Pierluigi Paganini
March 24, 2025
Elastic Security Labs tracked a financially driven MEDUSA ransomware campaign using a HEARTCRYPT-packed loader and a revoked certificate-signed driver, ABYSSWORKER, to disable EDR tools.
The attackers used a 64-bit Windows PE driver named smuol.sys, disguised as a CrowdStrike Falcon driver, which is VMProtect-protected and signed with a revoked Chinese certificate. Elastic researchers found dozens of samples from August 2024 to February 2025, likely signed with stolen certificates.
“All samples are signed using likely stolen, revoked certificates from Chinese companies. These certificates are widely known and shared across different malware samples and campaigns but are not specific to this driver.” reads the report published by Elastic.
ABYSSWORKER employs functions with constant return values, using opaque predicates and derivation functions to obstruct static analysis. The experts pointed out that only three such functions exist and are not used in predicates, the obfuscation is ineffective and easily identifiable.
Upon initialization, the driver loads kernel module pointers and sets up a client protection feature. It then creates a device and symbolic link before registering callbacks for its major functions.
When the driver device is opened, it adds the process ID to a protection list and removes existing handles to the target process. It retrieves the client’s process ID from the kernel thread and strips access rights from other processes using brute-force PID iteration. The driver then registers callbacks to prevent unauthorized handle creation, ensuring protected processes remain inaccessible.
The ABYSSWORKER driver processes device I/O control requests by dispatching them to handlers based on the control code. These handlers enable file manipulation, process termination, and driver removal, allowing the malware to disable EDR systems effectively.
“To copy or delete files, ABYSSWORKER relies on a strategy that, although not new, remains interesting. Instead of using a common API like NtCreateFile, an I/O Request Packet (IRP) is created from scratch and sent directly to the corresponding drive device containing the target file.” continues the report.
Elastic created a client implementation example that allows loading the driver’s APIs, it also created the YARA rules to detect the threat.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware)
