March 24, 2025 By Pierluigi Paganini
Medusa ransomware uses a malicious Windows driver ABYSSWORKER to disable security tools, making detection and mitigation more difficult.
Elastic Security Labs tracked a financially motivated MEDUSA ransomware campaign that delivers, through a HEARTCRYPT-packed loader, a driver signed with a revoked certificate, ABYSSWORKER, which the operators use to disable EDR tools.
ABYSSWORKER is a 64-bit Windows PE driver named smuol.sys that poses as a CrowdStrike Falcon driver; it is protected with VMProtect and signed with a revoked certificate issued to a Chinese company. Elastic researchers found dozens of samples dated between August 2024 and February 2025, all likely signed with stolen certificates. Revocation alone does not keep such a driver out of the kernel: Windows does not perform certificate revocation checks when enforcing kernel-mode code signing, so a revoked but otherwise valid signature still loads unless the driver or its certificate is blocked by Microsoft's vulnerable driver blocklist or by local policy.
“All samples are signed using likely stolen, revoked certificates from Chinese companies. These certificates are widely known and shared across different malware samples and campaigns but are not specific to this driver,” reads the report published by Elastic.

To hinder static analysis, ABYSSWORKER uses functions that always return the same value; their results are passed through derivation functions and feed opaque predicates, conditions whose outcome is fixed but that look data-dependent to a reader of the disassembly. The researchers pointed out that because only three such functions exist and they are not used in the predicates themselves, the obfuscation is ineffective and easy to identify: a constant-return helper is a single immediate load followed by a return, and once its value is recorded every condition built on it folds to a fixed branch.
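To make that concrete, here is an added illustration, written for this article rather than taken from the driver or from Elastic's report, of an opaque predicate built on a constant-return helper and of why an analyst can fold it away. The helper names, constant values, derivation steps and the `guarded` function are all hypothetical; only the pattern (constant helper, derivation, comparison, dead branch) follows the technique described above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Obfuscator's side. The report says ABYSSWORKER has only three helpers that
 * always return the same value; the names and values below are invented. */
static uint32_t const_a(void) { return 0x1A2B3C4Du; }
static uint32_t const_b(void) { return 0x00C0FFEEu; }
static uint32_t const_c(void) { return 0xDEADBEEFu; }

/* The "derivation" between the helper call and the compare, modelled as a
 * small op list so the analyst side below can replay it exactly. */
enum op { XOR_IMM, ROL_IMM, ADD_IMM };
struct step { enum op op; uint32_t imm; };

static uint32_t rol32(uint32_t v, unsigned n)
{
    n &= 31;
    return n ? (v << n) | (v >> (32 - n)) : v;
}

static uint32_t derive(uint32_t v, const struct step *s, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        switch (s[i].op) {
        case XOR_IMM: v ^= s[i].imm; break;
        case ROL_IMM: v = rol32(v, s[i].imm); break;
        case ADD_IMM: v += s[i].imm; break;
        }
    }
    return v;
}

/* One planted predicate: derive(const_a()) is compared with a value the
 * obfuscator precomputed so that the comparison is always true. */
static const struct step PRED1[] = {
    { XOR_IMM, 0x5A5A5A5Au }, { ROL_IMM, 8 }, { ADD_IMM, 0x01020304u }
};
#define PRED1_N (sizeof PRED1 / sizeof PRED1[0])
#define PRED1_TRUE 0x72681A44u   /* 0x1A2B3C4D ^ 0x5A5A5A5A, rol 8, + 0x01020304 */

static int real_work(int x) { return x * 2; }
static int decoy(int x)     { return x - 1000; }  /* unreachable by construction */

/* The obfuscated control flow as it would appear in the binary: the branch
 * looks like a runtime check but the decoy path can never execute. */
static int guarded(int x)
{
    if (derive(const_a(), PRED1, PRED1_N) == PRED1_TRUE)
        return real_work(x);
    return decoy(x);
}

/* Analyst's side. A constant-return helper is a single "load immediate,
 * return" in the disassembly; once its value is recorded, every predicate fed
 * by it folds to a fixed outcome: 1 = branch always taken, 0 = never taken. */
static int fold_predicate(uint32_t helper_value, const struct step *s,
                          size_t n, uint32_t cmp)
{
    return derive(helper_value, s, n) == cmp;
}

int main(void)
{
    uint32_t (*helpers[])(void) = { const_a, const_b, const_c };
    const char *names[] = { "const_a", "const_b", "const_c" };
    for (size_t i = 0; i < 3; i++)
        printf("%s -> PRED1 %s\n", names[i],
               fold_predicate(helpers[i](), PRED1, PRED1_N, PRED1_TRUE)
                   ? "always true" : "always false");
    printf("guarded(21) = %d\n", guarded(21));
    return 0;
}
```

With only three constant helpers to record, an analyst resolves every predicate in the driver with three table lookups and marks the decoy branches dead; an opaque predicate only resists static analysis when its inputs are values the analyzer genuinely cannot know ahead of execution.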