dodged

[Content by Gemini 2.5]

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The malware appends .dodged to every encrypted file; the marker is matched case-insensitively, so .DODGED and .dodged are the same indicator.
  • Renaming Convention:
    Original → <filename>.<original-ext>.id-<8-char-hex>.<contact-email>.dodged
    where <8-char-hex> is the per-victim ID and <contact-email> is the attacker's contact address from the ransom note, embedded in the file name.
    Example: Contract.docx becomes
    Contract.docx.id-<8-char-hex>.<contact-email>.dodged
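To make the naming convention above usable during triage, the following is an added Python example (not code from this page or from any vendor tooling) that recognises the pattern, recovers the original file name, and groups encrypted files by victim ID so the blast radius and the contact address can be read off a file listing. The file names it runs over are constructed for the example and are not real indicators; the tolerance for square brackets around the e-mail address is an assumption borrowed from how similar id-plus-email naming schemes are often written, not something the page states.

```python
import os
import re
from collections import defaultdict

# Matches the renaming convention documented above:
#   <filename>.<original-ext>.id-<8-char-hex>.<contact-email>.dodged
# The whole match is case-insensitive, so ".DODGED" is treated like ".dodged".
# Optional square brackets around the e-mail are an assumption (some id-plus-email
# naming schemes write [mail@host]); the page itself does not show brackets.
DODGED_NAME = re.compile(
    r"""^(?P<original>.+?)                      # original name, extension included
        \.id-(?P<victim_id>[0-9A-Fa-f]{8})      # 8-hex-char victim ID
        \.\[?(?P<email>[^\\/@]+@[^\\/]+?)\]?    # attacker contact e-mail
        \.dodged$""",
    re.IGNORECASE | re.VERBOSE,
)


def parse_dodged_name(name):
    """Return (original_name, victim_id, contact_email) for an encrypted file,
    or None when the name does not follow the dodged convention.
    Only the last path component is inspected; both separator styles are accepted."""
    base = re.split(r"[\\/]", name)[-1]
    m = DODGED_NAME.match(base)
    if not m:
        return None
    return m.group("original"), m.group("victim_id").upper(), m.group("email")


def triage(names):
    """Group encrypted file names by victim ID.

    Returns {victim_id: [(encrypted_name, original_name, contact_email), ...]}.
    Names that merely contain 'dodged' (a dropped binary, a bare '.dodged'
    suffix without ID and e-mail) are ignored, which keeps the count honest."""
    groups = defaultdict(list)
    for name in names:
        parsed = parse_dodged_name(name)
        if parsed:
            original, victim_id, email = parsed
            groups[victim_id].append((name, original, email))
    return dict(groups)


def scan_tree(root):
    """Walk a directory tree and triage every file name found under it."""
    names = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage(names)


# Constructed sample names for the example; they are not real IOCs.
SAMPLE_NAMES = [
    "Contract.docx.id-0A1B2C3D.restore@example.com.dodged",
    "Q3 report.v2.final.xlsx.id-0a1b2c3d.restore@example.com.DODGED",
    r"D:\shares\finance\backup.tar.gz.id-FFEE0011.[help@example.net].dodged",
    "notes.txt",
    "dodged.exe",
    "invoice.pdf.dodged",
]

if __name__ == "__main__":
    for victim_id, files in sorted(triage(SAMPLE_NAMES).items()):
        print(f"victim ID {victim_id}: {len(files)} file(s)")
        for encrypted, original, email in files:
            print(f"  {encrypted}\n    original: {original}  contact: {email}")
```

Two distinct victim IDs in one share is itself a finding: it usually means two separately infected hosts wrote to the same location, so the IDs are worth carrying into the host-scoping step of the investigation.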

2. Detection & Outbreak Timeline

  • Approximate Start Date / Period: First large-scale sightings appeared in late January 2024, with telemetry spikes continuing through March and April 2024.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    • Exploitation of unpatched CVE-2023-34362 (MOVEit Transfer) to plant a web shell, then a reverse shell, then the ransomware payload.
    • Malicious e-mail attachments masquerading as "MOVEit Security Update.exe".
    • Brute-force attacks on exposed RDP (3389/TCP), followed by PsExec for lateral movement.
    • Public-facing NAS devices still using default credentials, leveraged for rapid internal spread.

Remediation & Recovery Strategies

1. Prevention

  • Patch MOVEit Transfer to June 2023 cumulative build or later.
  • Disable SMBv1; enforce SMB signing and RDP NLA (Network-Level Authentication).
  • Segment networks; isolate SSH/RDP jump boxes.
  • Implement application allow-listing (AppLocker/WDAC) and MFA for admin consoles.
  • Use reputable mail-filtering & sandboxing solutions; block .exe, .js, and macro-enabled Office attachments by default.

2. Removal

  1. Disconnect affected machines from the network (unplug Ethernet, disable Wi-Fi) rather than powering them off; if the incident may need forensic follow-up, capture a memory image and a disk image before any cleaning.
  2. Identify the active dodged.exe process with Task Manager or Process Explorer, and use Autoruns to find persistence entries, including the Run and RunOnce keys under both HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion.
  3. Boot into Safe Mode (keep networking disabled while the host is still isolated) or boot from a rescue medium.
  4. Run a full on-demand scan with reputable anti-malware (e.g., Microsoft Defender Offline, Malwarebytes, or Kaspersky Rescue Disk).
  5. Manually delete any residual scheduled tasks, services, or WMI event subscriptions created by dodged.
  6. Once clean, apply the relevant patches (MOVEit Transfer and the operating system), update anti-malware signatures, and only then re-enable the network adapter. Because the malware harvests stored credentials, treat every password and SSH key that lived on the host as compromised and rotate it.

3. File Decryption & Recovery

  • Recovery Feasibility: No public decryptor exists. The variant encrypts each file with AES-256 under a per-file key, and each key is wrapped with an RSA-2048 public key whose private half is held offline by the attacker, so files cannot be recovered without that private key.
  • Essential Tools / Patches:
    • Patch MOVEit Transfer to the current secure build (Progress Software advisory KB 74828).
    • Offline backups stored in immutable cloud storage with WORM/lock mode enabled (e.g., AWS S3 Object Lock, Azure immutable blob storage); verify with a test restore that the copies are reachable without credentials from the compromised environment.
    • Keep offline bootable recovery media ready (Microsoft DaRT, system repair discs).

4. Other Critical Information

  • Additional Precautions:
    • Dodged deletes Volume Shadow Copies and disables automatic Windows recovery at boot, using vssadmin delete shadows /all and bcdedit /set recoveryenabled no. Local restore points therefore cannot be relied on; ensure backups are offline or in immutable cloud storage and cannot be reached with credentials from the compromised host.
    • Unique to dodged: a Rust-based loader with a bespoke packer that evaded memory-based signatures for roughly 3–4 weeks after the first binaries surfaced.
    • Harvests any discovered .ssh keys and browser-stored passwords for lateral movement before encrypting network shares.
  • Broader Impact:
    • Several mid-size managed-service providers (MSPs) serving SMB customers saw 5–30% of their client base hit in a single weekend.
    • The extortion note threatens a data auction after 72 h; a sample of exfiltrated SQL dumps is usually uploaded to Mega.nz. Those samples are typically removed once discovered, but assume the data is already in the attacker's hands and prepare for a leak.
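The shadow-copy and recovery-tampering commands listed above are among the most reliable pre-encryption signals a SOC can alert on, because they run seconds before the encryptor starts. Below is an added Python example (not code from this page or from any vendor product) that runs that detection over constructed process-creation records and escalates when one host trips two or more distinct rules inside a short window. It goes beyond the two commands the page attributes to dodged by also covering wmic shadowcopy delete, wbadmin delete catalog, the bcdedit bootstatuspolicy switch and vssadmin resize shadowstorage, which are common companions of the same routine; the pipe-delimited event format, the host and user names and the dodged.exe path are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Detection rules for recovery tampering. The first two cover the commands the page
# attributes to dodged; the rest are common companions of the same routine and are
# an addition by this example, not behaviour the page reports.
RULES = [
    ("vss_delete_shadows", "high",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("bcdedit_recovery_off", "high",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit_ignore_failures", "high",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("wmic_shadowcopy_delete", "high",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin_delete_catalog", "high",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("vss_resize_storage", "medium",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
]

# Constructed process-creation records: timestamp|host|user|parent image|command line.
# Hosts, users and paths are invented for the example.
SAMPLE_EVENTS = r"""
2024-03-02T03:14:07Z|FS01|CORP\svc_backup|C:\Windows\System32\cmd.exe|vssadmin list shadows
2024-03-02T03:15:21Z|WS042|CORP\jdoe|C:\Users\jdoe\AppData\Local\Temp\dodged.exe|"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
2024-03-02T03:15:22Z|WS042|CORP\jdoe|C:\Users\jdoe\AppData\Local\Temp\dodged.exe|bcdedit /set recoveryenabled no
2024-03-02T03:15:22Z|WS042|CORP\jdoe|C:\Users\jdoe\AppData\Local\Temp\dodged.exe|bcdedit /set bootstatuspolicy ignoreallfailures
2024-03-02T03:15:23Z|WS042|CORP\jdoe|C:\Users\jdoe\AppData\Local\Temp\dodged.exe|wmic shadowcopy delete
2024-03-02T08:02:44Z|FS01|CORP\admin|C:\Windows\System32\cmd.exe|vssadmin resize shadowstorage /for=D: /on=D: /maxsize=20%
"""


def parse_event(line):
    """Split one record into its fields; the command line may itself contain '|'."""
    ts, host, user, parent, cmd = line.split("|", 4)
    return {"ts": ts, "dt": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "user": user, "parent": parent, "cmd": cmd}


def match_rules(cmd):
    """Names and severities of every rule the command line triggers."""
    return [(name, sev) for name, sev, rx in RULES if rx.search(cmd)]


def detect(text):
    """Run the rules over newline-separated records; one hit per (event, rule)."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for name, sev in match_rules(ev["cmd"]):
            hits.append({**ev, "rule": name, "severity": sev})
    return hits


def correlate(hits, window_s=300):
    """Escalate a host to a ransomware-precursor alert when it triggers at least
    two distinct rules within window_s seconds. A lone shadow-storage resize by an
    admin stays a medium hit; the burst from dodged.exe does not."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    alerts = {}
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h["dt"])
        for i, first in enumerate(hs):
            window = [h for h in hs[i:]
                      if (h["dt"] - first["dt"]).total_seconds() <= window_s]
            rules = sorted({h["rule"] for h in window})
            if len(rules) >= 2:
                alerts[host] = {"first_seen": first["ts"], "rules": rules,
                                "parent": first["parent"], "user": first["user"]}
                break
    return alerts


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['ts']} {h['host']:6} {h['severity']:6} {h['rule']:24} {h['cmd']}")
    for host, a in correlate(hits).items():
        print(f"ALERT {host}: {len(a['rules'])} tampering rules from {a['parent']} "
              f"as {a['user']} starting {a['first_seen']}")
```

The parent image is carried into the alert on purpose: a tampering burst whose parent is an unsigned binary under a user's Temp directory, as in the constructed sample, is the case to isolate first, while the same commands from a backup agent's service account deserve a ticket rather than a host quarantine.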

Remain vigilant: new dodged samples continue to surface every few weeks. They typically change only minor strings while keeping the same crypto and extension, so updated defensive signatures remain largely effective.