
Medusa Ransomware Deploys Malicious Driver to Shut Down Security Tools


Medusa Ransomware Uses Malicious Driver to Disable Security Tools 

The Medusa ransomware has been observed deploying a malicious driver, signed by a Chinese vendor, to disable security tools on compromised systems, according to cybersecurity firm Elastic Security Labs.

A Fake CrowdStrike Driver with Stolen Certificates

Identified as smuol.sys, the driver impersonates a legitimate CrowdStrike Falcon driver, is signed with a revoked certificate belonging to a Chinese company, and is protected with VMProtect.

Elastic, which has dubbed the driver AbyssWorker, has analyzed dozens of samples dating from August 2024 to February 2025. All of them were signed with certificates that were likely stolen. The driver includes a number of handlers that rely on kernel APIs to carry out its malicious activities, and Elastic has also published an implementation example demonstrating how these APIs are loaded.

“These certificates are widely known and have been shared across multiple malware samples and campaigns, but they are not exclusive to this driver,” Elastic noted. 

Elastic’s analysis shows that the driver is not uniquely linked to Medusa ransomware. It was previously observed under the name nbwdv.sys in social engineering attacks that resulted in backdoor infections.

To ensure the driver would load successfully, the attackers used a .bat file that disabled the Windows Time Service and set the system date back to 2012, sidestepping the security checks that would otherwise reject a driver signed with an expired certificate. A separate controller binary was used to communicate with the driver.
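The loading sequence just described (Windows Time Service stopped, clock rolled back years, then a driver with a revoked or expired certificate loaded) can be turned into a simple correlation rule for endpoint telemetry. The following is an added example, not code from the article or from Elastic; the event schema, field names and sample events are constructed for illustration.

```python
from datetime import datetime
from typing import Dict, List

# Constructed sample telemetry; the schema (one dict per event, ordered by "seq")
# is an assumption for this example, not a real product's event format.
SAMPLE_EVENTS: List[Dict] = [
    {"seq": 1, "host": "ws01", "type": "service_stop", "service": "W32Time"},
    {"seq": 2, "host": "ws01", "type": "time_change",
     "old": "2025-02-10T09:00:00", "new": "2012-06-01T09:00:00"},
    {"seq": 3, "host": "ws01", "type": "driver_load", "image": "smuol.sys",
     "signer_status": "revoked"},
    # Benign host: routine clock adjustment and a validly signed driver.
    {"seq": 4, "host": "ws02", "type": "time_change",
     "old": "2025-02-10T09:00:00", "new": "2025-02-10T09:00:05"},
    {"seq": 5, "host": "ws02", "type": "driver_load", "image": "example.sys",
     "signer_status": "valid"},
]

UNTRUSTED = {"revoked", "expired", "unsigned"}
ROLLBACK_DAYS = 365  # a clock moved back by more than a year is treated as suspicious


def clock_rolled_back(ev: Dict) -> bool:
    """True when a time_change event moves the clock back by more than ROLLBACK_DAYS."""
    try:
        old = datetime.fromisoformat(ev["old"])
        new = datetime.fromisoformat(ev["new"])
    except (KeyError, ValueError):
        return False
    return (old - new).days > ROLLBACK_DAYS


def correlate(events: List[Dict], window: int = 10) -> List[Dict]:
    """One alert per driver load with an untrusted signature; severity rises when a
    W32Time stop and/or a clock rollback precede it within `window` events on that host."""
    alerts = []
    by_host: Dict[str, List[Dict]] = {}
    for ev in sorted(events, key=lambda e: e["seq"]):
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev["type"] != "driver_load" or ev.get("signer_status") not in UNTRUSTED:
                continue
            recent = evs[max(0, i - window):i]
            stopped = any(e["type"] == "service_stop" and e.get("service", "").lower() == "w32time" for e in recent)
            rolled = any(e["type"] == "time_change" and clock_rolled_back(e) for e in recent)
            severity = ("low", "medium", "high")[int(stopped) + int(rolled)]
            alerts.append({"host": host, "driver": ev["image"], "severity": severity,
                           "w32time_stopped": stopped, "clock_rolled_back": rolled})
    return alerts
```

Running `correlate(SAMPLE_EVENTS)` yields a single high-severity alert for ws01 and nothing for ws02, since a validly signed driver after a five-second clock adjustment matches none of the conditions.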

Elastic’s investigation into AbyssWorker revealed that the driver sets up a self-protection feature upon initialization: it searches other processes for handles to its client process and removes them, so that the client remains undetected.

Once active, the driver can execute a wide range of operations, including: 

  • Process manipulation 
  • File manipulation 
  • Process tampering 
  • API loading 
  • Hook removal 
  • Driver termination 
  • System reboot 

Together these capabilities allow the malware to disable security tools permanently, making it a serious threat to infected systems.
