Ethical Hacking News
In this latest development, ransomware experts are sounding the alarm about the growing threat landscape. A recent report by Elastic Security Labs reveals how Medusa Ransomware is using a malicious driver to disable anti-malware tools with stolen certificates. The attack mechanism is a clever blend of BYOVD and custom malware that leaves even the most well-equipped organizations on high alert. To stay ahead of these emerging threats, it's essential for businesses to up their cybersecurity game.
The Medusa ransomware operation is using a malicious driver called ABYSSWORKER to disable anti-malware tools. The attack chain delivers the encryptor via a loader packed with the packer-as-a-service HeartCrypt, alongside a driver signed with a revoked certificate from a Chinese vendor. The stolen signature lets the driver load and run without drawing the attention of security systems. ABYSSWORKER adds its client's process ID to a list of protected processes, listens for device I/O control requests, and dispatches them to the appropriate handlers. One of those handlers removes registered notification callbacks by module name, blinding security products.
Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates
In the realm of cybersecurity, few threats evoke as much fear and dread as ransomware. The Medusa ransomware operation is one such threat that has been making headlines in recent weeks, and its latest exploits have left experts reeling. According to a report from Elastic Security Labs, the threat actors behind this particular RaaS operation have been using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver (BYOVD) attack designed to disable anti-malware tools.
This sophisticated attack mechanism involves delivering the encryptor via a loader packed using a packer-as-a-service (PaaS) called HeartCrypt. The loader is deployed alongside a driver signed with a revoked certificate from a Chinese vendor; the driver is installed on the victim machine and then used to target and silence different EDR vendors. This driver, named "smuol.sys," mimics a legitimate CrowdStrike Falcon driver ("CSAgent.sys"), and samples of it have been present on the VirusTotal platform dating back to August 8, 2024.
The use of stolen certificates in this attack is particularly noteworthy, as it allows the malware to bypass security systems without attracting any attention. The fact that the malware is signed gives it a veneer of trust, making it all the more difficult for security software to detect. This clever tactic has already been employed by threat actors in the past, with devastating consequences.
Once initialized and launched, ABYSSWORKER adds the calling process's ID to a list of globally protected processes and listens for incoming device I/O control requests. Each request is dispatched to a handler based on its I/O control code. Among these codes are 0x222080 - Enable the driver by sending the password "7N6bCAoECbItsUR5-h4Rp2nkQxybfKb0F-wgbJGHGh20pWUuN1-ZxfXdiOYps6HTp0X", 0x2220c0 - Load necessary kernel APIs, and 0x222184 - Copy file. Together the codes cover a wide range of operations, from file manipulation to process termination.
What is particularly interesting about this attack mechanism is the use of 0x222400 - Remove notification callbacks by module name. This code can be used to blind security products by searching for and removing all registered notification callbacks, an approach also adopted by other EDR-killing tools such as EDRSandBlast and RealBlindingEDR.
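To read control codes like the four quoted above the way an analyst does, here is an added Python decoder (not code from the Elastic report or from the driver) that splits an IOCTL into the fields of the Windows CTL_CODE layout. The purpose strings are taken from this article; the vendor-defined flag applies the Windows convention that function numbers 0x800 and above are reserved for non-Microsoft drivers.

```python
# Decoder for Windows I/O control codes, applied to the ABYSSWORKER IOCTLs
# quoted in the article. Added example; not from the report or the driver.
# Field layout follows the CTL_CODE macro from the Windows driver kit:
#   DeviceType (bits 16-31) | RequiredAccess (bits 14-15) |
#   Function (bits 2-13)    | TransferMethod (bits 0-1)

FILE_DEVICE_UNKNOWN = 0x22
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

# Codes and purposes exactly as quoted in the article.
ABYSSWORKER_IOCTLS = {
    0x222080: "enable driver (password gated)",
    0x2220C0: "load kernel APIs",
    0x222184: "copy file",
    0x222400: "remove notification callbacks by module name",
}


def decode_ioctl(code: int) -> dict:
    """Split a 32-bit IOCTL into its CTL_CODE fields."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("IOCTL codes are 32-bit")
    function = (code >> 2) & 0xFFF
    return {
        "device_type": code >> 16,
        "access": ACCESS[(code >> 14) & 0x3],
        "function": function,
        "method": METHODS[code & 0x3],
        # Function numbers 0x800 and up are reserved for third-party
        # drivers, so they mark vendor-defined commands.
        "vendor_defined": function >= 0x800,
    }


def encode_ioctl(device_type: int, function: int, method: int = 0,
                 access: int = 0) -> int:
    """Inverse of decode_ioctl; mirrors CTL_CODE so results can be cross-checked."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def summarize(ioctls: dict = ABYSSWORKER_IOCTLS) -> list:
    """One row per code: (code, device type, function, method, purpose)."""
    rows = []
    for code, purpose in ioctls.items():
        f = decode_ioctl(code)
        rows.append((hex(code), hex(f["device_type"]), hex(f["function"]),
                     f["method"], purpose))
    return rows
```

Running `summarize()` shows that every quoted code targets device type 0x22 (FILE_DEVICE_UNKNOWN) with METHOD_BUFFERED and a vendor-range function number, which is what a rule author would key on when describing the driver's control interface.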
The findings from Elastic Security Labs follow a report from Venak Security about how threat actors are exploiting a legitimate-but-vulnerable kernel driver associated with Check Point's ZoneAlarm antivirus software as part of a BYOVD attack designed to gain elevated privilege and disable Windows security features like Memory Integrity. The privileged access was then abused by the threat actors to establish a Remote Desktop Protocol (RDP) connection to the infected systems, facilitating persistent access.
The development comes as the RansomHub (aka Greenbottle and Cyclops) ransomware operation has been attributed to the use of a previously undocumented multi-function backdoor codenamed Betruger by at least one of its affiliates. The implant comes with features typically associated with malware deployed as a precursor to ransomware, such as screenshotting, keylogging, network scanning, privilege escalation, credential dumping, and data exfiltration to a remote server.
In conclusion, the Medusa ransomware operation is a prime example of how threat actors are continuously evolving their tactics, techniques, and procedures (TTPs) to stay one step ahead of security software. The use of stolen certificates, BYOVD attacks, and sophisticated malware like ABYSSWORKER make for a formidable combination that leaves even the most well-equipped organizations on high alert.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Medusa-Ransomware-Menace-A-BYOVD-Attack-that-Outsmarts-Anti-Malware-and-Leaves-a-Trail-of-Digital-Devastation-ehn.shtml
https://thehackernews.com/2025/03/medusa-ransomware-uses-malicious-driver.html
https://undercodenews.com/medusa-ransomware-uses-malicious-abyssworker-driver-to-disable-security-tools/
https://cyberpress.org/500-million-proton-vpn-pass-accounts-exposed/
https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
Published: Fri Mar 21 10:45:52 2025 by llama3.2 3B Q4_K_M