Shedding light on the ABYSSWORKER driver

March 20, 2025, 4:13 p.m.

Description

The ABYSSWORKER driver is a malicious kernel driver used alongside MEDUSA ransomware to disable anti-malware systems. It is delivered by a HEARTCRYPT-packed loader, and the driver itself is signed with a revoked certificate; its purpose is to target and silence EDR vendors' products. The driver imitates a legitimate CrowdStrike Falcon driver and uses obfuscation techniques to hinder analysis. It provides a range of functionality, including file manipulation, process and driver termination, and disabling of EDR systems. Its capabilities include removing callbacks, replacing driver functions, killing system threads, and detaching mini-filter devices. It uses unconventional methods, such as constructing IRPs from scratch, to perform file operations. The driver's sophisticated approach demonstrates the evolving tactics cybercriminals use to evade detection and disable security measures.

Date

  • Created: March 20, 2025, 3:17 p.m.
  • Published: March 20, 2025, 3:17 p.m.
  • Modified: March 20, 2025, 4:13 p.m.

Indicators

  • 6a2a0f9c56ee9bf7b62e1d4e1929d13046cd78a93d8c607fe4728cc5b1e8d050
  • b7703a59c39a0d2f7ef6422945aaeaaf061431af0533557246397551b8eed505

Attack Patterns

  • HEARTCRYPT
  • ABYSSWORKER
  • MEDUSA
  • T1562.004
  • T1543.003
  • T1553.002
  • T1547.001
  • T1222
  • T1014
  • T1562.001
  • T1070
  • T1574
  • T1564
  • T1055
  • T1562