dodoc

[Content by Gemini 2.5]

Dodoc Ransomware Comprehensive Guide


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .dodoc
    Every encrypted file has the .dodoc suffix appended after the original extension (e.g., report.xlsx becomes report.xlsx.dodoc).
  • Renaming Convention:
    File content is encrypted with AES-256; the original filename and path are preserved and only the .dodoc suffix is appended. No e-mail address or victim-ID string is inserted into the name, so a directory listing shows exactly which files were hit when the ransom message appears. The .dodoc suffix is also reported on NTFS alternate data streams (ADS), which occasionally carry additional malware, so list streams (dir /R) as well as visible files when scoping an infection.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    First public sample: 1 March 2024 (uploaded to VirusTotal from Ukraine).
    Campaign ramp-up: 18 March – 30 April 2024 widespread phishing emails themed “2024 Tax Refund”.
    Peak wave: 10 May 2024, exploiting CVE-2023-34362 (MOVEit Transfer) on internet-exposed instances. Smaller resurgence seen around 12 July 2024.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Phishing E-mails – ZIP/ISO attachments containing a malicious shortcut (.lnk) that fetches the primary loader and runs it through MSBuild.exe, a signed Microsoft binary that will build and execute an attacker-supplied project file (living-off-the-land binary abuse).
  2. Exploit Kits – Rapid Exploit Kit (REK) served from compromised WordPress sites, dropping the dodoc payload through the SocGholish fake-browser-update framework.
  3. Vulnerable Public-Facing Services
    • MOVEit Transfer CVE-2023-34362 (SQL injection in the web front end; the entry point for the May-2024 wave).
    • SMBv1 / EternalBlue (CVE-2017-0144, fixed by MS17-010), used for lateral movement against unpatched Windows 7 and Server 2008 R2 hosts.
  4. RDP / VPN Compromise – brute-forced or credential-stuffed RDP accounts; Mimikatz for credential dumping, then SharpRDP to pivot.
  5. Third-Party Software – trojanised cracked PDF-to-PPT converters; the dropper is signed with a revoked (but not yet reputation-blocked) certificate issued to “Airo Global Software LLC”, so check revocation status rather than trusting a valid-looking signature.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    • Patch immediately: MOVEit Transfer to 2023.0.6 or later (fix for CVE-2023-34362); Windows MS17-010; disable SMBv1 via GPO (Windows 7 / Server 2008 R2 first need the SHA-2 signing updates listed under Essential Tools below before they can receive patches).
    • E-mail hygiene: strip ISO/ZIP attachments by policy; enforce the “Block macros from running in Office files from the Internet” policy; treat .lnk files inside archives as executable content.
    • RDP lockdown: lock accounts after 5 failed attempts; allow RDP only through VPN with MFA; never expose 3389 directly to the internet (changing the port only cuts scanner noise and is not a control).
    • Application control: MSBuild.exe is on Microsoft’s recommended WDAC block list for non-developer hosts; block it (with the other LOLBins) wherever code is not built, and allow-list only the .NET Framework / Visual Studio copies where it is.
    • EDR/AV behavioural rules: alert on a single process renaming many user files to *.dodoc, on rapid rewrites of user-data folders with near-8 bit/byte entropy, and on vssadmin delete shadows /all /quiet (see Recovery below).
    • Offline/immutable backups: 3-2-1 strategy with at least one copy the compromised domain cannot alter (S3 Object Lock, Azure immutable blob storage, or tape), and restore tests performed in isolation.

2. Removal

  • Infection Cleanup (Step-by-Step):
  1. Isolate:
    • Physically disconnect network or block host firewall ports 445, 135, 139.
  2. Identify & Kill Processes:
    • Look for dodoc.exe, dodcrypt.exe, and svchost.exe instances running from %TEMP% (the genuine svchost.exe runs only from %WINDIR%\System32). Kill via Task Manager or taskkill /F /IM dodoc.exe; for the disguised svchost.exe copies use taskkill /F /PID <pid>, since /IM svchost.exe would target the legitimate instances too.
  3. Delete Persistence:
    • Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run; look for a random-character value name whose data points to %APPDATA%\winlogon32.exe (check the HKLM Run and RunOnce keys as well).
    • Scheduled tasks: schtasks /Query /FO LIST /V | find /I "taskdod"; remove with schtasks /Delete /TN <task name> /F.
    • Startup folders: clean C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (and the all-users Startup folder under ProgramData).
  4. Clean Boot: boot into Safe Mode or, better, from rescue media so the infected OS is not running, then run an updated on-demand scanner such as ESET Rescue Disk, Bitdefender Rescue, or Microsoft Safety Scanner.
  5. System Restore (optional): only useful if restore points survived; dodoc deletes shadow copies, which is where restore points are stored. If any remain, roll the system volume back and then perform a full AV sweep.
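The persistence checks in step 3 amount to reviewing autoruns. As an added example for this page (not a tool from the guide or any vendor), the Python below parses the text that `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and `schtasks /Query /FO LIST /V` produce on the infected host (redirect each to a file and analyse offline), flags the indicators this guide names (winlogon32.exe, the taskdod task, svchost.exe outside System32), and also applies the general rule that nothing should autorun from a user-writable location. The embedded sample outputs are constructed, and the indicator set and path heuristics are assumptions to tune for your estate.

```python
"""Flag suspicious autoruns in exported `reg query` and `schtasks` output.

Example code written for this page, not part of any vendor tool. The sample
outputs below are constructed; indicator names come from the guide.
"""
import re

# Indicators named in the guide
KNOWN_BAD_BINARIES = {"winlogon32.exe", "dodoc.exe", "dodcrypt.exe"}
KNOWN_BAD_TASK_FRAGMENT = "taskdod"

# General heuristic (assumption): autoruns should not start from user-writable dirs
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|%appdata%|%localappdata%|%temp%|\\temp\\|\\programdata\\",
    re.I,
)

# `    Name    REG_SZ    data` lines that follow a HKEY_... header
REG_VALUE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s*(?P<data>.*)$")
# `Field Name:   value` lines from schtasks /FO LIST
TASK_FIELD = re.compile(r"^(?P<key>[A-Za-z][A-Za-z /]*):\s*(?P<value>.*)$")

SAMPLE_REG_RUN = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    x8f2kq    REG_SZ    C:\Users\alice\AppData\Roaming\winlogon32.exe
    Updater    REG_SZ    C:\Users\alice\AppData\Local\Temp\svchost.exe -k netsvcs
"""

SAMPLE_SCHTASKS = r"""
Folder: \
HostName:                             WS-ALICE
TaskName:                             \taskdod_sync
Next Run Time:                        5/13/2024 9:00:00 AM
Status:                               Ready
Author:                               alice
Task To Run:                          C:\Users\alice\AppData\Local\Temp\svchost.exe
Start In:                             N/A

Folder: \Microsoft\Windows\Defrag
HostName:                             WS-ALICE
TaskName:                             \Microsoft\Windows\Defrag\ScheduledDefrag
Next Run Time:                        N/A
Status:                               Ready
Author:                               Microsoft Corporation
Task To Run:                          %windir%\system32\defrag.exe -c -h -o -$
Start In:                             N/A
"""


def exe_path(command: str) -> str:
    """Return the executable part of a command line, quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def classify(command: str) -> list:
    """Reasons why an autorun command looks suspicious (empty list = clean)."""
    exe = exe_path(command)
    base = exe.rsplit("\\", 1)[-1].lower()
    reasons = []
    if base in KNOWN_BAD_BINARIES:
        reasons.append(f"known indicator binary {base}")
    if USER_WRITABLE.search(exe):
        reasons.append("launches from user-writable location")
    if base == "svchost.exe" and "\\windows\\system32\\" not in exe.lower():
        reasons.append("svchost.exe outside System32")
    return reasons


def parse_reg_run(text: str) -> list:
    """(key, value_name, data) triples from `reg query ...\\Run` output."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := REG_VALUE.match(line)):
            entries.append((key, m["name"].strip(), m["data"].strip()))
    return entries


def parse_schtasks_list(text: str) -> list:
    """One dict per task from `schtasks /Query /FO LIST /V` output (blank line ends a record)."""
    tasks, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if "TaskName" in current:
                tasks.append(current)
            current = {}
            continue
        if (m := TASK_FIELD.match(line)):
            current[m["key"].strip()] = m["value"].strip()
    return tasks


def flag_autoruns(reg_text: str, tasks_text: str) -> list:
    """Combine both sources into a sorted list of findings for the analyst."""
    findings = []
    for key, name, data in parse_reg_run(reg_text):
        if (reasons := classify(data)):
            findings.append({"kind": "run", "name": name, "target": data,
                             "source": key, "reasons": reasons})
    for task in parse_schtasks_list(tasks_text):
        target = task.get("Task To Run", "")
        reasons = classify(target)
        if KNOWN_BAD_TASK_FRAGMENT in task["TaskName"].lower():
            reasons.append(f"task name contains '{KNOWN_BAD_TASK_FRAGMENT}'")
        if reasons:
            findings.append({"kind": "task", "name": task["TaskName"], "target": target,
                             "source": "schtasks", "reasons": reasons})
    return sorted(findings, key=lambda f: (f["kind"], f["name"]))


if __name__ == "__main__":
    for f in flag_autoruns(SAMPLE_REG_RUN, SAMPLE_SCHTASKS):
        print(f"[{f['kind']}] {f['name']} -> {f['target']}\n    " + "; ".join(f["reasons"]))
```

Replace the two sample strings with the real exports (`reg query ... > run.txt`, `schtasks /Query /FO LIST /V > tasks.txt`) and feed their contents to flag_autoruns; anything it reports is a candidate for the schtasks /Delete and registry cleanup in step 3, after you have confirmed the target binary.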

3. File Decryption & Recovery

  • Recovery Feasibility:
    Decryption: currently not publicly possible. dodoc encrypts file content with AES-256 and wraps the AES keys with an RSA-2048 public key embedded in the binary; only the operators’ private key can unwrap them, and neither that key nor the offline decryption tool has been recovered or broken.
    Possible Exceptions:

    • If the malware fails to reach C2 and falls back to an embedded “test” RSA key (rare), the matching private key recovered from a test sample may work; try Emsisoft’s DodocDecryptor v1.1-beta (Emsisoft blog, 2024-06-02) on copies of a few files before touching the rest.
    Decryption Alternatives:
    • Restore from clean offline backups (tape, Veeam immutable repositories).
    • Volume Shadow Copies: dodoc runs vssadmin delete shadows /all /quiet, but check anyway (vssadmin list shadows); the deletion fails where the process lacked administrative rights or never reached a volume, and any surviving snapshot predates encryption.
    • File carving: PhotoRec / File Scavenger can pull pre-encryption copies from unallocated clusters where originals were deleted rather than overwritten in place; expect a low recovery rate.
  • Essential Tools/Patches:
    • Microsoft KB4474419 & KB4490628 (SHA-2 signing patch) to allow future security updates on old OS.
    • CVE-2023-34362 patch from Progress for MOVEit.
    • Trusted decryptor/utility pages:
      • https://www.emsisoft.com/ransomware-decryption-tools
      • https://decrypt.bleepingcomputer.com/dodoc

4. Other Critical Information

  • Additional Precautions:
    Unique Entropy Marker: the encryption routine writes the 4-byte sequence "\xDC\xDD\xCC\x02" at offset 512, followed by 64 bytes of per-file random data. The fixed bytes, not the random tail, are what the YARA rule published on GitHub matches for retro-hunting, so anchor any rule of your own at that offset as well.
    Token manipulation: dodoc is reported to use NtSetInformationToken to modify its own access token. Credential Guard and Hypervisor-Protected Code Integrity (HVCI) should be enabled as general hardening, but they protect credentials and kernel code integrity; they do not stop a user-mode process from adjusting its own token, so rely on EDR detections of that call and on least-privilege accounts for this behaviour.
    Network signatures: outbound HTTPS POST to /api/v1/submit_key on tortue-chaude[.]com and can0909[.]top (both sinkholed since July 2024). Keep them blocked in DNS and alert on any resolution attempt: a lookup from inside the network indicates a live sample even if the POST never succeeds.
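To make the file-level indicators concrete (the appended .dodoc suffix from section 1, the mass-rename / entropy rule under Prevention, and the header marker above), here is an added Python triage script written for this page; it is not part of the dodoc toolset or any vendor’s decryptor. It walks a directory for *.dodoc files, recovers each original name, checks for the marker bytes "\xDC\xDD\xCC\x02" at offset 512 that the guide describes, and measures the Shannon entropy of the first 64 KiB so that a file merely renamed to .dodoc can be told apart from one that was actually encrypted. The marker bytes and offset come from this guide; the 7.0 bit/byte threshold, the verdict labels, and the sample files it writes to a temp directory are assumptions for the example.

```python
"""Triage *.dodoc files: naming pattern, header marker, and byte entropy.

Example code written for this page; the marker bytes and offset come from the
guide, the threshold and the constructed sample files are assumptions.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

SUFFIX = ".dodoc"
MARKER = b"\xdc\xdd\xcc\x02"   # sequence the guide says starts at offset 512
MARKER_OFFSET = 512
ENTROPY_THRESHOLD = 7.0        # bits/byte (assumption); AES output sits near 7.99
SAMPLE_SIZE = 64 * 1024        # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def has_marker(head: bytes) -> bool:
    """True if the guide's marker sits at MARKER_OFFSET in the file head."""
    return head[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] == MARKER


def original_name(filename: str) -> str:
    """report.xlsx.dodoc -> report.xlsx; the suffix is appended, not substituted."""
    return filename[:-len(SUFFIX)] if filename.lower().endswith(SUFFIX) else filename


def triage_file(path: Path) -> dict:
    """Classify one *.dodoc file from its head bytes."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_SIZE)
    entropy = shannon_entropy(head)
    marker = has_marker(head)
    # Marker present or near-random content => really encrypted; otherwise only renamed
    verdict = "encrypted" if (marker or entropy >= ENTROPY_THRESHOLD) else "renamed-only"
    return {
        "path": str(path),
        "original": original_name(path.name),
        "entropy": round(entropy, 2),
        "marker": marker,
        "verdict": verdict,
    }


def scan(root) -> list:
    """Walk root and triage every file carrying the .dodoc suffix."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SUFFIX):
                hits.append(triage_file(Path(dirpath) / name))
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree() -> str:
    """Constructed test data (not real samples): one file laid out as the guide
    describes, one merely renamed, one untouched."""
    root = Path(tempfile.mkdtemp(prefix="dodoc-triage-"))
    encrypted = bytearray(os.urandom(8192))          # stands in for AES output
    encrypted[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] = MARKER
    (root / "report.xlsx.dodoc").write_bytes(bytes(encrypted))
    (root / "notes.txt.dodoc").write_bytes(b"meeting notes\n" * 300)
    (root / "readme.txt").write_bytes(b"untouched file\n")
    return str(root)


if __name__ == "__main__":
    for hit in scan(build_sample_tree()):
        print(f"{hit['verdict']:<13} marker={hit['marker']!s:<5} "
              f"H={hit['entropy']:.2f}  {hit['original']}  ({hit['path']})")
```

Point scan() at a copied user-data tree rather than the live system drive, and treat "renamed-only" hits as worth a second look: a low-entropy file with the suffix but no marker is either an interrupted encryption run or something other than dodoc output, and in either case the original content may still be intact.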

  • Broader Impact:
    • Over 1.7 TB of data from European automotive suppliers was exfiltrated in the May-2024 wave, leading to GDPR fines.
    • Several hospitals in Germany lost PACS imaging systems for more than 48 hours because their backups were mounted writable and were encrypted along with production; a cautionary tale for keeping backups offline and testing restore procedures in isolation.
    • The negotiation chronology mirrors the Conti playbook: partial-payment demand > sample leak > full dump. Assume data theft has occurred even if the ransom is paid.


Stay vigilant, patch immediately, and never trust the attacker’s promise.