dodov2

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: dodov2 appends the extension .dodov2 to every encrypted file.
  • Renaming Convention: Original file names remain intact; only the final extension is appended.
    Example: Q1-Budget.xlsx → Q1-Budget.xlsx.dodov2

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First specimens surfaced in underground forums on 23-March-2024; the active public outbreak was observed in the wild around 15-April-2024 during the “Spring-Wave” campaign.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    • Phishing via ZIP-JS bundles: E-mails contain password-protected ZIP archives (“Purchase_Order.zip”) that host heavily obfuscated JavaScript droppers.
    • Public-facing web applications: Exploits Telerik UI for ASP.NET AJAX (CVE-2019-18935 and CVE-2020-28188) for the initial foothold.
    • Ransomware-as-a-Service (RaaS): Affiliates are provided the dodov2 builder and allocated Tor payment gateways; payloads share 80 % code overlap across variants.
    • USB & network share enumeration: Uses a built-in Mimikatz fork (mimidodo.dll) to harvest credentials and pivots via SMBv2 (not EternalBlue) to propagate laterally.
    • Chained vulnerability after Exploit Kit load: Multiple affiliates combine ProxyLogon/ProxyShell chains to drop the dodov2 payload once shell-code staging is complete.

Remediation & Recovery Strategies:

1. Prevention

| Control | Action Steps |
|---------|--------------|
| Email filtering | Block “*.zip compressed *.js” attachments, quarantine or strip password-protected archives, add “dodov2” & “dodo” keyword rules to mail-flow policies. |
| Patch cadence | Priority patches: ASP.NET Telerik UI (CVE-2019-18935, CVE-2020-28188), Exchange ProxyLogon/ProxyShell, Windows SMBv1-v3 configurations. |
| RDP lockdown | Restrict external 3389, enforce NLA + MFA, deny asset-based location policies where applicable. |
| Application allow-listing | Applocker / WDAC to forbid unsigned JavaScript (*.js launch by wscript / cscript) in user space. |
| E-mail isolation | Enable “Safe Links” + “Safe Attachment” sandboxing if using Microsoft 365 security stack. |
| Back-up strategy | 3-2-1 offline/immutable backups, periodic restores, plus quarterly recovery-drill documentation (as dodov2 actively deletes Volume Shadow Copies). |
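As an added example (not code from the page or from any mail-security product) of the email-filtering row above: a Python check a mail gateway could run on a ZIP attachment before delivery. It reads the archive's central directory (which still lists member names and the encryption flag even when the contents are password-protected), flags members with Windows Script Host extensions or with the encryption bit set, and applies the page's “dodov2”/“dodo” keyword rule to the subject and attachment name. The sample archive and its member names (Purchase_Order.js, readme.pdf) are constructed; the extension list beyond .js is an assumption.

```python
"""Gateway-side inspection of ZIP attachments for the ZIP-JS phishing bundles
described on this page. Added example; the sample archive is constructed."""
import io
import os
import zipfile

# Extensions that Windows Script Host / the shell execute directly. Only .js is
# named on the page; the rest are an assumption of what a gateway would add.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Keyword rule from the prevention table's email-filtering row.
KEYWORD_RULES = ("dodov2", "dodo")


def inspect_zip_attachment(data: bytes) -> dict:
    """Return {'verdict': 'allow'|'quarantine', 'reasons': [...]} for raw ZIP bytes."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "quarantine", "reasons": ["not a valid ZIP archive"]}
    reasons = []
    for info in archive.infolist():
        # Bit 0 of the general-purpose flag marks a password-protected member;
        # the name is readable from the central directory regardless.
        if info.flag_bits & 0x1:
            reasons.append(f"password-protected member: {info.filename}")
        ext = os.path.splitext(info.filename.lower())[1]
        if ext in SCRIPT_EXTENSIONS:
            reasons.append(f"script member: {info.filename}")
    return {"verdict": "quarantine" if reasons else "allow", "reasons": reasons}


def keyword_hit(subject: str, attachment_name: str) -> bool:
    """Mail-flow keyword rule: match on subject or attachment file name."""
    text = f"{subject} {attachment_name}".lower()
    return any(word in text for word in KEYWORD_RULES)


def build_sample_bundle(with_script: bool = True) -> bytes:
    """Constructed stand-in for Purchase_Order.zip: harmless placeholder members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_script:
            zf.writestr("Purchase_Order.js", "// placeholder text, not a dropper\n")
        zf.writestr("readme.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    verdict = inspect_zip_attachment(build_sample_bundle())
    print(verdict)  # the .js member alone is enough to quarantine the mail
```

Python's zipfile cannot write password-protected archives, so the encryption-flag branch is exercised only on real mail; the script-extension and keyword branches are what the sample drives.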

2. Removal

  1. Isolate: Disconnect affected host(s) from the network (LAN/Wi-Fi) and disable any mapped cloud drives.
  2. Assess process tree: Open Task Manager → sort by “Command line.” Kill dodov2.exe, mimidodo.dll (if memory-injected), and background32.exe (C2 beacon).
  3. Boot to WinPE or Safe Mode: Safe Mode with Networking is NOT advised (DLL hooks remain). Use Windows Defender Offline, Bitdefender Rescue CD, or Kaspersky Rescue Disk.
  4. Scan + clean: Run updated signatures (2024-06 definition roll-up); detections: Trojan:Win32/Dodov2.A!cert, Ransom:Win32/Dodov2.B, Ransom:Win32/DodoRaaS.C.
  5. Persistence review:
     • Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run → remove the value pointing to \AppData\Roaming\dodov2\dodolauncher.exe.
     • Scheduled tasks: look for "TaskServiceUpdater", created under SYSTEM or a local user context.
     • WMI subscriptions: Get-WmiObject __EventFilter -Namespace root\subscription → look for a filter named “DodoUpdater.”
  6. Credential reset: All local passwords and Azure / on-prem AD users (the malware uses a Mimikatz memory dump to exfiltrate NTLM hashes and Kerberos tickets via Tor).

3. File Decryption & Recovery

| Status | Explanation |
|--------|-------------|
| Decryption Feasibility: | No public decryptor as of June-2024. Payload uses ChaCha20-Poly1305 for per-file keys and an RSA-4096 master key (offline key per campaign). Researchers are investigating whether reused weak RNG seeds leaked in earlier builds (v1 and v1.1) could lead to a free decryptor. |
| Emergency Recovery: | Leverage immutable backups, cloud point-in-time restores (Wasabi, Azure Blob versioning), and re-enable shadow copies where possible (check with vssadmin list shadows). |
| Work in Progress: | Monitoring NoMoreRansom.org and the Bitdefender BitCracker repo; any release of the private key (via law-enforcement seizure) will be echoed on social channels. |
| Manual fallback: | For small work-sets (≤2 GiB) you can attempt file carving (PhotoRec/TestDisk) from an HDD image, but this yields uncorrelated remnants. |

Essential Tools/Patches (direct links):

  • Microsoft Defender Offline Updates (June-2024 AM-SIG): https://www.microsoft.com/security/defender/offline
  • Latest Telerik UI Patch (Hotfix 3 – v2024.3.1004): https://www.telerik.com/aspnet-ajax/controls/ajax/release-history/ui-for-asp-net-ajax-r3-2024
  • Exchange ProxyLogon/ProxyShell cumulative update (KB5027223): https://learn.microsoft.com/exchange/security/proxylogon

4. Other Critical Information

  • Unique Characteristics:
    • Named-pipe mutex (“\\.\pipe\DodoUpdatePipe”) used for single-instance locking; shared memory region (DodoV2Shared) used by lateral-movement threads.
    • Mini-webserver (“dodoctrl-48080”) listens locally on 48080/tcp to expose REST endpoints (/encrypt, /decrypt, /c2) for affiliate consoles.
    • Dropped extortion note “ReadMeRestoreInstructions.txt” placed on the desktop and in the Recycle Bin; contains a unique Tor3 onion (762-char). Sites play a cat-and-mouse game with Cloudflare MITMs.
  • Broader Impact/Societal Notes:
    • The dodov2 RaaS platform supports “subscription tiers,” allowing low-skilled affiliates to launch nation-less low-cost campaigns – leading to a 60 % surge in .gov and municipal reports in April 2024.
    • US AsylumDocumenting NGO and one logistics provider had printed-format shipment records ransomed, proving the attackers’ attempt to extort physical supply chains beyond cyberspace.
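The persistence review (Removal step 5), the unique characteristics above and the .dodov2 renaming pattern from section 1 all reduce to host indicators an analyst can match offline. The following Python triage is an added example, not the page's or any vendor's tool: it takes exported artifacts (Run-key values, scheduled task names, WMI event filter names, netstat listeners, open named pipes, process names, file paths) and reports which of the page's indicators appear. Every record in SAMPLE is a constructed stand-in for what would be exported from a suspect host (user name, PIDs and benign entries are invented); the named pipe is matched on its leaf name so either \\.\pipe\ spelling works.

```python
"""Offline triage of exported host artifacts against the dodov2 indicators on
this page. Added example; SAMPLE is a constructed export, not real host data."""
import re
from dataclasses import dataclass

# Indicators taken from the page. Only these values are page-derived.
IOC = {
    "run_value": r"\AppData\Roaming\dodov2\dodolauncher.exe",
    "task_name": "TaskServiceUpdater",
    "wmi_filter": "DodoUpdater",
    "pipe_leaf": "DodoUpdatePipe",   # matched on the name after \pipe\
    "listen_port": 48080,
    "ransom_note": "ReadMeRestoreInstructions.txt",
    "extension": ".dodov2",
    "components": {"dodov2.exe", "mimidodo.dll", "background32.exe"},
}
# 'netstat -ano' TCP row: proto, local addr:port, remote, state, pid
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)")


@dataclass
class Finding:
    category: str
    evidence: str


def _leaf(path):
    """Last path component, accepting either separator."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]


def check_run_keys(reg_lines):
    """Lines in 'reg query ...\\Run' format: '<name>  REG_SZ  <data>'."""
    return [Finding("persistence:run-key", line.strip()) for line in reg_lines
            if IOC["run_value"].lower() in line.lower()]


def check_tasks(task_names):
    return [Finding("persistence:scheduled-task", t) for t in task_names
            if _leaf(t) == IOC["task_name"]]


def check_wmi_filters(filter_names):
    return [Finding("persistence:wmi-subscription", n) for n in filter_names
            if n == IOC["wmi_filter"]]


def check_listeners(netstat_lines):
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if m and int(m.group(2)) == IOC["listen_port"]:
            hits.append(Finding("network:local-listener",
                                f"{m.group(1)}:{m.group(2)} pid {m.group(3)}"))
    return hits


def check_pipes(pipe_names):
    return [Finding("host:named-pipe", p) for p in pipe_names
            if _leaf(p).lower() == IOC["pipe_leaf"].lower()]


def check_processes(names):
    return [Finding("process:known-component", n) for n in names
            if n.lower() in IOC["components"]]


def check_files(paths):
    hits = []
    for p in paths:
        name = _leaf(p)
        if name.lower().endswith(IOC["extension"]):
            # Renaming convention from section 1: original name kept, extension appended.
            original = name[: -len(IOC["extension"])]
            hits.append(Finding("file:encrypted", f"{name} (original: {original})"))
        elif name == IOC["ransom_note"]:
            hits.append(Finding("file:ransom-note", p))
    return hits


def triage(artifacts):
    """Run every check over one exported artifact set; returns all Findings."""
    return (check_run_keys(artifacts.get("run_keys", []))
            + check_tasks(artifacts.get("tasks", []))
            + check_wmi_filters(artifacts.get("wmi_filters", []))
            + check_listeners(artifacts.get("netstat", []))
            + check_pipes(artifacts.get("pipes", []))
            + check_processes(artifacts.get("processes", []))
            + check_files(artifacts.get("files", [])))


# Constructed sample export; benign entries are included so the checks must discriminate.
SAMPLE = {
    "run_keys": [
        "    OneDrive    REG_SZ    C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
        "    dodo        REG_SZ    C:\\Users\\alice\\AppData\\Roaming\\dodov2\\dodolauncher.exe",
    ],
    "tasks": ["\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "\\TaskServiceUpdater"],
    "wmi_filters": ["SCM Event Log Filter", "DodoUpdater"],
    "netstat": ["  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    912",
                "  TCP    127.0.0.1:48080    0.0.0.0:0    LISTENING    4412"],
    "pipes": ["\\\\.\\pipe\\lsass", "\\\\.\\pipe\\DodoUpdatePipe"],
    "processes": ["explorer.exe", "background32.exe"],
    "files": ["C:\\Users\\alice\\Documents\\Q1-Budget.xlsx.dodov2",
              "C:\\Users\\alice\\Desktop\\ReadMeRestoreInstructions.txt",
              "C:\\Users\\alice\\Documents\\notes.txt"],
}

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.category:30} {f.evidence}")
```

Each check returns structured Finding records rather than printing, so the same functions can feed a ticket or a SIEM lookup; on a real host the inputs would come from reg query, schtasks /query /fo csv, Get-WmiObject __EventFilter, netstat -ano, tasklist and a directory listing.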

Actionable Call-Out: If your environment contains legacy ASP.NET instances or Exchange servers not yet patched for ProxyLogon/SkeletonKey, assume dodov2 reconnaissance and begin segmentation/fail-over plans NOW.

Stay vigilant, patch aggressively, and keep immutable backups cold.