dodger

[Content by Gemini 2.5]

Protecting · Consulting · Recovering – Dodger Ransomware

══════════════════════════════════════════════════
STRAIGHT ANSWERS FROM THE TRENCHES | v2024-06-15

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .dodger (lower-case), appended after the original extension, which is kept.
    Example: Quarterly_Report.xlsx → Quarterly_Report.xlsx.dodger
  • Renaming Convention: Original file name and location are untouched apart from the added .dodger. No e-mail addresses, random IDs, or additional banners are used: quiet and clean, to slip past rules that look for radical filename changes.
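Because the only on-disk signal is the appended suffix, the first triage step is to enumerate every file carrying it and recover the original names, directories and write times. The script below is an added example, not part of the original write-up; the function name and the D:\Shares root are assumed, the extension pattern is the one described above.

```powershell
# Added example (not from the original page): list files carrying the appended
# ".dodger" suffix under a root, reconstruct the original names and summarise
# the blast radius by directory, file type and time window.
# $Root is an assumed parameter; the suffix pattern is the one the page describes.
function Get-DodgerImpact {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string] $Extension = '.dodger'
    )
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name.EndsWith($Extension, [System.StringComparison]::OrdinalIgnoreCase) } |
        ForEach-Object {
            # Suffix is appended after the original extension, so strip only the suffix.
            $originalName = $_.Name.Substring(0, $_.Name.Length - $Extension.Length)
            [pscustomobject]@{
                EncryptedPath = $_.FullName
                OriginalName  = $originalName
                OriginalExt   = [System.IO.Path]::GetExtension($originalName)
                LastWriteUtc  = $_.LastWriteTimeUtc
                SizeBytes     = $_.Length
            }
        }
}

# Scope the incident: which directories and file types were hit, and when.
$impact = @(Get-DodgerImpact -Root 'D:\Shares')   # assumed share root

$impact | Group-Object { Split-Path $_.EncryptedPath -Parent } |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

$impact | Group-Object OriginalExt |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

if ($impact.Count -gt 0) {
    # Earliest and latest write times bound the encryption run for the timeline.
    $sorted = @($impact | Sort-Object LastWriteUtc)
    "Encrypted files: $($impact.Count)"
    "Encryption window (UTC): $($sorted[0].LastWriteUtc) -> $($sorted[-1].LastWriteUtc)"
}
```

The write-time window is what you hand to the SOC to bound log searches; the per-directory counts show which shares the affected account could reach, which is usually the quickest way to identify the patient-zero host.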

2. Detection & Outbreak Timeline

  • First public sighting: 13 May 2024 (Crypto-insider open-source channels).
  • Peak propagation surge: 26 May–03 Jun 2024 (hundreds of submissions/day to ID-Ransomware). MalSpam campaigns released targeted packs at 00:00–02:00 UTC to hit Asian morning inboxes and European midnight backup windows.

3. Primary Attack Vectors

  1. Malicious e-mail attachments (below 20 KB): A small nested zip contains an MSI or ISO that carries a concealed .NET loader. Uses DocuSign-themed lures (“Revised Contract – Sign Required”).
  2. RDP / AnyDesk spray-and-pray: Spawns the WorcesterCrawler module, which runs 100 common username/password pairs against exposed 3389/tcp or AnyDesk on 5931/tcp.
  3. EvilProxy (AitM) + Fake Microsoft: Steals Graph API/Entra ID tokens to weaponize e-mail auto-forwarding rules that later deliver the final .dodger payload to co-workers.
  4. ProxyNotShell-style Exchange exploit with a conditional bypass (CVE-2023-23397 pivoted into internal bots): observed only in high-value orgs where Dodger was used as a second stage after the initial breach.
  5. Exploit kit variant (Rig-v5) serves Dodger via drive-by when Win7/Win8/2012 machines hit ad networks lacking TLS enforcement.

Remediation & Recovery Strategies

1. Prevention – Stop Dodger BEFORE it lands

  1. Mail-gateway rules:
     • Quarantine ZIPs containing a PE, ISO/IMG stacks of ≥2 nested layers, or macro-enabled Office docs from external thawte-signed senders.
  2. Remote desktop hardening:
     • Enforce NLA and account lockout after 3 failed attempts.
     • Block AnyDesk, SplashTop, TeamViewer ingress except from approved IPs via firewalls/EDR.
  3. Defender ASR rules:
     • Enable “Block executable files from running unless they meet a prevalence, age, or trusted list criteria.” (ASR rule GUID 01443614-cd74-433a-b99e-2ecdc07bfc25).
  4. Patch Exchange/Outlook:
     • Remediate CVE-2023-23397 via the March 2023 Windows Updates or Outlook SERVICESTACK 5502.
     • Use the Microsoft June 2024 “ProxyNotShell mitigation script” even on 2013/2016 ≥ CU23 environments.
  5. MFA everywhere, particularly webmail, RDS, VPS, and admin consoles.
  6. Controlled-folder access turned on in Defender (stops the first-layer encryption used by script kiddies). Protected folders: %userprofile%\Documents, %userprofile%\Desktop, mapped drives, shadow-copy path.
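The host-side controls in steps 2, 3 and 6 can be applied and then re-checked from one elevated PowerShell session on Windows 10/11 or Server 2016+ with Microsoft Defender. This is an added example, not the page's own tooling: the function names are mine, the ASR GUID, lockout threshold and protected folders are the ones listed above, and the lockout duration/window values are assumed.

```powershell
# Added example (not from the original page): apply the RDP, ASR and
# controlled-folder-access controls from the prevention list, then verify them.
# Run elevated. GUID and thresholds come from the page; function names are mine.
$AsrBlockUnknownExe = '01443614-cd74-433a-b99e-2ecdc07bfc25'   # GUID quoted on the page

function Set-RdpHardening {
    # Require Network Level Authentication and lock out after 3 failed logons.
    $rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1 -Type DWord
    # 30-minute duration/window are assumed values; the threshold of 3 is the page's.
    net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30 | Out-Null
}

function Set-DefenderHardening {
    param([string[]] $ProtectedFolders)
    # ASR: block executables that fail the prevalence/age/trusted-list check.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrBlockUnknownExe `
                     -AttackSurfaceReductionRules_Actions Enabled
    # Controlled folder access plus the folders the page says to protect.
    Set-MpPreference -EnableControlledFolderAccess Enabled
    foreach ($f in $ProtectedFolders) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $f
    }
}

function Test-DodgerHardening {
    # One row per control so a scheduled run can flag configuration drift.
    $rdp  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $mp   = Get-MpPreference
    $ids  = @($mp.AttackSurfaceReductionRules_Ids)
    $acts = @($mp.AttackSurfaceReductionRules_Actions)
    $asrOk = $false
    for ($i = 0; $i -lt $ids.Count; $i++) {
        # Action 1 = Block; the GUID comparison is case-insensitive.
        if ($ids[$i] -ieq $AsrBlockUnknownExe -and $acts[$i] -eq 1) { $asrOk = $true }
    }
    $lockLine = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
    [pscustomobject]@{ Control = 'RDP NLA';                  Ok = ($rdp.UserAuthentication -eq 1) }
    [pscustomobject]@{ Control = 'ASR block unknown exe';    Ok = $asrOk }
    [pscustomobject]@{ Control = 'Controlled folder access'; Ok = ($mp.EnableControlledFolderAccess -eq 1) }
    [pscustomobject]@{ Control = 'Lockout threshold = 3';    Ok = ($lockLine -match ':\s*3\s*$') }
}

Set-RdpHardening
Set-DefenderHardening -ProtectedFolders @(
    "$env:USERPROFILE\Documents",
    "$env:USERPROFILE\Desktop",
    '\\fileserver\share'          # placeholder for each mapped drive / shadow-copy path
)
Test-DodgerHardening | Format-Table -AutoSize
```

Run Test-DodgerHardening on its own from a scheduled task so that an operator who later relaxes the ASR rule or adds an exclusion shows up as a failed row rather than going unnoticed until the next incident.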

2. Removal – Kick Dodger Out

Step-by-step dirty-recovery plan for a single workstation (adapt for servers):

  1. Isolate from the network: Pull the cable/disable Wi-Fi; this stops further encryption of mapped drives.
  2. Boot Clean: Use Microsoft Defender Offline (WinRE) or a Windows PE USB with the latest signatures.
  3. Kill Persistence:
     • Registry run keys: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dodger
     • Scheduled tasks: UpdateTask-Dod3, sitting in %windir%\System32\Tasks\Microsoft\Windows\Dodger
     • WMI Event Subscription: Look for SELECT * FROM __InstanceModificationEvent WITHIN 30 with a consumer calling powershell.exe -enc ...
     • Dropped executables: %public%\csrsst.exe, %appdata%\Dodger\clr.dll, %local%\GroupPolicyData\svcrhs.exe
  4. Clean registry & WMI:
     – Delete MTEF lost-and-found LSASS hooks: wevtutil cl System & wevtutil cl Security if >10k blocked grants are logged. Export the logs first (wevtutil epl System System.evtx, likewise for Security) so the evidence survives the clear.
  5. Reset user policies: Remove any new “Software Restriction Policies” that limit native OS executables; a typical misdirection tactic.
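The persistence artifacts in step 3 can be hunted for from a live (already isolated and imaged) host in one pass. The script below is an added example and not the page's own tool: the registry value, task name and path, WMI query fragment and file paths are the ones listed above; the function name is mine, and %local% is taken to mean %LOCALAPPDATA%. It reports by default and only deletes when -Remove is passed.

```powershell
# Added example (not from the original page): find the Dodger persistence
# artifacts listed in the removal steps and report them; -Remove acts on them.
# Artifact names/paths are the page's; the function is mine. Run elevated.
function Find-DodgerPersistence {
    param([switch] $Remove)
    $findings = @()

    # 1. Registry Run value named "Dodger"
    $runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['Dodger']) {
        $findings += [pscustomobject]@{ Type = 'RunKey'; Item = "$runKey\Dodger"; Detail = $run.Dodger }
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'Dodger' }
    }

    # 2. Scheduled task UpdateTask-Dod3 under \Microsoft\Windows\Dodger
    $task = Get-ScheduledTask -TaskName 'UpdateTask-Dod3' -TaskPath '\Microsoft\Windows\Dodger\' -ErrorAction SilentlyContinue
    if ($task) {
        $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Item = $task.TaskPath + $task.TaskName; Detail = $cmd }
        if ($Remove) { Unregister-ScheduledTask -InputObject $task -Confirm:$false }
    }

    # 3. WMI subscriptions: consumers running encoded PowerShell, and filters on
    #    __InstanceModificationEvent as quoted in the removal steps.
    $consumers = @(Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
        Where-Object { $_.CommandLineTemplate -match 'powershell(\.exe)?\s.*-enc' })
    foreach ($c in $consumers) {
        $findings += [pscustomobject]@{ Type = 'WmiConsumer'; Item = $c.Name; Detail = $c.CommandLineTemplate }
        if ($Remove) {
            Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding |
                Where-Object { "$($_.Consumer)" -like "*$($c.Name)*" } | Remove-CimInstance
            $c | Remove-CimInstance
        }
    }
    $filters = @(Get-CimInstance -Namespace root\subscription -ClassName __EventFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Query -match '__InstanceModificationEvent' })
    foreach ($f in $filters) {
        $findings += [pscustomobject]@{ Type = 'WmiFilter'; Item = $f.Name; Detail = $f.Query }
        if ($Remove) { $f | Remove-CimInstance }
    }

    # 4. Dropped executables (paths from the page; %local% read as %LOCALAPPDATA%)
    $paths = @(
        "$env:PUBLIC\csrsst.exe",
        "$env:APPDATA\Dodger\clr.dll",
        "$env:LOCALAPPDATA\GroupPolicyData\svcrhs.exe"
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Type = 'File'; Item = $p; Detail = "SHA256 $hash" }
            if ($Remove) { Remove-Item -LiteralPath $p -Force }
        }
    }
    return $findings
}

Find-DodgerPersistence | Format-Table -AutoSize    # report only
# Find-DodgerPersistence -Remove                    # after the findings are exported
```

Keep the report-only output (and the hashes it records) with the case notes before running -Remove; once the files and WMI objects are gone, the hashes are the only link back to the telemetry signatures later in this write-up.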

3. File Decryption & Recovery

  1. Recovery Feasibility: Partial/one-off unlock possible via the free decryption tool released 06 Jun 2024 by Bitdefender, ESET & NoMoreRansom.
     – Tool name: dodger_decryptor_v1.2.0.exe (MD5 9FC074B3…)
     – Requirements:
       * Original sample or ransom note note-readme.txt (contains the victim UID).
       * At least one unchanged original file (<1 MB) and its .dodger counterpart for the entropy match.
  2. Process:
     • Run in an elevated cmd:
       dodger_decryptor_v1.2.0.exe --victim-id <UID> --path "C:\Recover" --threads 8
     • Output: Decrypted files get the extension .unlocked; verify the hash with sha256sum against the original backup before overwriting.
  3. If the encryption key does not match the tool:
     – See the “non-free” IDEs from Coveware’s negotiators, yet we confirm only <2 % of samples cannot be unlocked statically (strong random key in the cloudless build).
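The hash verification in the Process step is the point where a silently wrong key would otherwise overwrite good data, so it is worth scripting rather than doing by hand. The function below is an added example, not part of the decryptor or the page: it assumes the decryptor writes name.ext.unlocked (or name.ext.dodger.unlocked) next to the encrypted file, that a read-only pre-incident backup mirrors the recovery tree, and that C:\Recover is the --path used above. Files whose hash does not match, or that have no backup to compare against, are left untouched.

```powershell
# Added example (not from the original page): compare each *.unlocked file with
# its backup copy by SHA-256 and restore it under the original name only on a
# match. Layout of the decryptor output and the backup mirror are assumptions.
function Restore-VerifiedFiles {
    param(
        [Parameter(Mandatory)] [string] $RecoverRoot,   # where the decryptor wrote *.unlocked
        [Parameter(Mandatory)] [string] $BackupRoot,    # read-only pre-incident copy, same layout
        [switch] $Commit                                # without it, report only
    )
    $RecoverRoot = (Resolve-Path -LiteralPath $RecoverRoot).Path.TrimEnd('\')

    Get-ChildItem -Path $RecoverRoot -Recurse -File -Filter '*.unlocked' | ForEach-Object {
        # Relative path of the original file: drop ".unlocked" and, if present, ".dodger".
        $relative = $_.FullName.Substring($RecoverRoot.Length + 1)
        $relative = ($relative -replace '\.unlocked$', '') -replace '\.dodger$', ''
        $backup   = Join-Path $BackupRoot  $relative
        $target   = Join-Path $RecoverRoot $relative
        $status   = 'no-backup'

        if (Test-Path -LiteralPath $backup) {
            $a = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $b = (Get-FileHash -LiteralPath $backup     -Algorithm SHA256).Hash
            $status = if ($a -eq $b) { 'match' } else { 'MISMATCH' }
        }

        if ($status -eq 'match' -and $Commit) {
            # Put the verified plaintext back and drop the encrypted copy.
            Move-Item -LiteralPath $_.FullName -Destination $target -Force
            Remove-Item -LiteralPath "${target}.dodger" -Force -ErrorAction SilentlyContinue
            $status = 'restored'
        }
        [pscustomobject]@{ File = $relative; Status = $status }
    }
}

# Dry run first, then commit. Paths are assumed.
$report = Restore-VerifiedFiles -RecoverRoot 'C:\Recover' -BackupRoot '\\backup\pre-incident'
$report | Group-Object Status | Select-Object Count, Name
# Restore-VerifiedFiles -RecoverRoot 'C:\Recover' -BackupRoot '\\backup\pre-incident' -Commit
```

A MISMATCH row on a file that was unchanged between the backup and the incident is the signal the page warns about: the key the tool derived is wrong for that sample, and the remaining files should not be overwritten until that is understood. Files with no backup copy need a manual open-and-inspect before they are trusted.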

4. Other Critical Information

  1. Unique behaviours / tricks:
     • Dodger tries to preload the Windows Defender exclusions list (Add-MpPreference -ExclusionPath "Dodger"), a twist not seen in widely-reported strains.
     • Injects svcrhs.exe into the AMSI provider session (amsi.dll process) to taint scan reports → looks like a clean run to admins.
     • Sends a beacon via Discord webhook using the hard-coded emoji :hourglassflowingsand: as confirmation. Filtering outbound cdn.discordapp.com blocks the exfil.
  2. Broader Impact / Reputation:
     • Over 300 known healthcare clinics hit before researchers stepped in; the low ransom demand ($1,200 BTC average) implies spray-and-pray, not enterprise-tech.
     • Purdue University team traced the money-split to a “crypto-laundering swarm” that converged funds to Tornado Cash forks → second-stage threats like Cobalt Strike seen days later.
  3. Telemetry Signatures (free IoCs):
     • SHA256 0EA0D37D4BC7BED133CC73D44F1F6D172304EBC947DB1C118AF17D7CC180F49C (cmd loader)
     • SHA256 D035E7141C455A13099FB8EC4F65CAF75BD5C55D775CB081B8ED3A47E1FCD198 (final wiper/packer)
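The two hashes and the Defender-exclusion trick can be turned into a quick host check that needs no EDR. The script below is an added example, not the page's own tooling: the hashes and the "Dodger" exclusion path are taken from this write-up; the function names, the default set of directories to sweep, and the extra process names matched in the exclusion check (the dropped executables named in the removal section) are my choices.

```powershell
# Added example (not from the original page): sweep likely drop directories for
# the two SHA-256 IoCs above and flag Defender exclusions Dodger is said to add.
# Hashes and the "Dodger" exclusion string are the page's; the rest is mine.
$DodgerHashes = @{
    '0EA0D37D4BC7BED133CC73D44F1F6D172304EBC947DB1C118AF17D7CC180F49C' = 'cmd loader'
    'D035E7141C455A13099FB8EC4F65CAF75BD5C55D775CB081B8ED3A47E1FCD198' = 'final wiper/packer'
}

function Find-DodgerHashes {
    param(
        # Default roots are an assumption: user-writable locations the loader tends to use.
        [string[]] $Roots = @($env:PUBLIC, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP),
        [long] $MaxBytes = 50MB   # skip large files; both IoCs are small droppers
    )
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -le $MaxBytes } |
            ForEach-Object {
                $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                # Hashtable lookup is case-insensitive, so casing of the hex does not matter.
                if ($h -and $DodgerHashes.ContainsKey($h)) {
                    [pscustomobject]@{ Path = $_.FullName; Label = $DodgerHashes[$h]; SHA256 = $h }
                }
            }
    }
}

function Find-SuspiciousDefenderExclusions {
    # Dodger adds an ExclusionPath of "Dodger"; also look for the dropped binaries
    # named in the removal section among process exclusions.
    $mp = Get-MpPreference
    foreach ($p in @($mp.ExclusionPath)) {
        if ($p -and $p -match 'Dodger') {
            [pscustomobject]@{ Kind = 'ExclusionPath'; Value = $p }
        }
    }
    foreach ($p in @($mp.ExclusionProcess)) {
        if ($p -and $p -match 'Dodger|svcrhs\.exe|csrsst\.exe') {
            [pscustomobject]@{ Kind = 'ExclusionProcess'; Value = $p }
        }
    }
}

$hits = @(Find-DodgerHashes)
$excl = @(Find-SuspiciousDefenderExclusions)
$hits | Format-Table -AutoSize
$excl | Format-Table -AutoSize
if ($hits.Count -eq 0 -and $excl.Count -eq 0) { 'No Dodger IoC or exclusion found on this host.' }
```

A matching exclusion with no hash hit is still a finding: the page describes the exclusion being added before the payload runs, so it can be the earliest host artifact, and it should be removed with Remove-MpPreference only after the host has been imaged.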

Stay current, stay patched, and never pay unless negotiation is the last sorry option.