
The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver (BYOVD) attack designed to disable anti-malware tools.
Elastic Security Labs said it observed a Medusa ransomware attack that delivered the encryptor by means of a loader packed with a packer-as-a-service (PaaS) called HeartCrypt.
“This loader was deployed alongside a driver signed with a revoked certificate from a Chinese vendor, which we named ABYSSWORKER; it installs the driver on the victim machine and then uses it to target and silence different EDR vendors,” the company said in its report.
The driver in question, “smuol.sys,” mimics the legitimate CrowdStrike Falcon driver (“CSAgent.sys”). Dozens of ABYSSWORKER artifacts were detected on the VirusTotal platform between August 8, 2024 and February 25, 2025. All identified samples were signed with stolen, revoked certificates from Chinese companies.

The fact that the malware is signed gives it a veneer of trust and lets it bypass security systems without attracting attention. It is worth noting that the endpoint detection and response (EDR)-killing driver was previously documented by ConnectWise in January 2025 under the name “nbwdv.sys.”
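The load pattern described above, as an added example that is not code from Elastic or ConnectWise: a triage routine run over constructed driver-load events in the shape of Sysmon Event ID 6 (Driver loaded). It flags a driver carrying one of the file names the article ties to ABYSSWORKER, any signed driver whose signature status is not Valid, and a file named csagent.sys that does not carry a CrowdStrike signature. The paths, signer names and signature-status strings in SAMPLE_EVENTS are placeholders, not real indicators.

```python
"""Added example, not code from Elastic or ConnectWise: triage kernel driver
load events for the pattern the article describes (a known ABYSSWORKER file
name, a signed driver whose certificate is no longer valid, or a file posing
as CrowdStrike's csagent.sys without CrowdStrike's signature).

SAMPLE_EVENTS is constructed data using Sysmon Event ID 6 (Driver loaded)
field names; signer names and paths are placeholders, not real indicators.
"""
import ntpath
from typing import Dict, List

# Driver file names the article associates with the EDR-killing driver
KNOWN_ABYSSWORKER_NAMES = {"smuol.sys", "nbwdv.sys"}

# The legitimate driver ABYSSWORKER mimics, and the signer it should carry
MIMICKED_DRIVER = "csagent.sys"
MIMICKED_SIGNER = "crowdstrike"


def classify_driver_load(event: Dict[str, str]) -> List[str]:
    """Return the reasons this driver load looks like a BYOVD / EDR-killer
    load (empty list when nothing matches)."""
    reasons: List[str] = []
    name = ntpath.basename(event.get("ImageLoaded", "")).lower()
    signed = event.get("Signed", "").lower() == "true"
    status = event.get("SignatureStatus", "").lower()
    signer = event.get("Signature", "").lower()

    if name in KNOWN_ABYSSWORKER_NAMES:
        reasons.append(f"known ABYSSWORKER file name: {name}")
    # A signature that is present but not Valid (e.g. Revoked) is the key
    # signal: the driver still loads, so the log is where it shows up.
    if signed and status != "valid":
        reasons.append(f"signed driver with signature status '{status}'")
    # Name of the CrowdStrike Falcon driver without CrowdStrike as signer
    if name == MIMICKED_DRIVER and MIMICKED_SIGNER not in signer:
        reasons.append("csagent.sys not signed by CrowdStrike")
    return reasons


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious ImageLoaded path to the reasons it was flagged."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        reasons = classify_driver_load(ev)
        if reasons:
            hits[ev["ImageLoaded"]] = reasons
    return hits


# Constructed sample events (Sysmon Event ID 6 field names; placeholder values)
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\CSAgent.sys",
     "Signed": "true", "Signature": "CrowdStrike, Inc.",
     "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\smuol.sys",
     "Signed": "true", "Signature": "Example Technology Co., Ltd.",
     "SignatureStatus": "Revoked"},
    {"ImageLoaded": r"C:\Users\Public\csagent.sys",
     "Signed": "true", "Signature": "Example Software Ltd.",
     "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\vendorfilter.sys",
     "Signed": "true", "Signature": "Example Vendor Inc.",
     "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for path, why in triage(SAMPLE_EVENTS).items():
        print(path)
        for reason in why:
            print("   -", reason)
```

The second rule is the one worth keeping in production: Windows kernel code integrity does not perform certificate revocation checks when loading a driver, which is why drivers signed with revoked certificates still load and why a revoked or invalid status in a driver-load event deserves an alert on its own, independent of any file name.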
Once initialized and launched, ABYSSWORKER adds the process ID to a list of globally protected processes and listens for incoming device I/O control requests, which it dispatches to the appropriate handler based on the I/O control code.
“These handlers cover a wide range of operations, from file manipulation to process and driver termination, providing a comprehensive toolset that can be used to terminate or permanently disable EDR systems,” Elastic said.
A partial list of the I/O control codes is below –
0x222080 – Enable the driver by sending the password “7n6bcaoecbitsur5-h4rp2nkqxybfkb0f-wgbjghgh20pwuun1-zxfxdioyps6htp0x”
0x2220c0 – Load required kernel APIs
0x222184 – Copy file
0x222180 – Delete file
0x222408 – Kill system threads by module name
0x222400 – Remove notification callbacks by module name
0x222144 – Terminate process by its process ID
0x222140 – Terminate thread by its thread ID
0x222084 – Disable malware
0x222664 – Reboot the machine
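To make the list above usable, here is an added example (not code from the Elastic report) that decodes each listed control code into the fields Windows packs into every IOCTL and summarizes the driver's control surface. The bit layout is the documented CTL_CODE layout from wdm.h; the code values and one-line purposes are the ones listed in the article, and nothing else about the driver is assumed.

```python
"""Added example, not code from the Elastic report: decode the ABYSSWORKER
I/O control codes into CTL_CODE fields and summarize the control surface.

Layout of a Windows IOCTL (CTL_CODE macro, wdm.h):
  bits 31..16  DeviceType
  bits 15..14  RequiredAccess (0 FILE_ANY_ACCESS, 1 READ, 2 WRITE)
  bits 13..2   Function number
  bits  1..0   Method (0 BUFFERED, 1 IN_DIRECT, 2 OUT_DIRECT, 3 NEITHER)
"""
from dataclasses import dataclass
from typing import Dict, Iterable

FILE_DEVICE_UNKNOWN = 0x22  # device type most third-party drivers use

METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

# Codes and purposes as listed in the article
ABYSSWORKER_IOCTLS: Dict[int, str] = {
    0x222080: "enable driver (password check)",
    0x2220C0: "load required kernel APIs",
    0x222184: "copy file",
    0x222180: "delete file",
    0x222408: "kill system threads by module name",
    0x222400: "remove notification callbacks by module name",
    0x222144: "terminate process by PID",
    0x222140: "terminate thread by TID",
    0x222084: "disable malware",
    0x222664: "reboot machine",
}


@dataclass(frozen=True)
class IoctlFields:
    device_type: int
    access: int
    function: int
    method: int

    def describe(self) -> str:
        return (f"device=0x{self.device_type:04x} func=0x{self.function:03x} "
                f"{METHOD_NAMES[self.method]} {ACCESS_NAMES[self.access]}")


def decode_ioctl(code: int) -> IoctlFields:
    """Split a 32-bit IOCTL into its CTL_CODE fields."""
    return IoctlFields(
        device_type=(code >> 16) & 0xFFFF,
        access=(code >> 14) & 0x3,
        function=(code >> 2) & 0xFFF,
        method=code & 0x3,
    )


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Pack fields the way the CTL_CODE macro does; inverse of decode_ioctl."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def summarize_surface(codes: Iterable[int]) -> dict:
    """Device types, transfer methods, access bits and function numbers a
    driver exposes. One device type with FILE_ANY_ACCESS on every code means
    any caller able to open the device object reaches every handler; the
    only gate is whatever the handlers themselves check (here, a password)."""
    fields = [decode_ioctl(c) for c in codes]
    return {
        "device_types": sorted({f.device_type for f in fields}),
        "methods": sorted({f.method for f in fields}),
        "access": sorted({f.access for f in fields}),
        "functions": sorted(f.function for f in fields),
    }


def explain(code: int) -> str:
    """One line per code, with the article's purpose when it lists the code."""
    purpose = ABYSSWORKER_IOCTLS.get(code, "not in the article's list")
    return f"0x{code:06x}: {decode_ioctl(code).describe()} -> {purpose}"


if __name__ == "__main__":
    for c in ABYSSWORKER_IOCTLS:
        print(explain(c))
    print(summarize_surface(ABYSSWORKER_IOCTLS))
```

Running it shows that every listed code uses device type 0x22 (FILE_DEVICE_UNKNOWN), METHOD_BUFFERED and FILE_ANY_ACCESS, with function numbers from 0x820 to 0x999; decoding an unexpected code seen in telemetry the same way tells you immediately whether it belongs to this device and which neighbourhood of handlers it targets.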
Of particular interest is 0x222400, which can be used to blind security products by searching for and removing all registered notification callbacks, an approach also adopted by other EDR-killing tools such as EDRSandBlast and RealBlindingEDR.

The findings follow a report on how threat actors are exploiting a legitimate but vulnerable kernel driver associated with Check Point's ZoneAlarm antivirus software to gain privileged access on infected systems.
That privileged access was then abused by the threat actors to establish Remote Desktop Protocol (RDP) connections to the infected systems, facilitating persistent access. The loophole has since been plugged by Check Point.
“As vsdatant.sys operates with high-level kernel privileges, attackers were able to exploit the vulnerability, bypassing security protections and antivirus software, and gain full control of the infected machine,” the company said.

“Once these defenses were bypassed, the attackers had full access to the underlying system and were able to access sensitive information such as user passwords and other stored credentials. This data was then exfiltrated, opening the door for further exploitation.”
The development comes as the RansomHub (aka Greenbottle and Cyclops) ransomware operation has been linked to the use of a previously undocumented multi-function backdoor codenamed Betruger by at least one of its affiliates.
The implant comes with features typically associated with malware deployed as a precursor to ransomware, such as screenshotting, keylogging, network scanning, privilege escalation, credential dumping, and data exfiltration to a remote server.
“The functionality of Betruger indicates that it may have been developed to minimize the number of new tools dropped on a targeted network while a ransomware attack is being prepared,” said Broadcom-owned Symantec, describing it as something of a departure from the other custom tools ransomware groups have developed for data exfiltration.
“The use of custom malware other than encrypting payloads is relatively uncommon in ransomware attacks. Most attackers rely on legitimate tools, living off the land, and publicly available malware such as Mimikatz and Cobalt Strike.”