The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver (BYOVD) attack designed to disable anti-malware tools.
Elastic Security Labs said it observed a Medusa ransomware attack that delivered the encryptor by means of a loader packed using a packer-as-a-service (PaaS) called HeartCrypt.
“This loader was deployed alongside a revoked certificate-signed driver from a Chinese vendor we named ABYSSWORKER, which it installs on the victim machine and then uses to target and silence different EDR vendors,” the company said in a report.
The driver in question, “smuol.sys,” mimics a legitimate CrowdStrike Falcon driver (“CSAgent.sys”). Dozens of ABYSSWORKER artifacts have been detected on the VirusTotal platform dating from August 8, 2024, to February 25, 2025. All the identified samples are signed using likely stolen, revoked certificates from Chinese companies.
The fact that the malware is also signed gives it a veneer of trust and allows it to bypass security systems without attracting any attention. It’s worth noting that the endpoint detection and response (EDR)-killing driver was previously documented by ConnectWise in January 2025 under the name “nbwdv.sys.”
Once initialized and launched, ABYSSWORKER is designed to add the process ID to a list of global protected processes and listen for incoming device I/O control requests, which are then dispatched to appropriate handlers based on I/O control code.
“These handlers cover a wide range of operations, from file manipulation to process and driver termination, providing a comprehensive toolset that can be used to terminate or permanently disable EDR systems,” Elastic said.
The list of some of the I/O control codes is below –
- 0x222080 – Enable the driver by sending a password “7N6bCAoECbItsUR5-h4Rp2nkQxybfKb0F-wgbJGHGh20pWUuN1-ZxfXdiOYps6HTp0X”
- 0x2220c0 – Load necessary kernel APIs
- 0x222184 – Copy file
- 0x222180 – Delete file
- 0x222408 – Kill system threads by module name
- 0x222400 – Remove notification callbacks by module name
- 0x2220c0 – Load API
- 0x222144 – Terminate process by their process ID
- 0x222140 – Terminate thread by their thread ID
- 0x222084 – Disable malware
- 0x222664 – Reboot the machine
Of particular interest is 0x222400, which can be used to blind security products by searching and removing all registered notification callbacks, an approach also adopted by other EDR-killing tools like EDRSandBlast and RealBlindingEDR.
The findings follow a report from Venak Security about how threat actors are exploiting a legitimate-but-vulnerable kernel driver associated with Check Point’s ZoneAlarm antivirus software as part of a BYOVD attack designed to gain elevated privileges and disable Windows security features like Memory Integrity.
The privileged access was then abused by the threat actors to establish a Remote Desktop Protocol (RDP) connection to the infected systems, facilitating persistent access. The loophole has since been plugged by Check Point.
“As vsdatant.sys operates with high-level kernel privileges, attackers were able to exploit its vulnerabilities, bypassing security protections and antivirus software, and gaining full control of the infected machines,” the company said.
“Once these defenses were bypassed, attackers had full access to the underlying system, the attackers were able to access sensitive information such as user passwords and other stored credentials. This data was then exfiltrated, opening the door for further exploitation.”
The development comes as the RansomHub (aka Greenbottle and Cyclops) ransomware operation has been attributed to the use of a previously undocumented multi-function backdoor codenamed Betruger by at least one of its affiliates.
The implant comes with features typically associated with malware deployed as a precursor to ransomware, such as screenshotting, keylogging, network scanning, privilege escalation, credential dumping, and data exfiltration to a remote server.
“The functionality of Betruger indicates that it may have been developed in order to minimize the number of new tools dropped on a targeted network while a ransomware attack is being prepared,” Broadcom-owned Symantec said, describing it as something of a departure from other custom tools developed by ransomware groups for data exfiltration.
“The use of custom malware other than encrypting payloads is relatively unusual in ransomware attacks. Most attackers rely on legitimate tools, living off the land, and publicly available malware such as Mimikatz and Cobalt Strike.”
