The MEDUSA ransomware operation has been observed leveraging a sophisticated malicious driver called ABYSSWORKER to disable endpoint detection and response (EDR) systems. The malware masquerades as a legitimate CrowdStrike Falcon driver, using company names, file descriptions, and other metadata to appear authentic. Elastic Security Labs analysts noted that this driver is specifically designed to target and silence different EDR vendors, effectively removing a critical layer of defense against ransomware attacks.

The ABYSSWORKER driver is deployed alongside a HEARTCRYPT-packed loader as part of the MEDUSA ransomware attack chain. According to the analysis, the driver’s PE header shows properties like “CrowdStrike, Inc.” as the company name and “CrowdStrike Falcon Sensor Driver” as the file description, creating a convincing disguise.

One particularly troubling aspect of the ABYSSWORKER driver is that it’s signed using revoked certificates from Chinese vendors, which helps it bypass security controls that verify driver signatures. These certificates include fingerprints from companies such as “Foshan Gaoming Kedeyu Insulation Materials Co., Ltd” and “Fuzhou Dingxin Trade Co., Ltd,” among others.

When deployed, ABYSSWORKER establishes a device object and symbolic link for communication with its client process. To communicate with its client, the driver implements various DeviceIoControl handlers with specific IO control codes. The driver also uses a sophisticated client protection mechanism that adds the client process ID to a protection list and strips access rights from any existing handles to the client process; this mechanism prevents other processes from accessing or terminating the malware client.

Perhaps most concerning, the driver can eliminate EDR protections by removing notification callbacks used by security products and replacing driver major functions with dummy implementations. It can also kill system threads belonging to security software and detach MiniFilter devices that might be monitoring file system activity. This dangerous capability allows the ransomware to operate undetected, significantly increasing the threat to organizations’ security infrastructure.

Elastic Security Labs has released YARA rules for detecting this threat, providing organizations with a means to identify this dangerous component of the MEDUSA ransomware toolkit.
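The two signals the article describes, a driver whose version metadata claims a well-known security vendor and a signature that does not hold up, can both be checked from a defender's side. The following PowerShell is an added triage example written for this page; it is not code from the article, from Elastic Security Labs, or from CrowdStrike. It assumes an elevated PowerShell session on a Windows host, and it treats a driver as suspicious when its CompanyName or FileDescription names a vendor (by default "CrowdStrike", the vendor the article says is being impersonated) that does not appear in the Authenticode signer's subject, or when the signature status is anything other than Valid. The function name and parameter are assumptions of this example.

```powershell
# Added example (not from the article or Elastic Security Labs): triage check for
# loaded drivers whose version metadata claims a vendor that the Authenticode
# signer does not match, or whose signature does not validate.
# Assumes a Windows host and an elevated PowerShell session.

function Get-SuspiciousDriverSignature {
    [CmdletBinding()]
    param(
        # Vendor strings to look for in version metadata. 'CrowdStrike' is the
        # vendor the article describes being spoofed; extend the list as needed.
        [string[]]$ClaimedVendors = @('CrowdStrike')
    )

    # Enumerate driver binaries registered with the service control manager and
    # normalise the image path (it may be quoted or use \??\ or \SystemRoot\ prefixes).
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $p = $_.PathName.Trim('"')
            $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            [pscustomobject]@{ Name = $_.Name; State = $_.State; Path = $p }
        }

    foreach ($d in $drivers) {
        if (-not (Test-Path -LiteralPath $d.Path)) { continue }

        $vi     = (Get-Item -LiteralPath $d.Path).VersionInfo
        $sig    = Get-AuthenticodeSignature -FilePath $d.Path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # WHQL-signed drivers legitimately carry a Microsoft signer rather than the
        # vendor named in their metadata, so the vendor-mismatch rule skips them.
        $whql = $signer -like '*Microsoft Windows Hardware Compatibility Publisher*'

        $reasons = @()

        # Signature does not validate (unsigned, tampered, or an untrusted chain).
        if ($sig.Status -ne 'Valid') { $reasons += "SignatureStatus=$($sig.Status)" }

        # Version metadata names a vendor that the signer's subject does not contain.
        foreach ($v in $ClaimedVendors) {
            $claims = ($vi.CompanyName -like "*$v*") -or ($vi.FileDescription -like "*$v*")
            if ($claims -and -not $whql -and ($signer -notlike "*$v*")) {
                $reasons += "MetadataClaims=$v; Signer=$signer"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Driver          = $d.Name
                State           = $d.State
                Path            = $d.Path
                CompanyName     = $vi.CompanyName
                FileDescription = $vi.FileDescription
                SignerSubject   = $signer
                Reasons         = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousDriverSignature | Format-List
```

Treat hits as leads for triage rather than verdicts: the vendor-mismatch rule is the stronger signal, since a revoked certificate may or may not be reported as a non-Valid status depending on the host's revocation checking, and a driver signed before a certificate's revocation can still load. Hits should be followed up with the Elastic YARA rules the article mentions and with a look at what the driver registered (device objects, symbolic links, and whether EDR callbacks or minifilters disappeared while it was loaded).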
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 21 Mar 2025 10:00:18 +0000