Medusa Ransomware Leverages Signed Malicious Driver to Bypass EPP/EDR


Researchers have observed that the Medusa ransomware-as-a-service (RaaS) operation employs a malicious driver, dubbed ABYSSWORKER, to disable anti-malware tools through a bring your own vulnerable driver (BYOVD) attack.
In one incident reported by The Hacker News, Medusa ransomware was delivered by a loader packed with a packer-as-a-service (PaaS) offering called HeartCrypt. The loader was deployed alongside ABYSSWORKER, a driver signed with a revoked certificate from a Chinese vendor, which it installs on the victim's machine in order to silence endpoint detection and response (EDR) products from a range of vendors.
The driver file, "smuol.sys," mimics a legitimate CrowdStrike Falcon driver ("CSAgent.sys"). Numerous ABYSSWORKER samples have been observed on VirusTotal, dated between August 8, 2024 and February 25, 2025. All of them are signed with revoked certificates belonging to Chinese companies, which were most likely stolen.
Notably, ABYSSWORKER can blind security products by enumerating and removing the registered kernel notification callbacks (the process, thread and image-load notifications that EDR drivers rely on for visibility), a technique also used by other EDR-disabling tools such as EDRSandBlast and RealBlindingEDR.
These findings follow a report from Venak Security describing how threat actors are exploiting a legitimate but vulnerable kernel driver shipped with Check Point's ZoneAlarm antivirus in BYOVD attacks. The exploit gives the attackers elevated privileges and lets them disable Windows security features such as Memory Integrity.
The threat actors then abused that privileged access to establish a Remote Desktop Protocol (RDP) connection to the infected systems, giving them persistent access.
Check Point has since addressed this vulnerability, noting that the susceptible driver is outdated and no longer in active use. Users running the latest versions of ZoneAlarm or Harmony Endpoint are not affected, as these include updated drivers that mitigate this issue.
Takeaway: We have recently seen a significant uptick in ransomware operations using BYOVD tactics. Attackers bring legitimate, signed drivers with known vulnerabilities onto target systems and abuse them to gain unauthorized kernel-level access.
Vulnerable drivers that carry a valid signature (frequently a Microsoft WHQL or attestation signature) and run with kernel privileges are notoriously hard to detect, because that signature is exactly what the operating system and most security products use to decide whether to trust them.
In computer systems, drivers are specialized software components that enable communication between the operating system and hardware devices. Their high-level privileges make them attractive targets for attackers, especially when vulnerabilities are present.
The BYOVD attack vector exploits the inherent trust operating systems place in digitally signed drivers. When a driver is signed, it's trusted by the system to operate with elevated privileges. However, if such a driver contains vulnerabilities, attackers can exploit this trust to perform malicious actions without detection.
Once an attacker gains kernel-level access, a wide range of malicious activity becomes possible, from blinding or terminating security services to side-loading malicious DLLs through trusted, signed binaries such as Windows Defender's own executables. The kernel foothold lets them bypass traditional security controls and carry out the rest of the intrusion with the highest privileges on the box.
The effectiveness of BYOVD lies in exploiting the trust model built into the operating system. Because the driver is genuine and validly signed, security solutions commonly allow-list it, and the malicious activity that follows proceeds undetected.
This is a significant challenge for defenders: traditional controls have no reason to flag the driver itself as malicious, so what has to be caught is the behavior that follows its load.
Threat actors are getting crafty with BYOVD, slipping in legitimate, signed drivers with known security holes to burrow deep into systems. Because those drivers come with a stamp of approval, they pass many defenses without raising an eyebrow.
Once inside, the attackers can disable security tools, including advanced Endpoint Detection and Response (EDR) systems, leaving the door wide open for the ransomware payload to wreak havoc.
The alarming part is that many security teams are unaware of this maneuver. They invest in the latest security tooling and believe they are covered, while attackers exploit this overlooked weakness. So, what is the right move?
Keep drivers updated, and don't let an outdated driver be your Achilles' heel. Implement strict controls on what can be installed, limit administrative privileges to the personnel who need them, keep Memory Integrity (HVCI) and Microsoft's vulnerable driver blocklist enabled so known-bad drivers cannot load in the first place, and make sure you have tooling that detects the behaviors that follow a BYOVD load, such as a driver appearing under a look-alike name, a driver loading with a revoked certificate, or EDR sensors suddenly going quiet.
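As an added example of the detection side of that advice (illustrative code written for this post, not Halcyon product logic and not code from the Medusa, ABYSSWORKER or ZoneAlarm reports), the Python below triages Sysmon Event ID 6 (DriverLoad) records for three BYOVD indicators the cases above exhibit: a driver whose certificate no longer validates (the ABYSSWORKER samples are signed with revoked certificates), a file that reuses a well-known EDR driver's name but is signed by someone other than that vendor (the CSAgent.sys look-alike pattern), and a validly signed driver whose hash is on a vulnerable-driver block list (the ZoneAlarm case). The event bodies, hashes, the "Example Vendor Co., Ltd." signer and the block-list entry are constructed placeholders, and the expected CrowdStrike signer string is an assumption to be replaced with the value seen in your own telemetry.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for BYOVD indicators.

Added example, not code from Halcyon or from any vendor report. The event
bodies below are constructed for illustration; hashes, signer strings and the
block-list entry are placeholders, not real indicators.
"""
from __future__ import annotations

from dataclasses import dataclass

# Signer expected on a few well-known EDR driver file names.
# Assumption for this example: CrowdStrike's driver carries this subject name.
EXPECTED_SIGNER = {
    "csagent.sys": "CrowdStrike, Inc.",
}

# Stand-in for a vulnerable/abused driver block list keyed by SHA256. In
# production this is fed from Microsoft's recommended driver block rules or a
# feed such as LOLDrivers; the value here is a placeholder.
BLOCKED_SHA256 = {"11" * 32}


@dataclass
class DriverLoad:
    image: str
    signed: bool
    signature: str
    status: str
    sha256: str


def parse_event(body: str) -> DriverLoad:
    """Parse the 'Key: Value' lines of a Sysmon DriverLoad message body."""
    fields = {}
    for line in body.strip().splitlines():
        if ": " not in line:
            continue  # skips the "Driver loaded:" banner line
        key, value = line.split(": ", 1)
        fields[key.strip()] = value.strip()
    # Hashes is a comma-separated list such as "SHA256=...,MD5=..."
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    return DriverLoad(
        image=fields.get("ImageLoaded", ""),
        signed=fields.get("Signed", "").lower() == "true",
        signature=fields.get("Signature", ""),
        status=fields.get("SignatureStatus", ""),
        sha256=hashes.get("SHA256", "").lower(),
    )


def triage(event: DriverLoad) -> list[str]:
    """Return the reasons this driver load deserves an analyst's attention."""
    findings = []
    name = event.image.rsplit("\\", 1)[-1].lower()

    # 1. Unsigned, or signed but the chain does not validate: revoked or expired
    #    certificates are exactly what the ABYSSWORKER samples carry.
    if not event.signed or event.status != "Valid":
        findings.append(f"signature status {event.status or 'none'!r}")

    # 2. File name belongs to a known EDR driver but the signer is not that
    #    vendor: a look-alike impersonating a security product.
    expected = EXPECTED_SIGNER.get(name)
    if expected and event.signature != expected:
        findings.append(f"{name} signed by {event.signature!r}, expected {expected!r}")

    # 3. Validly signed but on the block list: the classic BYOVD case, a real
    #    vendor driver with a known vulnerability brought along by the attacker.
    if event.sha256 in BLOCKED_SHA256:
        findings.append(f"sha256 {event.sha256[:12]}... is on the block list")

    return findings


def make_event(image: str, signature: str, status: str, sha256: str, signed: str = "true") -> str:
    """Build a constructed Sysmon Event 6 message body (not real telemetry)."""
    return (
        "Driver loaded:\n"
        "RuleName: -\n"
        "UtcTime: 2025-02-25 10:15:03.123\n"
        f"ImageLoaded: {image}\n"
        f"Hashes: SHA256={sha256},MD5={'aa' * 16}\n"
        f"Signed: {signed}\n"
        f"Signature: {signature}\n"
        f"SignatureStatus: {status}\n"
    )


# Constructed sample events covering each indicator plus a clean load.
SAMPLE_EVENTS = {
    "abyssworker_like": make_event(r"C:\Windows\System32\drivers\smuol.sys",
                                   "Example Vendor Co., Ltd.", "Revoked", "22" * 32),
    "legit_edr": make_event(r"C:\Windows\System32\drivers\CSAgent.sys",
                            "CrowdStrike, Inc.", "Valid", "33" * 32),
    "byovd_signed": make_event(r"C:\Users\Public\vendor_tool.sys",
                               "Example Vendor Co., Ltd.", "Valid", "11" * 32),
    "impersonation": make_event(r"C:\Windows\Temp\CSAgent.sys",
                                "Example Vendor Co., Ltd.", "Valid", "44" * 32),
}


def triage_all(events: dict[str, str] = SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Run triage over a set of event bodies, keyed by label."""
    return {label: triage(parse_event(body)) for label, body in events.items()}


if __name__ == "__main__":
    for label, findings in triage_all().items():
        print(f"{label}: {findings or 'clean'}")
```

Only the legitimate CSAgent.sys load comes back clean; the other three each produce a single finding. The revoked-certificate check is the one that would catch a sample like smuol.sys regardless of its name, the signer-mismatch check covers files that reuse a real EDR driver name, and the block-list check is the only one that catches a validly signed vendor driver such as the ZoneAlarm case, which is why a hash feed belongs alongside the signature checks rather than instead of them.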
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.