GodDamn Ransomware: Latest Beast Rebrand Uses Malicious Driver to Disable Defenses

GodDamn Ransomware: Latest Beast Rebrand Uses Malicious Driver to Disable Defenses
Symantec’s analysis shows that GodDamn is the latest rebrand of Beast, which traces back to Monster and is associated with the developer Hyadina. The attack used AnyDesk, a NirSoft credential-harvesting toolkit, PsExec, and the PoisonX driver to disable defenses and deploy the ransomware across multiple hosts. #GodDamn #Beast #Monster #Hyadina #AnyDesk #PsExec #PoisonX

Keypoints

  • GodDamn ransomware is assessed as a rebrand of Beast, which itself evolved from Monster first seen in 2022.
  • Symantec tracks the developer behind these ransomware families as Hyadina.
  • The intrusion began with AnyDesk and included a NirSoft-based credential-harvesting toolkit with multiple password recovery tools.
  • Attackers used a fake Symantec-labeled defense evasion tool and the PoisonX kernel driver to disable endpoint defenses.
  • PsExec was used for lateral movement, reconnaissance, and remote command execution across the enterprise network.
  • AnyDesk was configured for unattended access, persistence, and repeated deployment on at least 10 hosts.
  • Encrypted files were sometimes renamed with the victim organization’s name as the extension, which was unusual.

MITRE Techniques

  • [T1219 ] Remote Access Software – AnyDesk was used to obtain and maintain interactive remote control on compromised hosts (‘AnyDesk appeared on Computer 1’ and later was configured for unattended access).
  • [T1003 ] OS Credential Dumping – A NirSoft-based toolkit and Mimikatz were staged to collect stored credentials from browsers, Windows Credential Manager, Wi-Fi profiles, and other sources (‘the toolkit comprised 14 tools’ and included Mimikatz).
  • [T1021.002 ] SMB/Windows Admin Shares – Attackers mounted an administrative share on another host using stolen credentials (‘net use \192.168.0[.]25c$ /user:[REMOVED] [REMOVED]’).
  • [T1021.002 ] SMB/Windows Admin Shares – PsExec was used to push commands to remote targets through the service-based execution chain (‘all malicious commands during this phase shared a process lineage running through psexesvc.exe’).
  • [T1082 ] System Information Discovery – Basic system discovery was performed with commands like ipconfig and tasklist (‘The session opened with basic network and process reconnaissance’).
  • [T1562.001 ] Disable or Modify Tools – Windows Defender real-time monitoring was disabled (‘Set-MpPreference -DisableRealtimeMonitoring $true’).
  • [T1068 ] Exploitation for Privilege Escalation – PoisonX was used in a BYOVD-style attack to disable security software at the kernel level by abusing a signed driver (‘use a vulnerability in a legitimate driver’ and ‘It can terminate security-product processes’).
  • [T1543.003 ] Windows Service – AnyDesk was registered as auto-start Windows services for persistence (‘sc create AnyDeskService’ and ‘sc create AnyDesk_D’).
  • [T1053.005 ] Scheduled Task/Job: Scheduled Task – No explicit scheduled task was shown; omitted.
  • [T1202 ] Indirect Command Execution – PowerShell and cmd were used to launch tooling and run commands (‘cmd /c “start /b D:symantec.exe”’ and multiple PowerShell commands).
  • [T1105 ] Ingress Tool Transfer – The attackers staged multiple tools and scripts on the victim systems, including the credential toolkit and install_ad.ps1 (‘staged in the user Music folder’ and ‘pre-staged on the system drive’).
  • [T1070.004 ] File Deletion – The attackers terminated AnyDesk and rebooted the machine to complete deployment and reduce visibility (‘taskkill /f /im anydesk.exe’ and ‘shutdown -r -t 0’).

Indicators of Compromise

  • [IP addresses] AnyDesk relay connections observed from the first host – 15.235.230[.]188, 185.229.191[.]39, and other relay IPs
  • [File paths] Staging and execution locations for payloads – csidl_profilemusicanydesk.exe, csidl_profilemusicsymantec.exe, and csidl_profiledownloadsencrypter-windows-gui-x86.exe
  • [File hashes] Malware and tool samples linked to the campaign – 2d91a78e739891c9854c254f5b2a6b84c0e167dfa253466cbccd2cdd1c20145d, b29f91a440527fb621d106a2048f6379fff3263c60aeda9c82ff8c1d5ae880a8, and other 15 hashes
  • [File names] Deployed tools and ransomware binaries – anydesk.exe, g11.sys, and encrypter-windows-gui-x86.exe
  • [Service names] Persistence mechanisms created for remote access – AnyDeskService and AnyDesk_D
  • [Process/command artifacts] Lateral movement and defense evasion commands – psexesvc.exe, Set-MpPreference -DisableRealtimeMonitoring $true, and net use 192.168.0[.]25c$


Read more: https://www.security.com/threat-intelligence/goddamn-ransomware-beast-rebrand