Medusa Ransomware Disables Anti-Malware Tools with Stolen Certificates

Cybercriminals are abusing custom-built and compromised kernel drivers to disable endpoint detection and response (EDR) tools, allowing malicious activity to run undetected. Elastic Security Labs (ESL) has identified a financially motivated campaign deploying MEDUSA ransomware that uses a loader paired with a driver, named AbyssWorker, signed with a revoked certificate. The driver, originating from a Chinese vendor, is built to neutralize EDR products.

According to ESL's investigation, shared with Hackread.com, the tactic blinds security tooling and lets the attackers operate freely on the host, increasing the success rate of their attacks.

Once installed on a victim machine, AbyssWorker systematically targets and silences a range of EDR products; it is the key component that lets the rest of the campaign proceed unhindered.

“This EDR-killer driver was recently reported by ConnectWise in another campaign, using a different certificate and IO control codes, at which time some of its capabilities were discussed. In 2022, Google Cloud Mandiant disclosed a malicious driver called POORTRY, which we believe is the earliest mention of this driver,” the researchers noted in the blog post.

The malicious driver is identified by the filename smuol.sys (a 64-bit Windows PE driver). It poses as a legitimate CrowdStrike Falcon driver, most likely so that it blends in with legitimate security components on the system. ESL identified several samples on VirusTotal dating from August 2024 to February 2025, all signed with revoked certificates belonging to various Chinese companies, including Foshan Gaoming Kedeyu Insulation Materials Co., Ltd and FEI XIAO, among others. These certificates, although widely used across other malware campaigns, are not specific to AbyssWorker.
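The combination described above (a driver that claims to be a CrowdStrike component, carries a revoked signature, and is signed by a company already seen on EDR-killer samples) is straightforward to flag from driver-load telemetry. The following triage script is an added example, not code from the article or from Elastic's release. The event field names are modelled on a Sysmon-style "driver loaded" record but are an assumption, the vendor-to-signer mapping is an illustrative assumption, and the sample events are constructed rather than real telemetry.

```python
"""Added example: triage driver-load records for the indicators described above.

Not part of the article or Elastic's release. Field names are modelled on a
Sysmon-style "driver loaded" event but are an assumption; the sample events
below are constructed, not real telemetry.
"""
from dataclasses import dataclass

# Signers the article reports on AbyssWorker samples (certificates now revoked).
KNOWN_ABUSED_SIGNERS = {
    "foshan gaoming kedeyu insulation materials co., ltd",
    "fei xiao",
}

# Vendor a driver claims to belong to -> substring expected in its signer.
# Assumption for the example; in production key this off the vendor's real
# certificate subject or thumbprint rather than a name substring.
VENDOR_SIGNER_EXPECTATION = {
    "crowdstrike": "crowdstrike",
    "microsoft": "microsoft",
}


@dataclass(frozen=True)
class DriverLoad:
    image: str             # path of the loaded driver
    company: str           # CompanyName from the file's version info
    signer: str            # subject of the Authenticode signing certificate
    signature_status: str  # "Valid", "Revoked", "Expired", "Unsigned", ...


def triage(event: DriverLoad) -> list[str]:
    """Return the reasons a driver load is suspicious (empty list = clean)."""
    findings = []
    status = event.signature_status.lower()
    signer = event.signer.lower()
    claimed = event.company.lower()

    # 1. A kernel driver whose signature no longer verifies. Revoked is the
    #    AbyssWorker case; Expired/Unsigned deserve a look for the same reason.
    if status != "valid":
        findings.append(f"signature status is {event.signature_status}")

    # 2. Certificates already seen on EDR-killer drivers.
    if signer in KNOWN_ABUSED_SIGNERS:
        findings.append(f"signed by known-abused signer '{event.signer}'")

    # 3. The file claims an EDR/OS vendor in its version info but was not
    #    signed by that vendor (smuol.sys poses as a CrowdStrike component).
    for vendor, expected in VENDOR_SIGNER_EXPECTATION.items():
        if vendor in claimed and expected not in signer:
            findings.append(f"claims {vendor} but signer is '{event.signer}'")
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    DriverLoad(r"C:\Windows\System32\drivers\smuol.sys", "CrowdStrike, Inc.",
               "Foshan Gaoming Kedeyu Insulation Materials Co., Ltd", "Revoked"),
    DriverLoad(r"C:\Windows\System32\drivers\ndis.sys", "Microsoft Corporation",
               "Microsoft Windows", "Valid"),
    DriverLoad(r"C:\Windows\System32\drivers\acme.sys", "Acme Software",
               "Acme Software Ltd", "Valid"),
]


def triage_all(events=SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Map each driver path to its findings; only flagged drivers are included."""
    return {e.image: f for e in events if (f := triage(e))}


if __name__ == "__main__":
    for image, reasons in triage_all().items():
        print(image)
        for reason in reasons:
            print("   -", reason)
```

Rule 1 on its own is the one that matters most: a kernel driver whose certificate has been revoked should not load at all under a default Windows policy once the revocation is known, so a load event with that status is worth an alert regardless of the signer. Rules 2 and 3 add context so an analyst can see at a glance why the alert matches this campaign.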

On initialization, AbyssWorker creates a device object and a symbolic link to it, and registers handlers for its major functions. A key defense-evasion step is stripping any existing handles to its client process from other processes, so that nothing else on the system can manipulate the client. It also registers callbacks that deny access to handles of its protected processes and threads.

The driver's core functionality lives in its DeviceIoControl handlers, which perform a range of operations selected by I/O control code. These operations include file manipulation, process and driver termination, and API loading. A password must be supplied before the driver's malicious capabilities are enabled. For file operations, AbyssWorker builds I/O Request Packets (IRPs) itself and sends them directly to the file system, bypassing the standard APIs that security products hook.

AbyssWorker can remove notification callbacks, replace driver major functions, detach mini-filter devices, terminate processes and threads, and restore hooked NTFS and PnP driver functions. Notably, it can force a system reboot via the undocumented HalReturnToFirmware function. Together these capabilities directly support MEDUSA ransomware's ability to run without interference from security software.

One obfuscation technique AbyssWorker uses is to scatter calls to "constant-returning functions" throughout the binary to complicate static analysis. Elastic was unimpressed: because such functions are trivial to identify, the researchers called it "an inefficient obfuscation scheme."
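To see why Elastic considers the scheme weak, it helps to look at how such stubs appear in a compiled binary: a function that just returns a constant is a handful of bytes, and every call to it can be folded back to that constant before analysis begins. The scanner below is an added example, not code from the article or from Elastic; the byte patterns are the usual x86-64 encodings of `return CONST` and are an assumption about how the stubs look in any given sample, and the code blob it runs over is constructed for the example.

```python
"""Added example: locate "constant-returning" stub functions and the calls
that can be folded to their value. Not code from the article or from Elastic;
the byte patterns are the usual x86-64 encodings of `return CONST` and are an
assumption about how such stubs appear, and SAMPLE_CODE is a constructed blob.
"""
import re
import struct

# mov eax, imm32 ; ret   -> returns imm32
# mov rax, imm32 ; ret   -> returns sign-extended imm32
# xor eax, eax ; ret     -> returns 0 (two common encodings of the xor)
STUB_PATTERNS = [
    (re.compile(rb"\xb8(.{4})\xc3", re.DOTALL),
     lambda m: struct.unpack("<I", m.group(1))[0]),
    (re.compile(rb"\x48\xc7\xc0(.{4})\xc3", re.DOTALL),
     lambda m: struct.unpack("<i", m.group(1))[0]),
    (re.compile(rb"[\x31\x33]\xc0\xc3"),
     lambda m: 0),
]
# Lookahead so overlapping E8 candidates are all examined.
CALL_REL32 = re.compile(rb"(?=\xe8(.{4}))", re.DOTALL)


def find_constant_stubs(code: bytes) -> dict[int, int]:
    """Map the offset of each stub function to the constant it returns."""
    stubs = {}
    for pattern, value_of in STUB_PATTERNS:
        for m in pattern.finditer(code):
            stubs[m.start()] = value_of(m)
    return stubs


def find_folded_calls(code: bytes) -> list[tuple[int, int, int]]:
    """(call offset, stub offset, constant) for every CALL rel32 into a stub.

    Byte scanning cannot tell code from data, so a raw E8 is only reported when
    its target is itself a recognised stub. That keeps false positives low, but
    a disassembler pass should confirm the hits before anything is patched.
    """
    stubs = find_constant_stubs(code)
    hits = []
    for m in CALL_REL32.finditer(code):
        rel = struct.unpack("<i", m.group(1))[0]
        target = m.start() + 5 + rel  # rel32 is relative to the next instruction
        if target in stubs:
            hits.append((m.start(), target, stubs[target]))
    return hits


# Constructed blob (not from any real sample): a caller, two stubs, int3 padding.
SAMPLE_CODE = bytes.fromhex("".join([
    "4883ec28",      # 0x00  sub rsp, 0x28
    "e817000000",    # 0x04  call +0x17  -> 0x20
    "4883c428",      # 0x09  add rsp, 0x28
    "c3",            # 0x0d  ret
    "cc" * 18,       # 0x0e  int3 padding up to 0x20
    "b807000000c3",  # 0x20  mov eax, 7 ; ret
    "cccc",          # 0x26  padding
    "31c0c3",        # 0x28  xor eax, eax ; ret
    "e8f8ffffff",    # 0x2b  call -8     -> 0x28
    "c3",            # 0x30  ret
]))


if __name__ == "__main__":
    for off, val in sorted(find_constant_stubs(SAMPLE_CODE).items()):
        print(f"stub at 0x{off:x} returns {val}")
    for call, target, val in find_folded_calls(SAMPLE_CODE):
        print(f"call at 0x{call:x} -> 0x{target:x} can be folded to {val}")
```

On a real sample, feed the bytes of the .text section and add the section's virtual address (plus the image base) to the reported offsets. The same pass is a few lines in an IDA or Ghidra script, where the disassembler also confirms that each hit is an instruction boundary rather than data that happens to contain these bytes.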

Nevertheless, AbyssWorker represents a significant threat and illustrates the growing sophistication of kernel-level malware designed to disable security infrastructure. ESL has published a client implementation example so that researchers can explore and experiment with the driver's functionality. To aid detection, Elastic Security has also released YARA rules, available in its GitHub repository, that security teams can use to identify AbyssWorker samples in their environments.

Thomas Richards, Principal Consultant and Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, commented on the development, stating,

The Medusa malware lives up to its name, finding new ways to infect hosts even after one method has been blocked. Using a batch file to disable system services is a short-term ploy, as it can be detected and blocked. Security teams should be on alert for any systems that have a time change and review end-user permissions to prevent the user from stopping the time service.
