On March 21, 2025, Elastic Security Labs discovered that threat actors associated with the Medusa ransomware-as-a-service (RaaS) operation were using a malicious driver called ABYSSWORKER in a bring your own vulnerable driver (BYOVD) attack. This attack was specifically designed to disable anti-malware tools. The encryptor was delivered through a loader packed using a packer-as-a-service (PaaS) known as HeartCrypt.
The ABYSSWORKER driver, named “smuol.sys,” was found to mimic a legitimate CrowdStrike Falcon driver. It was signed using likely stolen, revoked certificates from Chinese companies. This allowed the malware to bypass security systems without raising any alarms. The driver was previously documented by ConnectWise in January 2025 as “nbwdv.sys.”
Once ABYSSWORKER is initialized, it adds the process ID to a list of globally protected processes and listens for incoming device I/O control requests. These requests are then dispatched to the appropriate handlers based on the I/O control code, enabling the tool to terminate or disable endpoint detection and response (EDR) systems.
Of particular interest is the ability of ABYSSWORKER to blind security products by removing registered notification callbacks. This technique has also been observed in other EDR-killing tools like EDRSandBlast and RealBlindingEDR. The findings align with a report from Venak Security about threat actors exploiting a vulnerable kernel driver associated with Check Point’s ZoneAlarm antivirus software in a BYOVD attack to gain elevated privileges.
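From the detection side, the following Python is an added example written for this page (not Elastic's or any vendor's published tooling): it flags kernel driver-load records whose file name matches one of the two names the report attributes to ABYSSWORKER, or whose signature status is anything but valid, which is the condition a revoked-certificate driver produces. It assumes Sysmon Event ID 6 (DriverLoad) fields flattened to key=value text; the sample records and signer names are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Driver file names the report attributes to ABYSSWORKER.
ABYSSWORKER_NAMES = {"smuol.sys", "nbwdv.sys"}
# Sysmon Event ID 6 carries SignatureStatus; a kernel driver loading with
# anything other than a valid signature warrants review (revoked certs here).
BAD_STATUS = {"revoked", "expired", "unsigned", "invalid"}
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class Finding:
    image: str
    reasons: list = field(default_factory=list)

def parse_event(line):
    """Parse one flattened key=value DriverLoad record into a dict."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def assess(event):
    """Return a Finding when the driver load matches a known indicator, else None."""
    image = event.get("ImageLoaded", "")
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    status = event.get("SignatureStatus", "")
    reasons = []
    if name in ABYSSWORKER_NAMES:
        reasons.append(f"file name {name} matches reported ABYSSWORKER driver")
    if status.lower() in BAD_STATUS:
        reasons.append(f"driver loaded with SignatureStatus={status}")
    return Finding(image, reasons) if reasons else None

def scan(lines):
    """Assess every record and return the findings in input order."""
    return [f for f in (assess(parse_event(line)) for line in lines) if f]

# Constructed sample records (signer names are placeholders, not real signers).
SAMPLE_EVENTS = [
    r'ImageLoaded=C:\Windows\System32\drivers\smuol.sys Signed=true Signature="Placeholder Signer Co" SignatureStatus=Revoked',
    r'ImageLoaded=C:\Windows\System32\drivers\nbwdv.sys Signed=true Signature="Placeholder Signer Co" SignatureStatus=Valid',
    r'ImageLoaded=C:\Windows\System32\drivers\tcpip.sys Signed=true Signature="Microsoft Windows" SignatureStatus=Valid',
    r'ImageLoaded=C:\Temp\update.sys Signed=true Signature="Another Placeholder" SignatureStatus=Expired',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.image, "->", "; ".join(finding.reasons))
```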
The use of custom malware like ABYSSWORKER and Betruger by ransomware groups points to a shift in tactics. These tools allow threat actors to bypass security measures and gain full control of infected systems, facilitating data exfiltration and further exploitation. The cybersecurity landscape continues to evolve, emphasizing the importance of robust security measures to protect against increasingly sophisticated threats.