Full Report
The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver (BYOVD) attack designed to disable anti-malware tools. Elastic Security Labs said it observed a Medusa ransomware attack that delivered the encryptor by means of a loader packed using a packer-as-a-service (PaaS
Analysis Summary
# Tool/Technique: ABYSSWORKER
## Overview
ABYSSWORKER is a malicious, revoked certificate-signed kernel driver observed being used by the Medusa ransomware-as-a-service (RaaS) operation in Bring Your Own Vulnerable Driver (BYOVD) attacks. Its primary purpose is to disable security products, particularly Endpoint Detection and Response (EDR) solutions, on victim machines to facilitate the deployment of the Medusa encryptor.
## Technical Details
- Type: Malware (Malicious Driver)
- Platform: Windows
- Capabilities: Disabling EDR/Anti-malware, process/thread termination, file manipulation, kernel API loading, establishing persistence via protected processes.
- First Seen: Artifacts detected dating from August 8, 2024, to February 25, 2025.
## MITRE ATT&CK Mapping
- TA0005 - Defense Evasion
- T1219 - Drive-by Compromise (Relevant due to driver exploitation/installation)
- T1055 - Process Injection (Implied, as it interacts with kernel structures)
- TA0004 - Privilege Escalation
- T1222 - Exploitation for Privilege Escalation (Leverages vulnerable driver mechanism)
- TA0011 - Command and Control (May be used to maintain persistence after disabling defenses)
## Functionality
### Core Capabilities
- **EDR Disablement:** Designed specifically to target and terminate various EDR vendor processes and services.
- **Kernel Persistence:** Installs itself as a driver (mimicking `CSAgent.sys` but named `smuol.sys` in one instance) and adds its process ID to a list of global protected processes.
- **I/O Control Handling:** Listens for incoming device I/O control requests dispatched to specific handlers based on I/O control codes.
### Advanced Features
- **Security Blinding via Callback Removal:** Utilizes I/O control code `0x222400` to search and remove all registered notification callbacks, effectively blinding security products.
- **Kernel API Loading:** Can load necessary kernel APIs (`0x222080`, `0x2220c0`), suggesting dynamic functionality loading capabilities.
- **Termination Capability:** Can terminate processes by Process ID (`0x222144`) or terminate threads by Thread ID (`0x222140`), and kill system threads by module name (`0x222408`).
- **Code Signing Bypasses Trust:** Signed using stolen/revoked certificates from Chinese vendors, granting it initial trust to bypass certain security checks.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: `smuol.sys` (One variant observed, mimicking `CSAgent.sys`). Another observed name for a similar driver was `nbwdv.sys` (used by ConnectWise exploit).
- Registry Keys: [Not provided in context]
- Network Indicators: [Not provided in context]
- Behavioral Indicators: Installing unsigned/revoked driver, interacting with device I/O control points, rapid disabling of security software callbacks/processes.
## Associated Threat Actors
- Medusa Ransomware RaaS operators.
## Detection Methods
- Signature-based detection: Based on known file hashes or specific driver filenames (`smuol.sys`).
- Behavioral detection: Monitoring for driver installation using revoked certificates, I/O control requests targeting security mechanisms (especially callback removal), and immediate attempts to disable EDR processes after successful load.
- YARA rules: Can be developed based on the unique function strings or internal structures related to the specified I/O control codes.
## Mitigation Strategies
- **Driver Signature Enforcement:** Ensure strict enforcement of Windows Driver Signature Enforcement (HVCI) policies.
- **Vulnerability Management:** Keep security software, especially EDR agents, patched to prevent the exploitation of vulnerable drivers used in an assumed BYOVD attack chain.
- **Kernel Integrity Monitoring:** Monitor for system calls or I/O operations that attempt to manipulate kernel notification routines or process/thread structures from unauthorized drivers.
## Related Tools/Techniques
- EDRSandBlast (Uses similar technique of removing notification callbacks)
- RealBlindingEDR (Uses similar technique of removing notification callbacks)
- BYOVD Attacks (General technique leveraging vulnerable kernel drivers, like the Check Point ZoneAlarm driver `vsdatant.sys` exploit)
- HeartCrypt (PaaS packer used to hide the main loader)