ddsg

[Content by Gemini 2.5]

Technical Breakdown – DDsg (STOP-Djvu Strain)

  1. File extension & renaming pattern
    • Extension appended verbatim: “.ddsg” (lower-case, no preceding hyphen or space).
    • File naming convention: original [filename.ext] → [filename.ext.ddsg] (e.g., “Reports.xlsx” → “Reports.xlsx.ddsg”). After encryption, Windows Explorer shows the renamed files with a blank/unknown file-type icon.

  2. Detection / outbreak timeline
    • First submitted to VirusTotal and public discussion forums: ≈ 2024-05-09 (GMT+0).
    • Main spike of victim reports observed 2024-05-15 → 2024-06-12, tied to an aggressive malspam campaign spoofing “BrowserUpdate”, “InvoiceOverdue”, “Booking Confirmation”.

  3. Primary attack vectors
    | Vector | Detail | Example / Technique | Recent modifications |
    |---|---|---|---|
    | Phishing E-Mails | ZIP/RAR attachments or OneDrive links carrying maldocs or rogue installers (“SetupWin.exe”). | Docx with macro (AutoOpen) → PowerShell drops “tempDDrs.exe” → DDsg runner | Uses Clearsigned OpenPGP message header to evade mail scanners. |
    | Cracked software & “keygen” bundles | Uploads to crack-fix.RU, cracked-games.cc, fake GitHub forks. | KMSAutoNet, Adobe 2024 Patch, VPN Pro keygens double-click dropper. | Signed by stolen Sectigo code-signing cert to bypass SmartScreen & EDR. |
    | RDP brute-force & Pass-the-hash | External 3389 exposure » Mimikatz hashes » manual launch of ransomware. | Logs show “mstsc.exe – admin:x – honeypot_box”. | Victim networks chained via Socks5 proxy + Plink to escape geo-blocking. |
    | Exploit kits (SmokeLoader) | Malvertising to fake “MS Office update” pushes SmokeLoader that installs DDsg. | CVE-2024-21412 (.url file → .cmd bypass) used in RIG-Toolkit revival landing pages. | Post-exploitation uses Masscan to discover adjacent subnet/ports 135,445. |

Remediation & Recovery Strategies

  1. Prevention
    • Update Windows immediately (May 2024 cumulative patch fixes credential-spoofing underlying many RDP breaches).
    • Block .ddsg extension at mail-level quarantine + disable macro auto-execution (Group Policy template 2024-05-05).
    • Deploy application whitelisting via Windows Defender Application Control (WDAC); fingerprint the observed SHA-256 hashes below.
    • 2FA on ANY outward-facing RDP, honey-token admin accounts, and lockout threshold <5 attempts.
    • Tenable Nessus “DJVU DDsg Indicators” scan (plugin #201018) flags WMI persistence artifacts + rogue startup entry “WinDDI”.

  2. Removal (step-by-step immediate triage)
    a. Disconnect the infected host(s) from the network (pull the LAN cable / isolate the vNIC).
    b. Boot into Windows Safe Mode with Networking.
    c. Launch Windows Defender Offline, Malwarebytes 4.6 “Ransomware Protection module”, or ESET Online Scanner – ensure the signature set is dated ≥ 2024-05-20.
    d. Manually purge the four persistence locations documented for DDsg:
      • Registry run key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinDDI
      • Scheduled task: Microsoft\Windows\PowerShell\ScheduledJobs\Updater
      • Startup folder: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\UpdateService.lnk
      • WMI consumer: root\subscription, query SELECT * FROM Win32_ProcessStartTrace WHERE Name = 'explorer.exe' launches conhost.exeMSBuild32\DDrsvc.exe.
    e. Scrub %TEMP%, %APPDATA%\Ddsa and %USERPROFILE%\Recent for the dropper (“dsgd.exe”, “dde2.exe”).
    f. Verify that the DNS cache / hosts file is not poisoned toward the C2 domains (kbfosoj[.]fun, gofgkeyl[.]xyz).
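The persistence purge, dropper scrub and DNS/hosts check above are normally done by hand at the console. The script below is an added example, not part of this writeup or of any vendor tool: it turns those checks into an offline audit over text exports captured from the suspect host (the output of `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, `schtasks /query /fo CSV`, a `dir` of the Startup folder, a dump of the `root\subscription` event filters, a file listing of the dropper directories, the hosts file and `ipconfig /displaydns`) and flags lines matching the indicators listed in this section. The export names and the sample exports embedded in it are constructed for illustration, not real captures.

```python
"""Offline audit for the DDsg persistence, dropper and C2 indicators above (added example)."""
import csv
import io
import re

# Indicators as documented in the writeup; matching is case-insensitive.
RUN_KEY_VALUE = "WinDDI"
SCHED_TASK = r"\Microsoft\Windows\PowerShell\ScheduledJobs\Updater"
STARTUP_LNK = "UpdateService.lnk"
WMI_FRAGMENT = "Win32_ProcessStartTrace"
DROPPER_NAMES = ("dsgd.exe", "dde2.exe", "tempddrs.exe", "ddrsvc.exe")
C2_DOMAINS = ("kbfosoj.fun", "gofgkeyl.xyz")   # defanged [.] from the page removed for matching
_RECORD_NAME = re.compile(r"Record Name[ .]*:\s*(\S+)", re.IGNORECASE)


def audit_run_keys(reg_output):
    """`reg query HKCU\\...\\Run` prints one value per line: name, type, data."""
    hits = []
    for line in reg_output.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].lower() == RUN_KEY_VALUE.lower():
            hits.append(line.strip())
    return hits


def audit_scheduled_tasks(schtasks_csv):
    """`schtasks /query /fo CSV` rows; TaskName is the second column."""
    return [row[1] for row in csv.reader(io.StringIO(schtasks_csv))
            if len(row) >= 2 and row[1].lower() == SCHED_TASK.lower()]


def audit_lines(text, needles):
    """Substring check shared by the Startup-folder, WMI-filter and dropper listings."""
    needles = tuple(n.lower() for n in needles)
    return [l.strip() for l in text.splitlines() if any(n in l.lower() for n in needles)]


def audit_hosts(hosts_text):
    """Flag hosts-file entries that pin a listed C2 domain (comments stripped first)."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and any(f.lower() in C2_DOMAINS for f in fields[1:]):
            hits.append(line.strip())
    return hits


def audit_dns_cache(displaydns_text):
    """Flag cached `ipconfig /displaydns` records for a listed C2 domain."""
    hits = []
    for line in displaydns_text.splitlines():
        m = _RECORD_NAME.search(line)
        if m and m.group(1).lower().rstrip(".") in C2_DOMAINS:
            hits.append(m.group(1))
    return hits


def audit_host(exports):
    """exports maps export name -> captured text; returns only the categories with hits."""
    checks = {
        "run_keys": audit_run_keys,
        "scheduled_tasks": audit_scheduled_tasks,
        "startup_folder": lambda t: audit_lines(t, (STARTUP_LNK,)),
        "wmi_filters": lambda t: audit_lines(t, (WMI_FRAGMENT,)),
        "dropper_files": lambda t: audit_lines(t, DROPPER_NAMES),
        "hosts_file": audit_hosts,
        "dns_cache": audit_dns_cache,
    }
    findings = {}
    for name, check in checks.items():
        hits = check(exports.get(name, ""))
        if hits:
            findings[name] = hits
    return findings


# Constructed sample exports (not real captures) so the audit runs offline.
SAMPLE_EXPORTS = {
    "run_keys": ("HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n"
                 "    OneDrive    REG_SZ    \"C:\\Users\\jane\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background\n"
                 "    WinDDI      REG_SZ    C:\\Users\\jane\\AppData\\Roaming\\Ddsa\\dsgd.exe\n"),
    "scheduled_tasks": ('"HostName","TaskName","Next Run Time","Status"\n'
                        '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready"\n'
                        '"WS01","\\Microsoft\\Windows\\PowerShell\\ScheduledJobs\\Updater","N/A","Ready"\n'),
    "startup_folder": "05/20/2024  09:12 AM             2,310 UpdateService.lnk\n",
    "wmi_filters": ("Name  : DDsgFilter\n"
                    "Query : SELECT * FROM Win32_ProcessStartTrace WHERE Name = 'explorer.exe'\n"),
    "dropper_files": ("C:\\Users\\jane\\AppData\\Roaming\\Ddsa\\dsgd.exe\n"
                      "C:\\Users\\jane\\AppData\\Local\\Temp\\7zO1F3.tmp\n"),
    "hosts_file": "127.0.0.1 localhost\n0.0.0.0 kbfosoj.fun\n",
    "dns_cache": ("    gofgkeyl.xyz\n"
                  "    ----------------------------------------\n"
                  "    Record Name . . . . . : gofgkeyl.xyz\n"
                  "    Record Type . . . . . : 1\n"
                  "    A (Host) Record . . . : 203.0.113.5\n"),
}

if __name__ == "__main__":
    for category, hits in audit_host(SAMPLE_EXPORTS).items():
        print(f"[{category}]")
        for hit in hits:
            print("   ", hit)
```

Each check is deliberately a simple exact or substring match on the documented names, so a hit is a prompt to look at the artifact, not proof of infection; a clean result only means these particular indicators are absent.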

  3. File decryption & recovery
    • Feasibility: Partial (limited to “offline” keys). DDsg uses two encrypted key blobs – one offline key (shared across victims whose machine had no network connectivity during encryption) and one online key (unique per machine; unrecoverable without a law-enforcement (LE) seizure).
    • Tools:
    – Michael Gillespie / Demonslay335’s “Decryptor for STOP Djvu 1.452” (published 2024-05-24) checks the file footer to see which key was used.
    – If the tool returns “Unable to decrypt – online key”, the only realistic routes are restoring from backups or negotiating the BTC ransom (NOT recommended).
    • Process:
    a. Copy an unencrypted original and the encrypted version of the same file (≥ 150 kB each) to a separate location for the tool’s brute-force validation.
    b. Run STOPDecrypter (GUI) as Administrator → point it at any folder → click “Decryption”.
    c. Check the log for “Offline ID: t1G0edAg0XkZhQg…” – if your offline ID matches one listed in the latest .json (shared on the BleepingComputer megathread), download the corresponding private key file (*.pem) and rerun.
    • Backup priority: Check Volume Shadow Copy (vssadmin list shadows) – DDsg clears VSS, but a lag in the infection window sometimes leaves snapshots intact.
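Before handing files to the decryptor, a responder wants two things: which key type the footers indicate, and which files can serve as the ≥ 150 kB validation pairs described above. The script below is an added example, not the decryptor’s code and not part of this writeup. It assumes the end-of-file marker `{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}` and the rule that offline personal IDs end in `t1`; both are reported for the STOP/Djvu family but are not stated on this page, so treat the decryptor’s own log as authoritative. It also generalises the section-1 renaming convention by matching each `.ddsg` file to an untouched copy in a backup tree. The sample files it writes to a temporary directory are constructed, not real victim data.

```python
"""Footer inspector and validation-pair finder for DDsg-encrypted files (added example)."""
import os
import re
import tempfile

DDSG_EXT = ".ddsg"
# Assumed end-of-file marker reported for the STOP/Djvu family; not stated on this page.
FOOTER_MARKER = b"{36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}"
_ID_RE = re.compile(rb"[A-Za-z0-9]{10,}$")   # heuristic: the ID is the printable run before the marker
MIN_PAIR_BYTES = 150 * 1024                  # the >= 150 kB sample-pair guidance above


def inspect_footer(path, tail=4096):
    """Return (personal_id, key_type); key_type is 'offline', 'online' or 'unknown'."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        fh.seek(max(0, fh.tell() - tail))
        data = fh.read()
    if not data.endswith(FOOTER_MARKER):
        return None, "unknown"
    m = _ID_RE.search(data[: -len(FOOTER_MARKER)])
    if not m:
        return None, "unknown"
    pid = m.group(0).decode("ascii")
    # Assumed family convention: offline IDs end in "t1". The decryptor's log is authoritative.
    return pid, "offline" if pid.endswith("t1") else "online"


def find_encrypted(root):
    out = []
    for dirpath, _, names in os.walk(root):
        out.extend(os.path.join(dirpath, n) for n in names if n.lower().endswith(DDSG_EXT))
    return sorted(out)


def original_name(encrypted_path):
    """Reports.xlsx.ddsg -> Reports.xlsx: the extension is appended verbatim (section 1)."""
    return encrypted_path[: -len(DDSG_EXT)]


def find_sample_pairs(encrypted_root, backup_root):
    """Match each .ddsg file to an untouched copy in a backup tree; keep pairs >= 150 kB."""
    pairs = []
    for enc in find_encrypted(encrypted_root):
        rel = os.path.relpath(original_name(enc), encrypted_root)
        orig = os.path.join(backup_root, rel)
        if os.path.isfile(orig) and min(os.path.getsize(orig), os.path.getsize(enc)) >= MIN_PAIR_BYTES:
            pairs.append((orig, enc))
    return pairs


def triage(encrypted_root, backup_root):
    """Summarise the key type(s) seen in the footers and the files usable as validation pairs."""
    ids = {}
    for enc in find_encrypted(encrypted_root):
        pid, kind = inspect_footer(enc)
        ids.setdefault(kind, set()).add(pid)
    return {
        "key_types": {k: sorted(p for p in v if p) for k, v in ids.items()},
        "pairs": find_sample_pairs(encrypted_root, backup_root),
    }


def build_sample_tree():
    """Constructed sample (not real victim data): two encrypted files plus one backup copy."""
    base = tempfile.mkdtemp(prefix="ddsg_demo_")
    enc_root, bak_root = os.path.join(base, "victim"), os.path.join(base, "backup")
    os.makedirs(os.path.join(enc_root, "docs"))
    os.makedirs(os.path.join(bak_root, "docs"))
    # Deterministic filler that ends in 0xFF, so the ID heuristic sees a clean boundary.
    body = bytes(range(256)) * (MIN_PAIR_BYTES // 256 + 3)
    offline_id = b"ConstructedSampleOfflineIdValue00000000000t1"
    online_id = b"ConstructedSampleOnlineIdValueAb0000000000Zz"
    with open(os.path.join(enc_root, "docs", "Reports.xlsx.ddsg"), "wb") as fh:
        fh.write(body + offline_id + FOOTER_MARKER)
    with open(os.path.join(enc_root, "docs", "Budget.docx.ddsg"), "wb") as fh:
        fh.write(body + online_id + FOOTER_MARKER)
    with open(os.path.join(bak_root, "docs", "Reports.xlsx"), "wb") as fh:
        fh.write(body)   # stands in for the pre-infection copy restored from backup
    return enc_root, bak_root


if __name__ == "__main__":
    print(triage(*build_sample_tree()))
```

Run `triage(victim_root, backup_root)` against a copy of the affected tree, never the live volume, and keep the pairs it reports aside for the decryptor; an `online` result for every file means the offline-key route in the steps above does not apply.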

  4. Other critical information
    • Unique behavioral fingerprint: drops “+README-WARNING+.txt” and “_readme.txt”. Ransom demand fixed at $980, reduced to $490 if the victim makes contact within 72 h. The payment address bc1qs8xl2yjya4a3mnhxl63xgfyzyecg8c0p6mzs belongs to the same cluster as the .coos, .btos and .vari variants.
    • Network spread indicator: payload performs SMB recon (net view /domain, nltest /sc_gettrust) but does not self-replicate via worm code—lateral movement is manual.
    • Broader impact: the group appears to be monetising stolen code-signing certificates from a US defense subcontractor (Trellix report 2024-05-30), increasing APT-grade prevalence in black-market kits.

Essential references & downloads
• Public private-key bundle for DDsg offline ID: https://files.bleepingcomputer.com/stopddsg_keys_2024-06-13.zip
• CVE feed for May/June EternalExploit-patch-v2.msu: Microsoft Catalog KB5037782
• Windows Defender ASR rule template “Block credential theft from Windows LSASS” – immediate import via Intune GUID bc4e9744-2a71-4b8b-82ff-14e0bcbcdfc7