CyberSecurity SEE

Ransomware Attack Leverages PsExec for Lateral Movement and NirSoft Toolkit for Credential Theft

Ransomware Attack Leverages PsExec for Lateral Movement and NirSoft Toolkit for Credential Theft

Analysis of the GodDamn Ransomware Incident

Recently, a targeted attack attributed to the GodDamn ransomware has come to light, showcasing a notable evolution in cybersecurity threats. Although the payload itself is not entirely new, it represents the latest rebranding of a long-established family of malware. This specific incident has led cybersecurity experts to realize that there is significant code overlap with another well-known ransomware, Beast, which is recognized as a 2024 rebranding of an earlier strain known as Monster. Additionally, the operational strategies used in this latest attack closely resemble campaigns previously conducted by the same group known as Hyadina.

Tactical Approach of the Attack

The attack, which occurred between late May and early June 2026, began with the execution of AnyDesk from a suspicious location—specifically, a user’s Music folder. This suggests that the deployment was carried out manually by an operator who had gained prior access to the targeted system. The AnyDesk client was configured for unattended access, employing methods that suppressed user consent prompts and ensured persistence across system reboots.

This sophisticated approach allowed attackers to maintain interactive control of the system while minimizing behaviors that could raise alarms. By utilizing such stealth mechanisms, the attackers could remain under the radar, enhancing their chances of executing a successful infiltration.

Credential Harvesting Techniques

The systematic collection of credentials is another notable aspect of the attack. Investigative teams uncovered a carefully staged toolkit that was located under a user profile, featuring Mimikatz alongside fourteen different NirSoft utilities, including WebBrowserPassView, ChromePass, and several others designed to capture password data across various platforms. This extensive arsenal enabled attackers to target browsers, email clients, and even Windows Credential Manager, facilitating rapid credential harvesting.

Additionally, tools like Netscan were utilized for host discovery, which allowed the attackers to execute lateral movement within the network. This capability is crucial for executing additional attacks or compromising more systems once initial access has been gained.

The Symantec Threat Hunter Team has been tracking the developer behind these families of ransomware, pinpointing them to Hyadina. The group first documented the Monster strain in 2022, and detailed indicators from that time provide a clear link to the current activity being observed.

Lateral Movement and Initial Reconnaissance

The methodology employed during the lateral movement phase involved PsExec, with all malicious commands traced back to key Windows processes such as psexesvc.exe, services.exe, and wininit.exe. This confirms that the attack utilized a PsExec-based distribution model, thereby amplifying the scale of the operation.

During their initial reconnaissance, the attackers executed commands like ipconfig and tasklist to gather information, while also mounting administrative shares through the use of harvested credentials. The installation of AnyDesk on compromised hosts further exemplifies the attackers’ intentions to establish a robust remote-access network.

Kernel-Level Defense Evasion

A particularly alarming feature of this operation was the deployment of a kernel-level defense evasion tactic. Operators used a technique that involved impersonating a legitimate Symantec binary, which allowed them to deploy a signed kernel driver known as PoisonX into the system’s driver store. This malicious driver carries a signature that appears legitimate and is attributed to the “Microsoft Windows Hardware Compatibility Publisher,” thereby enabling it to disable key security processes and eliminate user-mode hooks.

The use of such a sophisticated driver grants attackers extraordinary capabilities to bypass endpoint defenses. While traditional attacks typically exploit vulnerable drivers, PoisonX stands out due to its ability to masquerade as a legitimate driver, creating a significant threat to organizational infrastructure.

The Encryption Phase

After gathering credentials and neutralizing defenses—such as programmatically disabling the real-time monitoring of Windows Defender—the operators allowed a dwell time prior to initiating encryption. The samples of GodDamn ransomware revealed in user profile directories mostly encrypted files with a .God8Damn extension. In certain cases investigated by Symantec, the attackers opted to use the victim organization’s name as an extension, a strategy that may prove beneficial for attribution in future incidents.

The timeline and the toolkit employed align closely with Hyadina’s historical patterns of operation, including their evolution from Monster in 2022, to Beast in 2024, and now to GodDamn. The persistent use of NirSoft utilities for credential gathering, AnyDesk for remote access, and the methodical refinement of encryption techniques serve as a reminder that cybersecurity threats are evolving and require vigilant responses.

Conclusion

This incident underscores the need for improved cybersecurity protocols and a deeper understanding of emerging threats. Organizations must reevaluate their defenses to address the new tactics being employed by ransomware operators like Hyadina. As demonstrated by the GodDamn ransomware attack, proactive measures, continuous monitoring, and immediate response strategies are crucial to mitigating risks and safeguarding sensitive data.

Source link

Exit mobile version