Friday, March 21, 2025

Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates


Mar 21, 2025 | Ravie Lakshmanan | Ransomware / BYOVD


The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver (BYOVD) attack designed to disable anti-malware tools.

Elastic Security Labs said it observed a Medusa ransomware attack that delivered the encryptor by means of a loader packed using a packer-as-a-service (PaaS) called HeartCrypt.

"This loader was deployed alongside a revoked certificate-signed driver from a Chinese vendor we named ABYSSWORKER, which it installs on the victim machine and then uses to target and silence different EDR vendors," the company said in a report.

The driver in question, "smuol.sys," mimics a legitimate CrowdStrike Falcon driver ("CSAgent.sys"). Dozens of ABYSSWORKER artifacts have been detected on the VirusTotal platform dating from August 8, 2024, to February 25, 2025. All the identified samples are signed using likely stolen, revoked certificates from Chinese companies.


The fact that the malware is also signed gives it a veneer of trust and allows it to bypass security systems without attracting any attention. It is worth noting that the endpoint detection and response (EDR)-killing driver was previously documented by ConnectWise in January 2025 under the name "nbwdv.sys."

Once initialized and launched, ABYSSWORKER is designed to add the process ID to a list of global protected processes and listen for incoming device I/O control requests, which are then dispatched to the appropriate handlers based on the I/O control code.

"These handlers cover a wide range of operations, from file manipulation to process and driver termination, providing a comprehensive toolset that can be used to terminate or permanently disable EDR systems," Elastic said.

The list of some of the I/O control codes is below:

  • 0x222080 – Enable the driver by sending the password "7N6bCAoECbItsUR5-h4Rp2nkQxybfKb0F-wgbJGHGh20pWUuN1-ZxfXdiOYps6HTp0X"
  • 0x2220c0 – Load necessary kernel APIs
  • 0x222184 – Copy file
  • 0x222180 – Delete file
  • 0x222408 – Kill system threads by module name
  • 0x222400 – Remove notification callbacks by module name
  • 0x222144 – Terminate process by process ID
  • 0x222140 – Terminate thread by thread ID
  • 0x222084 – Disable malware
  • 0x222664 – Reboot the machine
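The control codes above are ordinary Windows CTL_CODE values, and decoding them tells a detection engineer something the raw numbers do not: they all use device type 0x22 (FILE_DEVICE_UNKNOWN, the usual choice for a custom driver that exposes a device object) and function numbers in the vendor-defined range 0x800 and above. The block below is an added example, not code from Elastic's report or from the ABYSSWORKER driver itself. It decodes the listed codes using the documented CTL_CODE field layout and models, in user mode, the password gate the article describes: no handler is serviced until the enable IOCTL has been sent with the reported password. The handler labels and the `driver_state` structure are this example's own assumptions about how such a dispatcher is organized, not recovered from the driver.

```c
/*
 * Added example: decode ABYSSWORKER's reported IOCTL codes and model its
 * password-gated dispatch. Not code from Elastic or from the driver.
 *
 * Windows CTL_CODE layout (winioctl.h / ntddk.h):
 *   code = (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ioctl_fields {
    uint32_t device_type; /* 0x22 == FILE_DEVICE_UNKNOWN */
    uint32_t access;      /* 0 ANY, 1 READ, 2 WRITE, 3 READ|WRITE */
    uint32_t function;    /* >= 0x800 is the vendor-defined range */
    uint32_t method;      /* 0 BUFFERED, 1 IN_DIRECT, 2 OUT_DIRECT, 3 NEITHER */
};

/* Split a CTL_CODE value into its four fields. */
struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* Codes and descriptions as reported in the article. */
#define IOCTL_ENABLE_DRIVER       0x222080u
#define IOCTL_LOAD_KERNEL_APIS    0x2220c0u
#define IOCTL_COPY_FILE           0x222184u
#define IOCTL_DELETE_FILE         0x222180u
#define IOCTL_KILL_SYSTEM_THREADS 0x222408u
#define IOCTL_REMOVE_CALLBACKS    0x222400u
#define IOCTL_TERMINATE_PROCESS   0x222144u
#define IOCTL_TERMINATE_THREAD    0x222140u
#define IOCTL_DISABLE_MALWARE     0x222084u
#define IOCTL_REBOOT              0x222664u

static const struct { uint32_t code; const char *desc; } known_ioctls[] = {
    { IOCTL_ENABLE_DRIVER,       "Enable the driver (password)" },
    { IOCTL_LOAD_KERNEL_APIS,    "Load necessary kernel APIs" },
    { IOCTL_COPY_FILE,           "Copy file" },
    { IOCTL_DELETE_FILE,         "Delete file" },
    { IOCTL_KILL_SYSTEM_THREADS, "Kill system threads by module name" },
    { IOCTL_REMOVE_CALLBACKS,    "Remove notification callbacks by module name" },
    { IOCTL_TERMINATE_PROCESS,   "Terminate process by PID" },
    { IOCTL_TERMINATE_THREAD,    "Terminate thread by TID" },
    { IOCTL_DISABLE_MALWARE,     "Disable malware" },
    { IOCTL_REBOOT,              "Reboot the machine" },
};

/* Password reported for the enable IOCTL (quoted from the article). */
static const char ENABLE_PASSWORD[] =
    "7N6bCAoECbItsUR5-h4Rp2nkQxybfKb0F-wgbJGHGh20pWUuN1-ZxfXdiOYps6HTp0X";

enum dispatch_result { DISPATCH_REJECTED = 0, DISPATCH_ENABLED, DISPATCH_HANDLED, DISPATCH_UNKNOWN };

/* Assumed dispatcher state: just the "unlocked" flag (this example's own model). */
struct driver_state { int enabled; };

/* Model of the gate: only the enable IOCTL is serviced until the exact
 * password has been presented; afterwards every listed code dispatches. */
enum dispatch_result dispatch_ioctl(struct driver_state *st, uint32_t code,
                                    const char *in_buf, size_t in_len)
{
    if (code == IOCTL_ENABLE_DRIVER) {
        if (in_buf && in_len == sizeof(ENABLE_PASSWORD) - 1 &&
            memcmp(in_buf, ENABLE_PASSWORD, in_len) == 0) {
            st->enabled = 1;
            return DISPATCH_ENABLED;
        }
        return DISPATCH_REJECTED;
    }
    if (!st->enabled)
        return DISPATCH_REJECTED;
    for (size_t i = 0; i < sizeof(known_ioctls) / sizeof(known_ioctls[0]); i++)
        if (known_ioctls[i].code == code)
            return DISPATCH_HANDLED;
    return DISPATCH_UNKNOWN;
}

/* Runs the enable sequence through the model; returns 1 if it behaves as described. */
int gate_model_selftest(void)
{
    struct driver_state st = { 0 };
    if (dispatch_ioctl(&st, IOCTL_TERMINATE_PROCESS, NULL, 0) != DISPATCH_REJECTED) return 0;
    if (dispatch_ioctl(&st, IOCTL_ENABLE_DRIVER, "wrong", 5) != DISPATCH_REJECTED) return 0;
    if (dispatch_ioctl(&st, IOCTL_ENABLE_DRIVER, ENABLE_PASSWORD,
                       strlen(ENABLE_PASSWORD)) != DISPATCH_ENABLED) return 0;
    if (dispatch_ioctl(&st, IOCTL_TERMINATE_PROCESS, NULL, 0) != DISPATCH_HANDLED) return 0;
    if (dispatch_ioctl(&st, 0x222000u, NULL, 0) != DISPATCH_UNKNOWN) return 0;
    return 1;
}

int main(void)
{
    for (size_t i = 0; i < sizeof(known_ioctls) / sizeof(known_ioctls[0]); i++) {
        struct ioctl_fields f = decode_ioctl(known_ioctls[i].code);
        printf("0x%06x  dev=0x%02x acc=%u fn=0x%03x meth=%u  %s\n",
               known_ioctls[i].code, f.device_type, f.access, f.function,
               f.method, known_ioctls[i].desc);
    }
    printf("gate model: %s\n", gate_model_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The decoded device type 0x22 and the 0x8xx function numbers are a useful hunting signal on their own: a third-party driver whose device object accepts METHOD_BUFFERED requests in that range, named after a security vendor's binary, signed with a revoked certificate, is worth pulling for analysis even before its handlers are reversed.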

Of particular interest is 0x222400, which can be used to blind security products by searching for and removing all registered notification callbacks, an approach also adopted by other EDR-killing tools like EDRSandBlast and RealBlindingEDR.

The findings follow a report from Venak Security about how threat actors are exploiting a legitimate-but-vulnerable kernel driver associated with Check Point's ZoneAlarm antivirus software as part of a BYOVD attack designed to gain elevated privileges and disable Windows security features like Memory Integrity.

The privileged access was then abused by the threat actors to establish a Remote Desktop Protocol (RDP) connection to the infected systems, facilitating persistent access. The loophole has since been plugged by Check Point.

"As vsdatant.sys operates with high-level kernel privileges, attackers were able to exploit its vulnerabilities, bypassing security protections and antivirus software, and gaining full control of the infected machines," the company said.


"Once these defenses were bypassed, attackers had full access to the underlying system, the attackers were able to access sensitive information such as user passwords and other stored credentials. This data was then exfiltrated, opening the door for further exploitation."

The development comes as the RansomHub (aka Greenbottle and Cyclops) ransomware operation has been attributed to the use of a previously undocumented multi-function backdoor codenamed Betruger by at least one of its affiliates.

The implant comes with features typically associated with malware deployed as a precursor to ransomware, such as screenshotting, keylogging, network scanning, privilege escalation, credential dumping, and data exfiltration to a remote server.

"The functionality of Betruger indicates that it may have been developed in order to reduce the number of new tools dropped on a targeted network while a ransomware attack is being prepared," Broadcom-owned Symantec said, describing it as something of a departure from other custom tools developed by ransomware groups for data exfiltration.

"The use of custom malware other than encrypting payloads is relatively unusual in ransomware attacks. Most attackers rely on legitimate tools, living off the land, and publicly available malware such as Mimikatz and Cobalt Strike."
