Medusa Ransomware Disables Anti-malware Tools With Stolen Certificates


Cybercriminals are abusing compromised code-signing certificates and malicious kernel drivers to disable endpoint detection and response (EDR) tools, so that the rest of an intrusion runs undetected. Elastic Security Labs (ESL) has identified a financially motivated campaign deploying MEDUSA ransomware that uses a loader paired with a driver named AbyssWorker, signed with a revoked certificate. The driver, which ESL traces to a Chinese vendor, exists to neutralize EDR solutions.

According to ESL’s investigation, shared with Hackread.com, this tactic blinds security tooling and lets the operators work freely on the host, increasing the success rate of their attacks.

The AbyssWorker driver is a key component of the campaign: once installed on a victim machine, it systematically targets and silences a range of EDR products.

“This EDR-killer driver was recently reported by ConnectWise in another campaign, using a different certificate and IO control codes, at which time some of its capabilities were discussed. In 2022, Google Cloud Mandiant disclosed a malicious driver called POORTRY, which we believe is the earliest mention of this driver,” researchers noted in the blog post.

The file name of the malicious driver is smuol.sys (a 64-bit Windows PE driver). It imitates a legitimate CrowdStrike Falcon driver, most likely to blend in among legitimate system components. ESL identified multiple samples on VirusTotal dating from August 2024 to February 2025, all signed with revoked certificates belonging to various Chinese companies, including Foshan Gaoming Kedeyu Insulation Materials Co., Ltd and FEI XIAO, among others. These certificates are widely reused across unrelated malware campaigns and are not specific to AbyssWorker. Revocation alone does not keep such a driver from loading: Authenticode continues to honour a signature whose countersignature timestamp predates the revocation date, which is one reason these certificates keep circulating.

On initialization, AbyssWorker creates a device object and a symbolic link and registers handlers for the driver’s major functions. A key defence-evasion mechanism is stripping other processes’ existing handles to its client process, so that nothing else on the host can manipulate it. It also registers callbacks that deny access to handles of protected processes and threads.

The driver’s core functionality lives in its DeviceIoControl handlers, which dispatch on I/O control codes to perform a range of operations: file manipulation, process and driver termination, and API loading. A password must be supplied before the driver’s malicious capabilities are enabled. For file operations, AbyssWorker builds I/O Request Packets (IRPs) directly rather than going through the standard APIs, sidestepping hooks placed on those APIs.

AbyssWorker can remove notification callbacks, replace driver major functions, detach mini-filter devices, terminate processes and threads, and restore hooked NTFS and PnP driver functions. Notably, it can trigger a system reboot through the undocumented HalReturnToFirmware function. Together these capabilities let MEDUSA ransomware run without interference from security products.

One obfuscation technique AbyssWorker employs is calling “constant-returning functions” throughout the binary to complicate static analysis. Elastic found them easy to identify, however, and described the approach as “an inefficient obfuscation scheme.”

Nevertheless, AbyssWorker is a significant threat, and a further sign of how capable kernel-level malware built to disable security infrastructure has become. ESL has provided a client implementation example, giving researchers a means to explore and experiment with the driver. To aid detection, Elastic Security has also released YARA rules, available in its GitHub repository, that let security teams identify instances of AbyssWorker in their environments.
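The article leaves a defender with two concrete things to hunt for on a host: loaded drivers that carry the reported smuol.sys name or are signed by the certificate subjects listed above, and EDR mini-filters that have silently disappeared after being detached. The PowerShell script below is an added example written for this page, not Elastic’s client implementation or YARA rules. The function names are mine, and the $ExpectedFilters baseline (with WdFilter as a stand-in) is a hypothetical placeholder to be replaced with the filter names your own EDR registers.

```powershell
# Added hunting script (not Elastic's tooling). Assumes: run from an elevated PowerShell
# on the Windows host being checked; $SuspectSigners and $SuspectNames are taken from the
# article; $ExpectedFilters is a hypothetical baseline you must fill in from a known-good host.
#Requires -RunAsAdministrator

# Subject-name fragments of the revoked certificates the article reports on the samples.
$SuspectSigners = @('Foshan Gaoming Kedeyu Insulation Materials', 'FEI XIAO')
# File name the article reports for the AbyssWorker driver.
$SuspectNames   = @('smuol.sys')

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName may carry NT-style prefixes; normalise to a Win32 path.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

function Get-SuspiciousDrivers {
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        if (-not $drv.PathName) { continue }
        $path = Resolve-DriverPath $drv.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        $name   = (Split-Path -Leaf $path).ToLower()

        $reasons = @()
        # Authenticode still honours a signature whose timestamp predates the revocation
        # date, so a revoked certificate can still show as Valid here. Treat the status as
        # one signal among several, not as the verdict.
        if ($sig.Status -ne 'Valid')       { $reasons += "signature status $($sig.Status)" }
        if ($SuspectNames -contains $name) { $reasons += 'file name matches reported sample' }
        foreach ($s in $SuspectSigners) {
            if ($signer -like "*$s*")      { $reasons += "signer matches '$s'" }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service = $drv.Name
                State   = $drv.State
                Path    = $path
                Signer  = $signer
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

function Get-MissingMinifilters {
    param([string[]]$Expected)
    # 'fltmc filters' prints a header line, a dashed separator, then one row per loaded
    # minifilter with the filter name in the first column.
    $loaded = & fltmc.exe filters 2>$null |
        Where-Object { $_ -match '^\S' -and $_ -notmatch '^(Filter Name|-)' } |
        ForEach-Object { ($_ -split '\s+')[0] }
    $Expected | Where-Object { $loaded -notcontains $_ }
}

# Hypothetical baseline: replace with the minifilter names your EDR registers, read from
# 'fltmc filters' on a known-good host. WdFilter (Microsoft Defender) is only an illustration.
$ExpectedFilters = @('WdFilter')

Get-SuspiciousDrivers | Format-Table -AutoSize
$missing = Get-MissingMinifilters -Expected $ExpectedFilters
if ($missing) {
    Write-Warning "Expected minifilters not loaded (possible detach): $($missing -join ', ')"
}
```

Two caveats when reading the output. First, a driver signed with a now-revoked certificate can still report a Valid signature if the signature was timestamped before the revocation date, so the signer-name and file-name checks matter more than the status field; adjust the signer list from the full set of subjects in Elastic’s report rather than the two named here. Second, a missing mini-filter is only meaningful against a baseline taken from a healthy host, and the script must run elevated for fltmc to enumerate filters at all.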

Thomas Richards, Principal Consultant, Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, commented on the development:

“The Medusa malware is living up to its name, finding new ways to infect hosts even after one method has been blocked. Using a batch file to disable system services is a short-term ploy as it can be detected and blocked. Security teams should be on alert for any systems that have a time change and review end-user permissions to prevent the user from stopping the time service.”

Top/Featured Image by WaveGenerics from Pixabay
