GodDamn Ransomware Uses PoisonX Driver to Disable Endpoint Defenses
The GodDamn ransomware, attributed to the Hyadina group, utilizes the PoisonX kernel driver to bypass endpoint security through a Bring Your Own Vulnerable Driver (BYOVD) attack. PoisonX is notable for possessing a valid Microsoft signature, allowing it to load automatically in Windows kernel mode without triggering standard integrity checks. The attack chain involves credential harvesting via NirSoft tools, lateral movement using PsExec, and persistent remote access established through auto-sta
Analysis
TL;DR
- The GodDamn ransomware, attributed to the Hyadina group, utilizes the PoisonX kernel driver to bypass endpoint security through a Bring Your Own Vulnerable Driver (BYOVD) attack.
- PoisonX is notable for possessing a valid Microsoft signature, allowing it to load automatically in Windows kernel mode without triggering standard integrity checks.
- The attack chain involves credential harvesting via NirSoft tools, lateral movement using PsExec, and persistent remote access established through auto-starting AnyDesk services.
- GodDamn represents an evolution of previous Hyadina ransomware families (Monster and Beast), demonstrating escalating sophistication in defense evasion techniques.
Why It Matters
This incident highlights the critical vulnerability of relying solely on code signing for driver integrity, as attackers can exploit legitimate signatures to load malicious kernel components. For security practitioners, it underscores the necessity of implementing advanced behavioral monitoring and driver allow-listing to detect unauthorized kernel activities, rather than depending exclusively on signature verification.
Technical Details
- PoisonX Driver: A malicious kernel driver signed by Microsoft, used to disable Antivirus (AV) and Endpoint Detection and Response (EDR) processes, strip their permissions, or blind them by tampering with kernel internal records.
- Defense Evasion Strategy: The attackers employ a BYOVD approach, leveraging the valid digital signature of PoisonX to ensure automatic loading by the Windows operating system upon gaining administrator privileges.
- Initial Access and Persistence: The intrusion involves credential theft from browsers, Windows Credential Manager, and network traffic, followed by lateral movement via PsExec and the installation of AnyDesk as a persistent auto-start service.
- Ransomware Specifics: File encryption uses the victim's name as the file extension in some variants, differing from the standard ".God8Damn" extension, and the ransom note directs communication via email or the qTox encrypted messaging app.
Industry Insight
Organizations must adopt a zero-trust architecture for kernel-level operations, specifically enforcing strict driver allow-listing and monitoring for unsigned or anomalous kernel module loads. Security teams should prioritize detecting behavioral indicators of compromise related to BYOVD attacks, such as sudden termination of security processes or unexpected changes in kernel object permissions, rather than focusing solely on file reputation.
Disclaimer: The above content is generated by AI and is for reference only.