AI Security AI安全 1d ago Updated 1d ago 更新于 1天前 46

GodDamn Ransomware Uses PoisonX Driver to Disable Endpoint Defenses GodDamn勒索软件使用PoisonX驱动程序禁用端点防御

The GodDamn ransomware, attributed to the Hyadina group, utilizes the PoisonX kernel driver to bypass endpoint security through a Bring Your Own Vulnerable Driver (BYOVD) attack. PoisonX is notable for possessing a valid Microsoft signature, allowing it to load automatically in Windows kernel mode without triggering standard integrity checks. The attack chain involves credential harvesting via NirSoft tools, lateral movement using PsExec, and persistent remote access established through auto-sta GodDamn勒索软件是Hyadina组织开发的Beast/Monster系列的重新品牌化版本,于2026年5月首次被发现。 攻击者利用经微软签名的恶意内核驱动PoisonX(g11.sys)执行BYOVD攻击,以禁用端点防御。 初始访问阶段结合AnyDesk远程控制和NirSoft凭证窃取工具,广泛提取浏览器、系统及服务器的敏感凭据。 横向移动通过PsExec实现,并在目标主机上部署伪装成服务的AnyDesk以实现持久化存活。 勒索信要求受害者通过电子邮件或qTox加密通讯应用联系攻击者,文件扩展名有时使用受害者姓名而非标准后缀。

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • The GodDamn ransomware, attributed to the Hyadina group, utilizes the PoisonX kernel driver to bypass endpoint security through a Bring Your Own Vulnerable Driver (BYOVD) attack.
  • PoisonX is notable for possessing a valid Microsoft signature, allowing it to load automatically in Windows kernel mode without triggering standard integrity checks.
  • The attack chain involves credential harvesting via NirSoft tools, lateral movement using PsExec, and persistent remote access established through auto-starting AnyDesk services.
  • GodDamn represents an evolution of previous Hyadina ransomware families (Monster and Beast), demonstrating escalating sophistication in defense evasion techniques.

Why It Matters

This incident highlights the critical vulnerability of relying solely on code signing for driver integrity, as attackers can exploit legitimate signatures to load malicious kernel components. For security practitioners, it underscores the necessity of implementing advanced behavioral monitoring and driver allow-listing to detect unauthorized kernel activities, rather than depending exclusively on signature verification.

Technical Details

  • PoisonX Driver: A malicious kernel driver signed by Microsoft, used to disable Antivirus (AV) and Endpoint Detection and Response (EDR) processes, strip their permissions, or blind them by tampering with kernel internal records.
  • Defense Evasion Strategy: The attackers employ a BYOVD approach, leveraging the valid digital signature of PoisonX to ensure automatic loading by the Windows operating system upon gaining administrator privileges.
  • Initial Access and Persistence: The intrusion involves credential theft from browsers, Windows Credential Manager, and network traffic, followed by lateral movement via PsExec and the installation of AnyDesk as a persistent auto-start service.
  • Ransomware Specifics: File encryption uses the victim's name as the file extension in some variants, differing from the standard ".God8Damn" extension, and the ransom note directs communication via email or the qTox encrypted messaging app.

Industry Insight

Organizations must adopt a zero-trust architecture for kernel-level operations, specifically enforcing strict driver allow-listing and monitoring for unsigned or anomalous kernel module loads. Security teams should prioritize detecting behavioral indicators of compromise related to BYOVD attacks, such as sudden termination of security processes or unexpected changes in kernel object permissions, rather than focusing solely on file reputation.

TL;DR

  • GodDamn勒索软件是Hyadina组织开发的Beast/Monster系列的重新品牌化版本,于2026年5月首次被发现。
  • 攻击者利用经微软签名的恶意内核驱动PoisonX(g11.sys)执行BYOVD攻击,以禁用端点防御。
  • 初始访问阶段结合AnyDesk远程控制和NirSoft凭证窃取工具,广泛提取浏览器、系统及服务器的敏感凭据。
  • 横向移动通过PsExec实现,并在目标主机上部署伪装成服务的AnyDesk以实现持久化存活。
  • 勒索信要求受害者通过电子邮件或qTox加密通讯应用联系攻击者,文件扩展名有时使用受害者姓名而非标准后缀。

为什么值得看

本文揭示了高级勒索软件团伙在防御规避技术上的最新演进,特别是利用合法签名驱动进行内核级攻击的趋势,这对理解当前企业端点安全的脆弱性至关重要。对于安全从业者而言,深入分析此类BYOVD攻击手法有助于优化检测规则,提升对内核层异常行为的监控能力。

技术解析

  • PoisonX驱动与BYOVD攻击:攻击者使用了名为PoisonX的恶意内核驱动(g11.sys),该驱动成功获得了微软的数字签名。通过Bring Your Own Vulnerable Driver (BYOVD) 技术,攻击者在获得管理员权限后加载此驱动,利用其漏洞绕过Windows的安全机制,从而禁用杀毒软件或EDR产品。
  • 凭证窃取与初始访问:在部署勒索软件前,攻击者使用基于NirSoft的工具收集敏感数据,包括Web浏览器数据、Windows凭据管理器、缓存域凭据、VNC会话、电子邮件客户端、Wi-Fi配置及实时网络流量。初始访问向量尚不明确,但已知利用了AnyDesk进行远程控制。
  • 持久化与横向移动策略:攻击者利用PsExec进行内网横向移动,随后在每个可达主机上安装AnyDesk并将其注册为自动启动的Windows服务,以确保重启后的持久化控制。部分场景中,AnyDesk的安装由预置在系统盘上的PowerShell脚本自动化完成。
  • 勒索行为特征:GodDamn勒索软件在感染后重命名文件,通常使用受害者姓名作为扩展名,但在某些案例中使用“.God8Damn”。攻击者通过勒索信指示受害者通过电子邮件或qTox加密消息应用进行沟通,体现了其运营的专业化和隐蔽性。

行业启示

  • 签名驱动信任机制面临挑战:攻击者能够获取微软签名的恶意驱动,表明现有的代码签名验证机制在应对高级持续性威胁时存在局限。企业需加强对内核驱动加载行为的实时监控,而不仅仅依赖签名有效性。
  • BYOVD成为主流攻击路径:利用合法但存在漏洞的驱动程序进行防御规避已成为勒索软件团伙的标准操作程序。安全团队应重点关注内核层的异常活动,如非预期驱动的加载或对安全进程的系统级干预。
  • 远程管理工具的滥用风险:AnyDesk等合法远程管理工具被广泛用于攻击者的横向移动和持久化。组织应严格管控此类工具的使用权限,实施应用白名单策略,并监测异常的配置更改和服务注册行为。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全