Elastic Security Labs has observed a financially motivated campaign delivering Medusa ransomware via a HEARTCRYPT-packed loader.
This loader is deployed alongside a driver, signed with a revoked certificate from a Chinese vendor, which Elastic has named ABYSSWORKER. Once installed on the victim’s machine, the driver is used to disable various EDR solutions.
This EDR-disrupting driver was previously reported by ConnectWise in a separate campaign, where it utilized a different certificate and IO control codes, and some of its functionalities were analyzed at that time.
According to Elastic Security Labs, “Cybercriminals are increasingly bringing their own drivers — either exploiting a vulnerable legitimate driver or using a custom-built driver to disable endpoint detection and response (EDR) systems and evade detection or prevention capabilities.”
How it Works
ABYSSWORKER, masquerading as a legitimate CrowdStrike Falcon driver, is a 64-bit Windows PE file named smuol.sys. Notably, it is signed with likely stolen, revoked certificates from several Chinese companies.
The driver uses obfuscation techniques, such as functions that consistently return the same value, to hinder static analysis. Upon initialization, it creates a device at \\device\\czx9umpTReqbOOKF with a symbolic link \\??\\fqg0Et4KlNt4s1JT, and registers callbacks for its major functions.
When the driver device is opened, the IRP_MJ_CREATE callback adds the process ID (PID) to a protection list and removes any existing handles to the target process from other running processes. This is achieved by iterating over existing processes and their handles and stripping access rights where matches are found.
The driver registers a PsSetCreateProcessNotifyRoutineEx callback to monitor process creation, too. If a process matches a target in its list, the driver attempts to terminate it by opening a handle with PROCESS_TERMINATE rights and calling ZwTerminateProcess.
Also, it registers a PsSetLoadImageNotifyRoutine callback to monitor image loading. If a loaded image matches a target in its list, the driver attempts to unload it by locating the corresponding LDR_DATA_TABLE_ENTRY and removing it from the module list.
The driver also registers an ObRegisterCallbacks routine to protect the client process by preventing handle creation or duplication with specific access rights, such as PROCESS_TERMINATE, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, and PROCESS_SUSPEND_RESUME.
Elastic Security has created the following YARA rules related to its report.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.