Medusa Ransomware Uses Malicious Driver to Disable Security Tools

The Medusa ransomware relies on a malicious Windows driver to disable the security tools running on the infected systems.

The Medusa ransomware deploys a malicious driver from a Chinese vendor and uses it to disable the security tools running on the infected systems, cybersecurity firm Elastic Security Labs reports.

Named smuol.sys, the driver masquerades as a legitimate CrowdStrike Falcon driver, is signed with a revoked certificate from a Chinese company, and is protected using VMProtect.

Elastic, which named the driver AbyssWorker, has identified dozens of samples dated August 2024 to February 2025, all signed, likely using stolen certificates.

“These certificates are widely known and shared across different malware samples and campaigns but are not specific to this driver,” Elastic notes.

The driver itself, the cybersecurity firm notes, is not exclusive to Medusa ransomware: it was previously observed under the name nbwdv.sys in social engineering attacks that led to backdoor infections.

The driver was signed with an expired certificate, so to ensure it would still load, the attackers used a .bat file to disable the Windows Time Service and set the system date to 2012. A controller binary was used to communicate with the driver.

Elastic’s analysis of AbyssWorker revealed that the driver sets up a self-protection feature during initialization: it searches other processes for handles to its client process and strips them.

Once up and running, the driver can perform requests for a broad range of operations, including process manipulation, file manipulation, process tampering, API loading, hook removal, driver termination, and system reboot, which enables it to terminate and permanently disable security tools.

AbyssWorker, Elastic explains, contains various handlers that rely on kernel APIs to perform malicious operations. The cybersecurity firm has created an implementation example that can load the driver’s APIs.
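The indicators the article describes (a driver named smuol.sys or nbwdv.sys, a file that claims to be a CrowdStrike component but is signed by someone else with a revoked or expired certificate, the Windows Time Service being stopped, and the clock being rolled back to 2012) can be turned into endpoint triage logic. The following Python is an added example, not code from Elastic or SecurityWeek; the normalised event schema, host names, the benign driver name and the signer string are constructed assumptions.

```python
import datetime as dt

# Driver file names the article associates with AbyssWorker.
ABYSSWORKER_NAMES = {"smuol.sys", "nbwdv.sys"}
# Service name of the Windows Time Service.
TIME_SERVICE = "w32time"


def driver_findings(ev):
    """Flag a driver-load record that impersonates a security vendor or carries an invalid signature."""
    out = []
    name = ev["image"].rsplit("\\", 1)[-1].lower()
    if name in ABYSSWORKER_NAMES:
        out.append(f"known AbyssWorker file name: {name}")
    desc, signer = ev.get("description", "").lower(), ev.get("signer", "").lower()
    if "crowdstrike" in desc and "crowdstrike" not in signer:
        out.append("claims to be a CrowdStrike driver but signer does not match")
    if ev["signature_status"].lower() in {"revoked", "expired", "unsigned"}:
        out.append(f"driver signature {ev['signature_status'].lower()}")
    return out


def time_change_findings(ev):
    """Flag a system clock change that rolls time back by more than a year (the 'set date to 2012' trick)."""
    rollback = ev["old_time"] - ev["new_time"]
    return [f"clock rolled back {rollback.days} days"] if rollback > dt.timedelta(days=365) else []


def service_findings(ev):
    """Flag the Windows Time Service being stopped, which precedes the clock rollback."""
    if ev["service"].lower() == TIME_SERVICE and ev["action"].lower() == "stop":
        return ["Windows Time Service stopped"]
    return []


HANDLERS = {"driver_load": driver_findings, "time_change": time_change_findings,
            "service_control": service_findings}


def triage(events):
    """Return {host: [findings]} for every host that shows at least one indicator."""
    result = {}
    for ev in events:
        for finding in HANDLERS[ev["type"]](ev):
            result.setdefault(ev["host"], []).append(finding)
    return result


# Constructed sample events: ws-01 shows the full chain, ws-02 loads a legitimately signed driver.
SAMPLE_EVENTS = [
    {"type": "service_control", "host": "ws-01", "service": "W32Time", "action": "stop"},
    {"type": "time_change", "host": "ws-01", "old_time": dt.datetime(2025, 2, 10, 9, 0),
     "new_time": dt.datetime(2012, 6, 1, 9, 0)},
    {"type": "driver_load", "host": "ws-01", "image": r"C:\Windows\System32\drivers\smuol.sys",
     "description": "CrowdStrike Falcon Sensor", "signer": "Example Co Ltd", "signature_status": "revoked"},
    {"type": "driver_load", "host": "ws-02", "image": r"C:\Windows\System32\drivers\falcon_example.sys",
     "description": "CrowdStrike Falcon Sensor", "signer": "CrowdStrike, Inc.", "signature_status": "valid"},
]
```

Running `triage(SAMPLE_EVENTS)` reports five findings for ws-01 and nothing for ws-02; in practice the three event types would come from driver-load, service-control and system-time-change telemetry on the endpoint.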

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.