ChannelLife Canada - Industry insider news for technology resellers

Cybercriminals advance with MEDUSA ransomware campaign

Mon, 24th Mar 2025

Elastic Security Labs has identified a campaign deploying MEDUSA ransomware through a driver known as ABYSSWORKER, used to disable security systems on victim machines.

The ABYSSWORKER driver is part of an observed financially motivated campaign that leverages a HEARTCRYPT-packed loader. The loader is deployed together with ABYSSWORKER, a driver signed with a revoked certificate from a Chinese vendor which, once installed, targets and bypasses the products of various endpoint detection and response (EDR) vendors. ConnectWise previously reported this EDR-killer driver in a different campaign, where it carried a different certificate and different input/output control codes.

Elastic Security Labs has confirmed the association of this malware with a specific ransomware group, though it notes that similar tools are likely in use by several other groups. A significant aspect of this malware is its ability to appear as a trusted file to many security systems due to a signing process that may rely on stolen signing material from legitimate sources.

Elastic Security Labs explains: "The binary is a 64-bit Windows PE driver named smuol.sys, and imitates a legitimate CrowdStrike Falcon driver." Analysis indicates that samples were present on VirusTotal between 2024-08-08 and 2025-02-24, with various samples signed using likely stolen, revoked certificates from notable Chinese entities, which helps them pass security checks.
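The two traits described above, a driver file name borrowed from a legitimate vendor and a signature that no longer validates, can be triaged on a host with built-in tooling. The script below is an added example and is not code from the Elastic report; the only indicator it uses is the smuol.sys file name quoted in the article.

```powershell
# Added example: list loaded kernel drivers whose Authenticode signature is not
# valid, or whose file name matches the name reported in the article.
# Requires an elevated PowerShell session on Windows.
$suspectNames = @('smuol.sys')   # file name quoted from the article

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName }

foreach ($d in $drivers) {
    # Normalise the NT-style paths that Win32_SystemDriver sometimes returns.
    $path = $d.PathName -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $leaf   = (Split-Path -Leaf $path).ToLower()

    $reasons = @()
    # Anything other than Valid (NotSigned, NotTrusted, HashMismatch, ...) is worth a look;
    # a revoked signing certificate will not produce a Valid status here.
    if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
    if ($suspectNames -contains $leaf) { $reasons += 'file name matches reported driver name' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Driver  = $d.Name
            State   = $d.State
            Path    = $path
            Signer  = $signer
            Reasons = ($reasons -join '; ')
        }
    }
}
```

A hit on the name alone is not proof; compare the Signer column against the vendor the file name claims to belong to before escalating.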

On initialization the driver configures various kernel components and sets up a client protection feature. Specifically, it creates a device and a symbolic link and sets parameters to register key function callbacks.

"Cybercriminals are increasingly bringing their own drivers — either exploiting a vulnerable legitimate driver or using a custom-built driver to disable endpoint detection and response (EDR) systems and evade detection or prevention capabilities," stated Elastic Security Labs.

When the driver's device is opened, a major-function callback adds the client's process ID to a protection list and strips handles to that process held by other processes. It does this by brute force, iterating over process IDs and checking each handle.

The driver employs numerous handlers to execute commands such as file manipulation, process termination, and system rebooting. Among these, the DeviceIoControl handlers are particularly comprehensive in disabling EDR processes and threads, including ABYSSWORKER's ability to bypass IoCallDriver by constructing and sending IRPs manually.

The technical analysis further outlines the methods used for file manipulation, which create IRPs directly rather than calling common APIs, and showcases the driver's range of functionality, from enabling the malware to altering file attributes to evade deletion safeguards.

"Enabling the malware (0x222080) requires the client to input a password...this flag is checked in all other handlers to permit or deny execution," the press release clarifies.

ABYSSWORKER also removes notification callbacks, rendering EDR systems blind to the activities it facilitates. By interfering with callbacks registered through APIs like PsSetCreateProcessNotifyRoutine, it removes the hooks that would otherwise trigger security responses.

Although the press release does not cover every facet of ABYSSWORKER's operation, it points to in-depth resources such as the EDRSandblast and RealBlindingEDR projects for further study of the malware's mechanisms.

The findings by Elastic Security Labs, detailed in their latest release, underscore ongoing advancements in ransomware deployment tactics, highlighting a concerning escalation in cybercriminals' methods to circumvent established security protocols. The use of complex techniques to install malicious drivers such as ABYSSWORKER signifies a critical need for enhanced defence mechanisms in digital security strategies.
