Medusa Ransomware Exploits Malicious Driver and Stolen Certificates to Disable Security Software
Threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed leveraging a malicious driver known as ABYSSWORKER in a "bring your own vulnerable driver" (BYOVD) attack aimed at disabling anti-malware defenses.

Researchers at Elastic Security Labs identified a Medusa ransomware attack where the encryptor was delivered via a loader packed using a packer-as-a-service (PaaS) called HeartCrypt.
According to their analysis, the loader was deployed alongside ABYSSWORKER, a driver signed with a revoked certificate issued to a Chinese vendor. Once installed on the victim's system, the driver was used to disable endpoint detection and response (EDR) solutions.
The driver, identified as "smuol.sys," imitates a legitimate CrowdStrike Falcon driver ("CSAgent.sys"). Numerous ABYSSWORKER-related artifacts have been found on VirusTotal, with samples dating between August 8, 2024, and February 25, 2025. All identified variants appear to be signed with revoked or stolen certificates from Chinese firms.
Because the driver is signed, it carries an appearance of legitimacy that lets it evade security mechanisms without raising suspicion. Notably, the same EDR-disabling driver was previously reported by ConnectWise in January 2025 under the name "nbwdv.sys."
Once executed, ABYSSWORKER adds the process ID to a list of globally protected processes and listens for incoming device I/O control requests, dispatching each request to a handler selected by its I/O control code.
Researchers at Elastic Security Labs highlighted that these handlers perform various functions, including file operations, process manipulation, and driver termination, enabling attackers to neutralize EDR systems effectively.
Below is a list of notable I/O control codes used by the driver:
- 0x222080 – Activates the driver with a password
- 0x2220c0 – Loads essential kernel APIs
- 0x222184 – Copies a file
- 0x222180 – Deletes a file
- 0x222408 – Terminates system threads by module name
- 0x222400 – Removes notification callbacks by module name
- 0x222144 – Kills processes using their process ID
- 0x222140 – Terminates threads using their thread ID
- 0x222084 – Disables malware
- 0x222664 – Reboots the system
A particularly concerning function is 0x222400, which allows attackers to blind security tools by locating and eliminating all registered notification callbacks. This technique is also seen in other EDR-disabling tools, such as EDRSandBlast and RealBlindingEDR.
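When analysing a driver like this, the raw control codes in the list above are the first thing an analyst decodes: Windows packs the device type, required handle access, function number and buffering method into every IOCTL value using the CTL_CODE layout from ntddk.h, and decoding them tells you how the dispatch routine receives its input buffer and whether any open handle to the device can issue the request. The following decoder is an added example written for this article, not code from Elastic Security Labs or from the malware; it only uses the ten codes quoted above and the public CTL_CODE bit layout, and the handler descriptions are copied from the list rather than recovered from a sample.

```python
# Decode Windows I/O control codes using the CTL_CODE layout from ntddk.h:
#   bits 31..16  DeviceType
#   bits 15..14  RequiredAccess (FILE_ANY_ACCESS=0, FILE_READ_ACCESS=1, FILE_WRITE_ACCESS=2)
#   bits 13..2   Function (0x000-0x7FF reserved for Microsoft, 0x800-0xFFF for third parties)
#   bits  1..0   TransferType (METHOD_BUFFERED=0, METHOD_IN_DIRECT=1, METHOD_OUT_DIRECT=2, METHOD_NEITHER=3)

METHOD_NAMES = {
    0: "METHOD_BUFFERED",
    1: "METHOD_IN_DIRECT",
    2: "METHOD_OUT_DIRECT",
    3: "METHOD_NEITHER",
}
ACCESS_NAMES = {
    0: "FILE_ANY_ACCESS",
    1: "FILE_READ_ACCESS",
    2: "FILE_WRITE_ACCESS",
    3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS",
}
# Only the device type that matters here is named; 0x22 is FILE_DEVICE_UNKNOWN,
# the value most custom (non-class) drivers use in their CTL_CODE definitions.
DEVICE_TYPE_NAMES = {0x22: "FILE_DEVICE_UNKNOWN"}

# The control codes and handler descriptions reported for ABYSSWORKER (from the article's list).
ABYSSWORKER_IOCTLS = {
    0x222080: "activate driver with password",
    0x2220C0: "load kernel APIs",
    0x222184: "copy file",
    0x222180: "delete file",
    0x222408: "terminate system threads by module name",
    0x222400: "remove notification callbacks by module name",
    0x222144: "kill process by PID",
    0x222140: "terminate thread by TID",
    0x222084: "disable malware",
    0x222664: "reboot system",
}


def ctl_code(device_type, function, method, access):
    """Re-create the CTL_CODE macro so decoded values can be round-tripped."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split an IOCTL value into its four CTL_CODE fields plus human-readable names."""
    device_type = (code >> 16) & 0xFFFF
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    return {
        "code": code,
        "device_type": device_type,
        "device_type_name": DEVICE_TYPE_NAMES.get(device_type, "0x%04x" % device_type),
        "access": ACCESS_NAMES[access],
        "function": function,
        # Third-party drivers are expected to define functions at or above 0x800.
        "vendor_defined": function >= 0x800,
        "method": METHOD_NAMES[method],
    }


def shared_profile(codes):
    """Return the (device type, access, method) triple if every code shares one, else None.

    A single profile across all handlers is what you see when one driver defines
    all of its IOCTLs with the same CTL_CODE prefix; FILE_ANY_ACCESS means the
    I/O manager will pass the request through for any handle to the device,
    regardless of the access the caller asked for when opening it.
    """
    profiles = {
        (d["device_type_name"], d["access"], d["method"])
        for d in (decode_ioctl(c) for c in codes)
    }
    return profiles.pop() if len(profiles) == 1 else None


def describe_all(table=ABYSSWORKER_IOCTLS):
    """Decode every code in the table; returned rows are ordered by function number."""
    rows = [dict(decode_ioctl(c), handler=desc) for c, desc in table.items()]
    return sorted(rows, key=lambda r: r["function"])


if __name__ == "__main__":
    for row in describe_all():
        print("0x%08x  fn=0x%03x  %-16s  %-16s  %s"
              % (row["code"], row["function"], row["access"], row["method"], row["handler"]))
    print("shared profile:", shared_profile(ABYSSWORKER_IOCTLS))
```

Running it shows every ABYSSWORKER control code decodes to FILE_DEVICE_UNKNOWN, FILE_ANY_ACCESS and METHOD_BUFFERED with a vendor-range function number, so the input for each handler (including the password for 0x222080 and the module name for the callback-removal handler at 0x222400) arrives in the IRP's SystemBuffer, which is where a detection engineer or reverse engineer would look next.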
These findings come after a report from Venak Security revealed that threat actors are exploiting a legitimate but vulnerable kernel driver linked to Check Point's ZoneAlarm antivirus software. This technique, part of a bring your own vulnerable driver (BYOVD) attack, is used to escalate privileges and disable Windows security features, including Memory Integrity.
Once they obtained elevated access, the attackers leveraged it to establish a Remote Desktop Protocol (RDP) connection to compromised systems, ensuring persistent access. Check Point has since patched this vulnerability.
Because vsdatant.sys runs with kernel privileges, exploiting its weaknesses let the attackers bypass security defenses and take full control of infected machines. With those defenses down, they harvested sensitive data such as user passwords and stored credentials, then exfiltrated it, creating opportunities for further exploitation.
Check Point Software clarified to The Hacker News that the vulnerable driver is outdated and no longer actively used, emphasizing the importance of keeping software updated.
"The driver identified by Venak Security (vsdatant.sys, version 14.1.32.0) is obsolete and has been replaced in newer versions of our products," the company stated. "Users who have updated to the latest versions of ZoneAlarm or Harmony Endpoint are not affected, as these versions contain improved drivers that resolve this issue."
Check Point further assured that thorough reviews confirm that versions released over the past eight years are not vulnerable to this exploit. To maintain security, the company advises users to ensure they are running the latest versions of ZoneAlarm or Harmony Endpoint, which include enhanced protections against BYOVD-style attacks.
Meanwhile, researchers have linked the RansomHub ransomware operation—also known as Greenbottle and Cyclops—to the use of a previously undocumented multi-function backdoor called Betruger, deployed by at least one of its affiliates.
Betruger is equipped with capabilities commonly seen in malware used as a precursor to ransomware attacks. These include screenshot capturing, keylogging, network scanning, privilege escalation, credential theft, and data exfiltration to a remote server.
According to Symantec, a Broadcom-owned cybersecurity firm, Betruger appears to be designed to reduce the need for additional tools during a ransomware attack. This marks a shift from the traditional approach where ransomware groups deploy separate custom tools for data exfiltration.
"The use of proprietary malware beyond encryption payloads is somewhat uncommon in ransomware attacks," Symantec noted. "Most threat actors prefer using legitimate system tools, publicly available malware like Mimikatz and Cobalt Strike, or a combination of both."