Medusa Ransomware Unleashes Malicious Windows Driver ABYSSWORKER to Disable Security Tools
The Medusa ransomware campaign has been making headlines lately, and recent research by Elastic Security Labs reveals a shocking twist: the attackers are using a malicious Windows driver named ABYSSWORKER to disable security tools. This development makes detection and mitigation more challenging for security experts.
A Deadly Combo: HEARTCRYPT-packed Loader and Revoked Certificate-Signed Driver
The Medusa ransomware group has been using a combination of tactics, including a 64-bit Windows PE driver named smuol.sys, disguised as a CrowdStrike Falcon driver. This driver is protected by VMProtect and signed with a revoked Chinese certificate, making it difficult to detect and analyze. Elastic researchers found dozens of samples from August 2024 to February 2025, likely signed with stolen certificates.
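As an added illustration (not code from Elastic or the Security Affairs article), the script below triages Sysmon-style driver-load records for the traits described above: a driver file named smuol.sys, a signing certificate reported as revoked, a signer outside a site allowlist, and a load path outside the drivers directory. Field names follow Sysmon's Event ID 6 (DriverLoad); the allowlist, signer strings and all sample events are constructed assumptions.

```python
from typing import Dict, List

# Assumed site allowlist of signers expected on kernel drivers in this estate.
TRUSTED_SIGNERS = {"Microsoft Windows", "CrowdStrike, Inc."}
# Driver file name the article attributes to the ABYSSWORKER sample.
KNOWN_BAD_NAMES = {"smuol.sys"}
DRIVER_DIR = r"c:\windows\system32\drivers"


def parse_event(text: str) -> Dict[str, str]:
    """Turn 'Key: Value' lines (Sysmon's rendered form) into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")  # split on the first colon only
        fields[key.strip()] = value.strip()
    return fields


def triage(event: Dict[str, str]) -> List[str]:
    """Return the reasons a driver load looks suspicious (empty = benign)."""
    path = event.get("ImageLoaded", "")
    name = path.rsplit("\\", 1)[-1].lower()
    signer = event.get("Signature", "")
    status = event.get("SignatureStatus", "")
    reasons = []
    if name in KNOWN_BAD_NAMES:
        reasons.append("known ABYSSWORKER file name")
    if status.lower() != "valid":
        reasons.append(f"signature status {status or 'missing'}")
    if signer not in TRUSTED_SIGNERS:
        reasons.append(f"untrusted signer {signer!r}")
    if not path.lower().startswith(DRIVER_DIR):
        reasons.append("loaded from outside the drivers directory")
    return reasons


def scan(events: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious driver path to its triage reasons."""
    hits = {}
    for text in events:
        ev = parse_event(text)
        reasons = triage(ev)
        if reasons:
            hits[ev.get("ImageLoaded", "?")] = reasons
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    "ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys\nSignature: Microsoft Windows\nSignatureStatus: Valid",
    "ImageLoaded: C:\\Windows\\System32\\drivers\\csagent.sys\nSignature: CrowdStrike, Inc.\nSignatureStatus: Valid",
    "ImageLoaded: C:\\Users\\Public\\smuol.sys\nSignature: Example Tech Co., Ltd. (constructed)\nSignatureStatus: Revoked",
]

if __name__ == "__main__":
    for path, why in scan(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(why))
```

The revoked-certificate check matters because the article notes the driver is signed: a signature alone is not a trust decision, its status and signer are.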
The ABYSSWORKER Driver: A Game-Changer in Malware Evasion
The ABYSSWORKER driver is a sophisticated piece of malware that uses constant return values, opaque predicates, and derivation functions to evade static analysis. However, experts have found that only three such derivation functions exist, and none of them is actually used inside the predicates. This means the obfuscation attempt is ineffective and easily identifiable.
The driver loads kernel module pointers and sets up a client protection feature upon initialization. It then creates a device and a symbolic link before registering callbacks for its major functions. When the driver's device is opened, it adds the calling process's ID to a protection list and removes existing handles to that process. The driver also retrieves the client's process ID from the kernel thread and strips access rights from other processes by brute-force iteration over every possible PID.
The ABYSSWORKER driver processes device I/O control requests by dispatching them to handlers based on the control code. These handlers enable file manipulation, process termination, and driver removal, allowing the malware to disable EDR systems effectively.
A New Level of Obfuscation: Using IRPs to Manipulate Files
The ABYSSWORKER driver relies on a strategy that is not new but remains interesting. Instead of using a common API like NtCreateFile, it creates an I/O Request Packet (IRP) from scratch and sends it directly to the corresponding drive device containing the target file. This allows the malware to copy or delete files without relying on traditional APIs.
A Step Forward in Detection: Elastic's Client Implementation Example
Elastic has created a client implementation example that allows loading the driver's APIs, providing researchers with a valuable tool for analysis and detection. The team has also developed YARA rules to identify the threat, making it easier for security experts to stay ahead of this evolving malware campaign.