
MEDUSA Ransomware Leverages ABYSSWORKER Driver to Evade EDR Defenses


Cybercriminals have been using a malicious kernel driver, tracked as ABYSSWORKER, to evade endpoint detection and response (EDR) products.

The driver is one component of a financially motivated campaign that deploys MEDUSA ransomware; the intrusion chain delivers it through a loader packed with HEARTCRYPT.

ABYSSWORKER is signed with certificates that were most likely stolen from Chinese companies and have since been revoked. Its purpose is to blind EDR products: it targets the kernel components of a range of EDR vendors and silences them, which is why the ransomware can run afterwards without being detected or stopped.
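A driver signed with a revoked certificate still loads on Windows, because kernel-mode code signing does not refuse a driver merely because its certificate was revoked after signing; that is exactly why revoked certificates are attractive to attackers. The one place a defender does get to see the signer and the signature status is the driver-load telemetry. The following added example (not code from the page or from the report) triages Sysmon Event ID 6 (DriverLoad) records: it flags any driver whose SignatureStatus is anything other than Valid, and any signed driver whose signer is not on a fleet allow-list. The sample events, paths, signer names and the allow-list are constructed assumptions for illustration.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for kernel drivers whose Authenticode
signature is not reported as Valid, or whose signer is not one the fleet expects."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: the signers this (hypothetical) fleet allows to load kernel drivers.
# Tune to your own environment; the allow-list is what turns "signed by a company
# nobody has heard of" into an alert instead of noise.
EXPECTED_SIGNERS = {"Microsoft Windows", "CrowdStrike, Inc."}

# Constructed sample events in Sysmon's DriverLoad schema. Paths, signer names,
# timestamps and statuses are illustrative and were not taken from a real host.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6</EventID></System>
  <EventData>
    <Data Name="UtcTime">2025-03-20 10:00:01.000</Data>
    <Data Name="ImageLoaded">C:\Windows\System32\drivers\WdFilter.sys</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">Microsoft Windows</Data>
    <Data Name="SignatureStatus">Valid</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6</EventID></System>
  <EventData>
    <Data Name="UtcTime">2025-03-20 10:02:17.000</Data>
    <Data Name="ImageLoaded">C:\Users\Public\lookalike.sys</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">Example Trading Co., Ltd</Data>
    <Data Name="SignatureStatus">Revoked</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6</EventID></System>
  <EventData>
    <Data Name="UtcTime">2025-03-20 10:05:44.000</Data>
    <Data Name="ImageLoaded">C:\Windows\System32\drivers\vendorfoo.sys</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">Example Hardware Vendor Inc.</Data>
    <Data Name="SignatureStatus">Valid</Data>
  </EventData>
</Event>
</Events>"""


def triage_driver_load(data: Dict[str, str]) -> List[str]:
    """Return the reasons a single DriverLoad record deserves a look (empty if none)."""
    reasons = []
    signed = data.get("Signed", "").lower() == "true"
    status = data.get("SignatureStatus", "")
    signer = data.get("Signature", "")
    if not signed:
        reasons.append("driver is unsigned")
    elif status != "Valid":
        # Revoked, Expired, Unavailable ... all of these still load; Windows does not
        # refuse a kernel driver because its certificate has since been revoked.
        reasons.append(f"signature status {status!r}")
    if signed and signer not in EXPECTED_SIGNERS:
        reasons.append(f"unexpected signer {signer!r}")
    return reasons


def triage_events(xml_text: str) -> List[Tuple[str, List[str]]]:
    """Parse a Sysmon export and return (image path, reasons) for every flagged driver."""
    root = ET.fromstring(xml_text)
    flagged = []
    for event in root.findall("e:Event", NS):
        if event.findtext("e:System/e:EventID", namespaces=NS) != "6":
            continue
        data = {d.get("Name", ""): (d.text or "")
                for d in event.findall("e:EventData/e:Data", NS)}
        reasons = triage_driver_load(data)
        if reasons:
            flagged.append((data.get("ImageLoaded", "?"), reasons))
    return flagged


if __name__ == "__main__":
    for image, reasons in triage_events(SAMPLE_EVENTS):
        print(f"{image}: {'; '.join(reasons)}")
```

Run against the constructed sample, the Defender driver passes, the revoked-certificate driver is flagged twice (status and signer), and the validly signed driver from an unknown vendor is flagged once. That last case is the trade-off of an allow-list: it is noisy until tuned, but it is also the only rule here that would catch a driver whose stolen certificate has not yet been revoked.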

Technical Analysis of ABYSSWORKER

The ABYSSWORKER driver masquerades as a legitimate CrowdStrike Falcon driver. On load it creates a device object and a symbolic link to it, which is how its user-mode client reaches it.

It then registers callbacks that intercept attempts to open handles to its client processes; for a protected process the requested access is denied, so other processes, EDR agents included, cannot obtain a usable handle to the malware.

According to the report from Elastic Security Labs, the driver's obfuscation relies on opaque predicates and derivation functions. The report judges this weak rather than sophisticated: the predicates follow a recognizable pattern and can be identified and stripped during analysis.

Upon initialization, ABYSSWORKER resolves pointers to the kernel modules it needs and sets up its process-protection features.

Figure: ABYSSWORKER driver PE header description

The driver also exposes a range of DeviceIoControl (IOCTL) handlers to its client, enabling operations such as file manipulation, process termination, and disabling of other drivers.

Notably, these handlers are gated: the client must first send a hardcoded password in an IOCTL request, and until the driver has received it the rest of its functionality is not enabled.

Once enabled, a further request instructs the driver to resolve the kernel APIs its operations depend on, either the full set or a partial one, depending on the value the client supplies.

Evasion Techniques and Impact

ABYSSWORKER employs several techniques to blind EDR products rather than simply killing them.

It can remove the notification callbacks that EDRs register to observe process, thread and image activity; detach the minifilter instances that EDRs attach through FltMgr.sys, so the filter no longer sees file I/O; and replace the major functions (IRP dispatch routines) of targeted drivers with dummy functions, leaving the driver loaded but inert.

Additionally, it can terminate system threads and processes by brute-forcing their IDs and using asynchronous procedure calls (APCs) to force the termination from kernel context.

Together, these capabilities disable EDR protection on the host without necessarily unloading anything, which makes the MEDUSA ransomware that follows hard for security tools to detect or respond to.

Drivers of this kind are not new, but they remain effective because Windows loads a kernel driver signed with a revoked certificate unless that driver or certificate is on the Microsoft vulnerable driver blocklist, and because a blinded EDR cannot report its own blinding. The practical countermeasures are therefore external to the agent: enforce the vulnerable driver blocklist (HVCI or WDAC), restrict which signers may load kernel drivers, monitor driver-load telemetry for revoked or unexpected signers, and treat a sensor that suddenly goes quiet on a host as an incident rather than a health issue.

Security teams should also baseline the minifilters and kernel callbacks their EDR normally has in place, so that a filter losing its instances or a callback disappearing stands out.
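Of the evasions listed above, the minifilter detach is the one that leaves an externally observable trace: the EDR's filter stays registered but has no instances attached, which `fltmc filters` shows as an instance count that dropped to zero. The following added example (not code from the page or the report) parses two snapshots of `fltmc filters` output and reports monitored filters that vanished or lost instances. Both snapshots are constructed; WdFilter is Microsoft Defender's real filter name, while ExampleEdrFlt and all counts are illustrative assumptions.

```python
"""Detect an EDR minifilter being detached by diffing two `fltmc filters` snapshots."""
from typing import Dict, List, Set, Tuple

# Constructed snapshots in the layout `fltmc filters` prints: filter name, number of
# attached instances, altitude, frame. WdFilter is Microsoft Defender's real filter name;
# the other names and all counts are illustrative, not captured from a live host.
BASELINE = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
WdFilter                                4       328010         0
ExampleEdrFlt                           4       321000         0
storqosflt                              0       244000         0
FileInfo                                4        40500         0
"""

# The same host after a driver has torn down the EDR filter's instances: the filter is
# still registered, but nothing is attached, so it no longer sees any file I/O.
AFTER_ATTACK = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
bindflt                                 1       409800         0
WdFilter                                4       328010         0
ExampleEdrFlt                           0       321000         0
storqosflt                              0       244000         0
FileInfo                                4        40500         0
"""


def parse_fltmc_filters(text: str) -> Dict[str, Tuple[int, str, int]]:
    """Map filter name -> (instances, altitude, frame); header and rule lines are skipped."""
    filters = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            instances, frame = int(parts[-3]), int(parts[-1])
        except ValueError:
            continue  # the "Num Instances" header and the dashed rule line
        filters[" ".join(parts[:-3])] = (instances, parts[-2], frame)
    return filters


def detect_detached_filters(baseline: Dict[str, Tuple[int, str, int]],
                            current: Dict[str, Tuple[int, str, int]],
                            monitored: Set[str]) -> List[Tuple[str, str]]:
    """Report monitored filters that vanished or lost instances since the baseline.

    A baseline is required: some legitimate filters (storqosflt above) idle at zero
    instances, so "zero instances" alone is not a signal; a drop for a filter that
    should always be attached is.
    """
    findings = []
    for name in sorted(monitored):
        if name not in current:
            findings.append((name, "filter no longer registered"))
            continue
        before = baseline.get(name, (0, "", 0))[0]
        after = current[name][0]
        if after < before:
            findings.append((name, f"instances dropped from {before} to {after}"))
    return findings


if __name__ == "__main__":
    alerts = detect_detached_filters(parse_fltmc_filters(BASELINE),
                                     parse_fltmc_filters(AFTER_ATTACK),
                                     {"WdFilter", "ExampleEdrFlt"})
    for name, why in alerts:
        print(f"ALERT {name}: {why}")
```

Two caveats apply in practice. The "no longer registered" branch matters because a driver can unregister the filter outright instead of detaching its instances. And a driver running in the kernel can in principle tamper with what the host reports, so the comparison is most trustworthy when the baseline and the check are driven from a management system rather than from the host alone.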

