Medusa Ransomware Neutralizes Anti-Malware Solutions Using Compromised Certificates

Cybercriminals Leverage Custom Drivers to Evade Security Measures in MEDUSA Ransomware Campaign

Cybercriminals are increasingly using custom and compromised drivers to blind endpoint detection and response (EDR) products so that malicious activity proceeds undetected. Elastic Security Labs (ESL) has uncovered a financially motivated MEDUSA ransomware campaign in which a loader deploys a driver, AbyssWorker, signed with a revoked certificate issued to a China-based vendor. The driver is purpose-built to disable a range of EDR solutions.

According to ESL’s findings, shared with Hackread.com, these tactics effectively blind security tooling, letting the attackers move through the environment unimpeded and raising the odds that the intrusion succeeds. AbyssWorker, a critical element of this tooling, systematically locates and silences whichever EDR platforms are installed on the victim machine.

This EDR-disabling driver was previously noted in a recent ConnectWise report, which documented its use in a separate campaign with different certificates and I/O control codes. Mandiant’s 2022 research on the POORTRY driver may be one of the earliest references to the same functionality. ESL’s analysis shows the malicious driver being deployed under the filename smuol.sys, imitating a legitimate CrowdStrike Falcon driver so that it blends in with security software already present on the host.

The heavy use of revoked certificates from various Chinese entities, including Foshan Gaoming Kedeyu Insulation Materials Co., Ltd., raises concern about how widely these certificates circulate across malware campaigns. On load, AbyssWorker creates a device object and a symbolic link to it, then registers the callback routines that service requests to that device. Notably, it strips handles that other processes already hold, so that those processes, security agents included, can no longer manipulate the process it protects.

AbyssWorker’s mechanics revolve around its DeviceIoControl handlers, which expose numerous operations through I/O control codes, ranging from file manipulation to process termination and API loading. A client must first authenticate with a password before any of these handlers will act. For file operations the driver builds I/O Request Packets (IRPs) itself rather than calling the documented file APIs, sidestepping monitoring that sits on those API paths and further complicating detection.
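The control codes a client passes to DeviceIoControl are not opaque numbers: Windows packs the device type, required access, function number and buffering method into each 32-bit value with the CTL_CODE macro, and decoding them is the first step when comparing IOCTL sets across samples, as ESL and ConnectWise did with their respective AbyssWorker variants. The program below is an added example written for this article, not code from ESL or from the driver; the codes it decodes are constructed illustrations (plus one well-known inbox disk IOCTL) rather than values recovered from AbyssWorker, and the "vendor-style" heuristic is a triage rule of thumb, not a definition.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Field layout of a Windows I/O control code, as produced by the CTL_CODE
 * macro in the WDK headers:
 *   bits 31..16  device type      bits 15..14  required access
 *   bits 13..2   function number  bits  1..0   transfer method            */
#define FILE_DEVICE_UNKNOWN 0x22u
#define METHOD_BUFFERED     0u
#define METHOD_IN_DIRECT    1u
#define METHOD_OUT_DIRECT   2u
#define METHOD_NEITHER      3u
#define FILE_ANY_ACCESS     0u

typedef struct {
    uint32_t device_type;
    uint32_t access;
    uint32_t function;
    uint32_t method;
} ioctl_fields;

/* Same arithmetic as CTL_CODE(DeviceType, Function, Method, Access). */
static uint32_t ctl_code(uint32_t dev, uint32_t func, uint32_t method, uint32_t access)
{
    return (dev << 16) | (access << 14) | (func << 2) | method;
}

static ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

static const char *method_name(uint32_t m)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[m & 3u];
}

/* Triage heuristic: custom drivers normally create their device as
 * FILE_DEVICE_UNKNOWN and number their functions from 0x800 upward, the
 * range Microsoft leaves to vendors. Inbox device classes do not match. */
static bool is_vendor_style(uint32_t code)
{
    ioctl_fields f = decode_ioctl(code);
    return f.device_type == FILE_DEVICE_UNKNOWN && f.function >= 0x800u;
}

/* METHOD_NEITHER hands the driver raw user-mode pointers with no kernel
 * copy, so those handlers deserve first attention when auditing a driver. */
static bool passes_raw_pointers(uint32_t code)
{
    return decode_ioctl(code).method == METHOD_NEITHER;
}

static size_t count_vendor_style(const uint32_t *codes, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += is_vendor_style(codes[i]) ? 1u : 0u;
    return hits;
}

/* Constructed sample: two made-up vendor codes and one real inbox code. */
static const uint32_t sample_codes[] = {
    0x222000u,  /* CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS) */
    0x222073u,  /* CTL_CODE(FILE_DEVICE_UNKNOWN, 0x81c, METHOD_NEITHER,  FILE_ANY_ACCESS) */
    0x070000u,  /* IOCTL_DISK_GET_DRIVE_GEOMETRY: device type 7, function 0 */
};
#define SAMPLE_COUNT (sizeof sample_codes / sizeof sample_codes[0])

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++) {
        ioctl_fields f = decode_ioctl(sample_codes[i]);
        printf("0x%08X dev=0x%04X func=0x%03X %-17s%s%s\n", sample_codes[i],
               f.device_type, f.function, method_name(f.method),
               is_vendor_style(sample_codes[i]) ? " [vendor-style]" : "",
               passes_raw_pointers(sample_codes[i]) ? " [raw pointers]" : "");
    }
    printf("%zu of %zu codes look vendor-defined\n",
           count_vendor_style(sample_codes, SAMPLE_COUNT), SAMPLE_COUNT);
    return 0;
}
```

When two samples of the same family expose different IOCTL numbers, decoding them usually shows that only the function field moved while device type and method stayed put, which is a quick way to line up handlers across variants before diving into the dispatch routine.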

AbyssWorker can remove notification callbacks such as the process, thread and image-load notify routines that EDRs rely on, replace the major functions of other drivers, detach mini-filter devices, and terminate processes and threads. Particularly alarming is its ability to reboot the system through the undocumented HalReturnToFirmware routine, all of which helps MEDUSA ransomware run without interference from security mechanisms.

One obfuscation technique AbyssWorker employs is scattering "constant-returning functions" throughout the binary to clutter static analysis. ESL rates the method as ineffective: the stubs are easily recognized and do little to hinder analysis.
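A constant-returning function is a stub that does nothing but load a fixed value and return; callers then compare that value to steer control flow, so a disassembler shows many tiny functions and opaque branches. Recognizing them is mechanical, which is why the technique buys so little. The scanner below is an added example written for this article, not ESL's tooling and not derived from the driver; it assumes the stubs compile to the usual x86 encodings `mov eax, imm32 ; ret` (B8 imm32 C3) or `xor eax, eax ; ret` (31 C0 C3 / 33 C0 C3), and it runs over a constructed byte buffer standing in for a .text section dump.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    size_t   offset;   /* byte offset of the stub inside the scanned buffer */
    uint32_t value;    /* the constant the stub returns in EAX              */
} const_stub;

/* Linear scan for the two cheapest x86 encodings of "return a constant":
 *   B8 imm32 C3          mov eax, imm32 ; ret
 *   31 C0 C3 / 33 C0 C3  xor eax, eax   ; ret   (returns 0)
 * Returns the total number of matches and fills out[] with up to max_out. */
static size_t find_const_stubs(const uint8_t *code, size_t len,
                               const_stub *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i < len; ) {
        size_t   stub_len = 0;
        uint32_t value    = 0;

        if (i + 6 <= len && code[i] == 0xB8 && code[i + 5] == 0xC3) {
            value = (uint32_t)code[i + 1]        | ((uint32_t)code[i + 2] << 8)
                  | ((uint32_t)code[i + 3] << 16) | ((uint32_t)code[i + 4] << 24);
            stub_len = 6;
        } else if (i + 3 <= len && (code[i] == 0x31 || code[i] == 0x33)
                   && code[i + 1] == 0xC0 && code[i + 2] == 0xC3) {
            stub_len = 3;   /* value stays 0 */
        }

        if (stub_len) {
            if (n < max_out) { out[n].offset = i; out[n].value = value; }
            n++;
            i += stub_len;  /* skip the whole stub, do not rescan its operand bytes */
        } else {
            i++;
        }
    }
    return n;
}

/* Constructed .text fragment: three stubs interleaved with ordinary code. */
static const uint8_t sample_text[] = {
    0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3,   /*  0: mov eax, 42          ; ret */
    0x55, 0x48, 0x89, 0xE5, 0x90, 0x90,   /*  6: push rbp ; mov rbp, rsp ; nop ; nop */
    0xB8, 0xFF, 0xFF, 0xFF, 0xFF, 0xC3,   /* 12: mov eax, 0xFFFFFFFF  ; ret */
    0x31, 0xC0, 0xC3,                     /* 18: xor eax, eax         ; ret */
    0xE8, 0x00, 0x00, 0x00, 0x00,         /* 21: call $+5 */
    0x48, 0x83, 0xC4, 0x28, 0xC3,         /* 26: add rsp, 0x28        ; ret */
};

#define MAX_STUBS 16
static const_stub found[MAX_STUBS];

static size_t scan_sample(void)
{
    return find_const_stubs(sample_text, sizeof sample_text, found, MAX_STUBS);
}

/* Accessors for the scan result; an out-of-range index yields SIZE_MAX / 0. */
static size_t sample_stub_offset(size_t i)
{
    return i < scan_sample() ? found[i].offset : (size_t)-1;
}

static uint32_t sample_stub_value(size_t i)
{
    return i < scan_sample() ? found[i].value : 0u;
}

int main(void)
{
    size_t n = scan_sample();
    for (size_t i = 0; i < n && i < MAX_STUBS; i++)
        printf("stub at +0x%02zx returns 0x%08X\n", found[i].offset, found[i].value);
    /* Density is the useful signal: a handful per binary is normal, hundreds is not. */
    printf("%zu constant-returning stubs in %zu bytes\n", n, sizeof sample_text);
    return 0;
}
```

Because the scan is linear and does not disassemble, a match can also land inside the operand bytes of a longer instruction, so treat hits as candidates to confirm at function boundaries (a disassembler's function list, or call targets). The indicator of this obfuscation is a high density of such stubs across .text whose return values are immediately compared against constants, not any single hit; a plain `return 0;` helper looks identical in isolation.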

In summary, AbyssWorker exemplifies the growing sophistication of kernel-level malware built to dismantle security infrastructure. To assist detection and analysis, ESL has published a client implementation for the driver and released YARA rules in its GitHub repository so that security teams can identify AbyssWorker in their environments.

As stated by Thomas Richards, Principal Consultant and Network and Red Team Practice Director at Black Duck, the challenges presented by the MEDUSA malware underscore the evolving landscape of cyber threats. He emphasized the need for vigilance among security teams, particularly in monitoring for unusual system behaviors, such as changes in time settings.

The organizations hit by this scheme typically do not realize the malware is present until their defenses have already been switched off. As these attacks evolve, defenders should map the activity to the MITRE ATT&CK framework, paying attention not only to the initial access, persistence and privilege escalation techniques modern adversaries use but also to defense evasion, since disabling security tools is the whole point of this driver.
