Symantec’s analysis shows that GodDamn is the latest rebrand of Beast, which traces back to Monster and is associated with the developer Hyadina. The attack used AnyDesk, a NirSoft credential-harvesting toolkit, PsExec, and the PoisonX driver to disable defenses and deploy the ransomware across multiple hosts. #GodDamn #Beast #Monster #Hyadina #AnyDesk #PsExec #PoisonX
Keypoints
- GodDamn ransomware is assessed as a rebrand of Beast, which itself evolved from Monster first seen in 2022.
- Symantec tracks the developer behind these ransomware families as Hyadina.
- The intrusion began with AnyDesk and included a NirSoft-based credential-harvesting toolkit with multiple password recovery tools.
- Attackers used a fake Symantec-labeled defense evasion tool and the PoisonX kernel driver to disable endpoint defenses.
- PsExec was used for lateral movement, reconnaissance, and remote command execution across the enterprise network.
- AnyDesk was configured for unattended access, persistence, and repeated deployment on at least 10 hosts.
- Encrypted files were sometimes renamed with the victim organization’s name as the extension, which was unusual.
MITRE Techniques
- [T1219 ] Remote Access Software – AnyDesk was used to obtain and maintain interactive remote control on compromised hosts (‘AnyDesk appeared on Computer 1’ and later was configured for unattended access).
- [T1003 ] OS Credential Dumping – A NirSoft-based toolkit and Mimikatz were staged to collect stored credentials from browsers, Windows Credential Manager, Wi-Fi profiles, and other sources (‘the toolkit comprised 14 tools’ and included Mimikatz).
- [T1021.002 ] SMB/Windows Admin Shares – Attackers mounted an administrative share on another host using stolen credentials (‘net use \192.168.0[.]25c$ /user:[REMOVED] [REMOVED]’).
- [T1021.002 ] SMB/Windows Admin Shares – PsExec was used to push commands to remote targets through the service-based execution chain (‘all malicious commands during this phase shared a process lineage running through psexesvc.exe’).
- [T1082 ] System Information Discovery – Basic system discovery was performed with commands like ipconfig and tasklist (‘The session opened with basic network and process reconnaissance’).
- [T1562.001 ] Disable or Modify Tools – Windows Defender real-time monitoring was disabled (‘Set-MpPreference -DisableRealtimeMonitoring $true’).
- [T1068 ] Exploitation for Privilege Escalation – PoisonX was used in a BYOVD-style attack to disable security software at the kernel level by abusing a signed driver (‘use a vulnerability in a legitimate driver’ and ‘It can terminate security-product processes’).
- [T1543.003 ] Windows Service – AnyDesk was registered as auto-start Windows services for persistence (‘sc create AnyDeskService’ and ‘sc create AnyDesk_D’).
- [T1053.005 ] Scheduled Task/Job: Scheduled Task – No explicit scheduled task was shown; omitted.
- [T1202 ] Indirect Command Execution – PowerShell and cmd were used to launch tooling and run commands (‘cmd /c “start /b D:symantec.exe”’ and multiple PowerShell commands).
- [T1105 ] Ingress Tool Transfer – The attackers staged multiple tools and scripts on the victim systems, including the credential toolkit and install_ad.ps1 (‘staged in the user Music folder’ and ‘pre-staged on the system drive’).
- [T1070.004 ] File Deletion – The attackers terminated AnyDesk and rebooted the machine to complete deployment and reduce visibility (‘taskkill /f /im anydesk.exe’ and ‘shutdown -r -t 0’).
Indicators of Compromise
- [IP addresses] AnyDesk relay connections observed from the first host – 15.235.230[.]188, 185.229.191[.]39, and other relay IPs
- [File paths] Staging and execution locations for payloads – csidl_profilemusicanydesk.exe, csidl_profilemusicsymantec.exe, and csidl_profiledownloadsencrypter-windows-gui-x86.exe
- [File hashes] Malware and tool samples linked to the campaign – 2d91a78e739891c9854c254f5b2a6b84c0e167dfa253466cbccd2cdd1c20145d, b29f91a440527fb621d106a2048f6379fff3263c60aeda9c82ff8c1d5ae880a8, and other 15 hashes
- [File names] Deployed tools and ransomware binaries – anydesk.exe, g11.sys, and encrypter-windows-gui-x86.exe
- [Service names] Persistence mechanisms created for remote access – AnyDeskService and AnyDesk_D
- [Process/command artifacts] Lateral movement and defense evasion commands – psexesvc.exe, Set-MpPreference -DisableRealtimeMonitoring $true, and net use 192.168.0[.]25c$
Read more: https://www.security.com/threat-intelligence/goddamn-ransomware-beast-rebrand