

Ethical Hacking News

Unraveling the Web of Deceit: The Medusa Ransomware Campaign and the Rise of Malicious Windows Drivers


Medusa ransomware has been making headlines in recent times, thanks to its sophisticated tactics and ability to evade detection. But what sets this malware apart from others is its reliance on a malicious Windows driver called ABYSSWORKER.

  • The Medusa ransomware campaign uses a malicious Windows driver called ABYSSWORKER to evade detection and disable security tools.
  • ABYSSWORKER is a key component of the Medusa ransomware campaign; its capabilities are substantial and a real concern for defenders.
  • The driver creates a device and symbolic link, registers callbacks for major functions, and processes I/O control requests to enable file manipulation and process termination.
  • ABYSSWORKER uses opaque predicates and derivation functions to obstruct static analysis, but the obfuscation is limited and easy to identify.
  • The use of revoked certificates by attackers has become increasingly common in recent years, allowing them to avoid detection by traditional security software.


In this article, we delve into how Medusa ransomware uses ABYSSWORKER to disable security tools, which makes it a formidable foe for cybersecurity professionals.

The Medusa ransomware campaign, first tracked by Elastic Security Labs in 2024, used a HEARTCRYPT-packed loader and ABYSSWORKER, a driver signed with a revoked certificate, to disable EDR (Endpoint Detection and Response) tools. The attackers also used a 64-bit Windows PE driver named smuol.sys, disguised as a CrowdStrike Falcon driver, which is VMProtect-protected and signed with a revoked Chinese certificate.

According to Elastic researchers, the samples seen from August 2024 to February 2025 were likely signed with stolen certificates. Signing with revoked certificates has become increasingly common among attackers in recent years, because it allows them to avoid detection by traditional security software.
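As an added illustration (not code from this page or from Elastic), the following Python scores constructed driver-load records for the two signals described above: a driver whose signing certificate is revoked, and a driver whose file description claims CrowdStrike Falcon while its signer does not match. The record fields, the expected-signer mapping, the sample paths and the placeholder signer name are assumptions for this example.

```python
from dataclasses import dataclass

# Assumed signer name for a vendor that a driver's file description may claim.
# Extend this mapping for the EDR vendors you actually run.
EXPECTED_SIGNER = {"CrowdStrike": "CrowdStrike"}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class DriverLoad:
    image: str        # path of the loaded driver (as in Sysmon ImageLoaded)
    signer: str       # subject of the Authenticode signing certificate
    status: str       # signature status reported by the OS, e.g. "Valid", "Revoked"
    description: str  # FileDescription from the PE version resource (assumed enrichment)


def assess(ev: DriverLoad) -> list[str]:
    """Return the reasons a driver-load event looks like a rogue driver; [] means clean."""
    reasons = []
    # A revoked certificate can still produce a loadable driver, so the load itself
    # is the signal: anything other than a currently valid chain is suspicious.
    if ev.status.lower() != "valid":
        reasons.append(f"signature status {ev.status}")
    # A driver that claims to be an EDR component but is not signed by that vendor
    # is masquerading, as described for the fake CrowdStrike Falcon driver.
    for vendor, signer in EXPECTED_SIGNER.items():
        if vendor.lower() in ev.description.lower() and signer.lower() not in ev.signer.lower():
            reasons.append(f"claims {vendor} but is signed by {ev.signer!r}")
    # Legitimate sensor drivers live under the system drivers directory.
    if not ev.image.lower().startswith(DRIVER_DIR):
        reasons.append("loaded from outside the system drivers directory")
    return reasons


def triage(events: list[DriverLoad]) -> dict[str, list[str]]:
    """Map each suspicious image path to its findings, dropping clean loads."""
    return {ev.image: r for ev in events if (r := assess(ev))}


# Constructed sample events; the signer string on the second is a placeholder.
SAMPLE_EVENTS = [
    DriverLoad(r"C:\Windows\System32\drivers\CrowdStrike\csagent.sys",
               "CrowdStrike, Inc.", "Valid", "CrowdStrike Falcon Sensor"),
    DriverLoad(r"C:\Users\Public\smuol.sys",
               "EXAMPLE-REVOKED-SIGNER", "Revoked", "CrowdStrike Falcon Sensor"),
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```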

The ABYSSWORKER driver is a key component of the Medusa ransomware campaign, and its functionality is both capable and concerning. When initialized, the driver loads kernel module pointers and sets up a client protection feature. It then creates a device and a symbolic link before registering callbacks for its major functions.

When the driver's device is opened, it adds the calling process ID to a protection list and removes existing handles to that process. It retrieves the client's process ID from the current kernel thread and strips access rights from other processes, which it finds by brute-force iteration over process IDs. The driver then registers callbacks to block unauthorized handle creation, so that protected processes remain inaccessible.

The ABYSSWORKER driver processes device I/O control requests by dispatching them to handlers based on the control code. These handlers enable file manipulation, process termination, and driver removal, allowing the malware to disable EDR systems effectively.

One of the most interesting aspects of the ABYSSWORKER driver is its use of opaque predicates and derivation functions to obstruct static analysis. According to Elastic researchers, however, only three such derivation functions exist and they are not used in predicates, so the obfuscation is ineffective and easy to identify.

In conclusion, the Medusa ransomware campaign and the ABYSSWORKER driver are a potent combination that makes cybersecurity professionals sit up and take notice. As attackers continue to evolve their tactics and techniques, it's essential for security teams to stay vigilant and keep pace with the latest threats.






  • Published: Mon Mar 24 12:46:56 2025 by llama3.2 3B Q4_K_M