetrators.
Advanced Reconnaissance and Geolocation Techniques
Beyond encryption, the attackers employ new methods to gather intelligence about their victims. The lootsubmit.ps1 script collects extensive system and network information, including hardware IDs, firewall states, network configurations, and running processes. This data is transmitted to the attackers via a cloud hosting platform, aiding in further profiling and potential future attacks.
Notably, the attackers utilize the Wigle.net API to determine the victim’s physical location. By querying the MAC address of the victim’s router (BSSID), they can pinpoint the exact geographic location, offering more precise geolocation than traditional IP-based methods.
The Role of Havoc C2 Beacon in Post-Exploitation
Embedded within the attack is a Havoc C2 beacon (demon.x64.dll), indicating the attackers’ potential to maintain long-term access or conduct additional post-encryption activities. This beacon facilitates communication with the attacker’s command and control infrastructure, enabling them to issue further instructions or exfiltrate additional data from the compromised system.
The Involvement of Edward Coristine: A Case of Misattribution
Edward Coristine’s name appears prominently in the ransom note, accompanied by his personal contact information. This inclusion is a strategic move by the attackers to mislead investigators and the public into believing that Coristine is responsible for the attack. In reality, Coristine has no involvement in this cybercrime. The use of his name is a calculated attempt to exploit his association with the DOGE initiative and create a false narrative.
Coristine’s involvement with DOGE, a project aimed at promoting efficiency and transparency in government operations, has made him a recognizable figure in the tech community. By associating his name with the ransomware, the attackers seek to capitalize on his public profile to lend credibility to their demands and confuse potential investigators.
Conclusion
To fight against DOGE BIG BALLS ransomware attacks, which skillfully combine technical prowess, psychological manipulation, and strategic misdirection—including the false attribution to Edward Coristine—organizations and individuals must adopt a proactive and layered defense strategy.
Effective mitigation begins with enforcing strict execution policies to block untrusted LNK files and PowerShell scripts, while consistently monitoring PowerShell activity for anomalies. Deploying advanced Endpoint Detection and Response (EDR) solutions capable of identifying fileless malware and suspicious behavior is essential.
Limiting administrative privileges through Role-Based Access Control (RBAC) and monitoring for privilege escalation attempts can further reduce exposure. Additionally, blocking unauthorized outbound connections to services like Netlify and external APIs such as Wigle.net is crucial for preventing data exfiltration and geolocation tracking.
