The MEDUSA ransomware operation has been observed leveraging a sophisticated malicious driver called ABYSSWORKER to disable endpoint detection and response (EDR) systems.
This dangerous capability allows the ransomware to operate undetected, significantly increasing the threat to organizations’ security infrastructure.
The ABYSSWORKER driver is deployed alongside a HEARTCRYPT-packed loader as part of the MEDUSA ransomware attack chain.
Elastic Security Labs analysts noted that this driver is specifically designed to target and silence different EDR vendors, effectively removing a critical layer of defense against ransomware attacks.
One particularly troubling aspect of the ABYSSWORKER driver is that it’s signed using revoked certificates from Chinese vendors, which helps it bypass security controls that verify driver signatures.
The certificates carry fingerprints tied to companies such as “Foshan Gaoming Kedeyu Insulation Materials Co., Ltd” and “Fuzhou Dingxin Trade Co., Ltd,” among others.
The malware masquerades as a legitimate CrowdStrike Falcon driver, using company names, file descriptions, and other metadata to appear authentic.
According to the analysis, the driver’s PE header shows properties like “CrowdStrike, Inc.” as the company name and “CrowdStrike Falcon Sensor Driver” as the file description, creating a convincing disguise.
When deployed, ABYSSWORKER establishes a device object and symbolic link for communication with its client process.
The driver creates a device named “\device\czx9umpTReqbookF” and a symbolic link “\??\fqg0Et4KlNt4s1JT” as shown in the code below:
```c
/* Create the control device. FILE_DEVICE_UNKNOWN (0x22) is the device type
   encoded in the driver's 0x22xxxx IOCTL codes, and 0x100u is
   FILE_DEVICE_SECURE_OPEN. */
RtlInitUnicodeString(&device_name, L"\\device\\czx9umpTReqbookF");
_result = IoCreateDevice(p_driver_object, 0, &device_name, FILE_DEVICE_UNKNOWN, 0x100u, 0, &p_device);
/* Expose the device under \??\ so the user-mode client can open it by name. */
RtlInitUnicodeString(&sym_link, L"\\??\\fqg0Et4KlNt4s1JT");
__result = IoCreateSymbolicLink(&sym_link, &device_name);
```
Technical Capabilities
The ABYSSWORKER driver uses a sophisticated client protection mechanism that adds the client process ID to a protection list and strips access rights from any existing handles to the client process.
This client protection mechanism is how the driver prevents other processes from accessing or terminating the malware client.
To communicate with its client, the driver implements various DeviceIoControl handlers with specific IO control codes.
For example, code 0x222080 enables the malware after verifying a hardcoded password, while 0x222400 removes callbacks and devices by module name.
Other capabilities include copying files (0x222184), terminating processes (0x222144), and even rebooting the machine (0x222664).
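The IOCTL codes above follow the standard Windows CTL_CODE layout, which is useful to know when writing detections. The following script is an added example (not code from the Elastic report or from the driver): it decodes those codes into their device type, access, function and transfer method, and scans constructed log lines in a hypothetical `pid=... device=... ioctl=...` format for DeviceIoControl calls that reach the ABYSSWORKER device by the names given above.

```python
"""Added example: decode ABYSSWORKER IOCTL codes and flag calls to its device."""
import re

# CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

# Handler purposes as described in the article (device type 0x22 = FILE_DEVICE_UNKNOWN)
KNOWN_IOCTLS = {
    0x222080: "enable driver (hardcoded password check)",
    0x222400: "remove callbacks/devices by module name",
    0x222184: "copy file",
    0x222144: "terminate process",
    0x222664: "reboot machine",
}
# Device and symbolic link names from the article
DEVICE_NAME = r"\device\czx9umpTReqbookF"
SYMLINK_NAME = r"\??\fqg0Et4KlNt4s1JT"

def decode_ioctl(code):
    """Split a 32-bit IOCTL into its CTL_CODE fields."""
    return {"device_type": code >> 16, "access": ACCESS[(code >> 14) & 3],
            "function": (code >> 2) & 0xFFF, "method": METHODS[code & 3]}

# Constructed sample log lines in a hypothetical format (not real telemetry)
SAMPLE_LOG = r"""pid=4120 device=\??\fqg0Et4KlNt4s1JT ioctl=0x222080
pid=4120 device=\??\fqg0Et4KlNt4s1JT ioctl=0x222400
pid=812 device=\Device\HarddiskVolume2 ioctl=0x70000
pid=4120 device=\??\fqg0Et4KlNt4s1JT ioctl=0x222144"""

LINE_RE = re.compile(r"pid=(\d+)\s+device=(\S+)\s+ioctl=0x([0-9A-Fa-f]+)")

def scan_log(text):
    """Return decoded IOCTLs for every line that targets the ABYSSWORKER device."""
    targets = {DEVICE_NAME.lower(), SYMLINK_NAME.lower()}
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(2).lower() not in targets:
            continue
        code = int(m.group(3), 16)
        info = decode_ioctl(code)
        info.update(pid=int(m.group(1)), code=code,
                    purpose=KNOWN_IOCTLS.get(code, "unknown handler"))
        hits.append(info)
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Any IOCTL whose function field is outside the handlers listed still deserves attention, since the article only names a subset of the driver's codes.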
Perhaps most concerning, the driver can eliminate EDR protections by removing notification callbacks used by security products and replacing driver major functions with dummy implementations.
It can also kill system threads belonging to security software and detach MiniFilter devices that might be monitoring file system activity.
Elastic Security Labs has released YARA rules for detecting this threat, providing organizations with a means to identify this dangerous component of the MEDUSA ransomware toolkit.