The article discusses a financially motivated cybercriminal campaign that uses a malicious driver known as ABYSSWORKER to disable endpoint detection and response (EDR) systems before deploying MEDUSA ransomware. The driver is signed with revoked code-signing certificates, incorporates several evasion techniques against EDR products, and exposes capabilities for manipulating processes and files.
Affected: MEDUSA ransomware, EDR systems, Windows PE driver
Key points:
- Cybercriminals deploy custom-built drivers to evade EDR systems.
- ABYSSWORKER driver is used in a campaign to deliver MEDUSA ransomware.
- This driver utilizes legitimate revoked certificates to bypass security measures.
- Driver manipulations involve file creation, deletion, and process handling to compromise system security.
- ABYSSWORKER employs obfuscation techniques to hinder reverse engineering efforts.
- Comprehensive control over system processes and files is achieved through specific I/O controls.
- YARA rules have been developed to identify samples related to ABYSSWORKER.
- The importance of documenting malicious techniques is emphasized through the MITRE ATT&CK framework.
MITRE Techniques:
- T1070.001: Indicator Removal on Host – ABYSSWORKER removes existing handles to the protected process to prevent detection.
- T1070.004: File and Directory Discovery – The driver manipulates file attributes and performs file copying and deleting operations.
- T1215: Kernel Modules – The driver is a custom-built kernel driver designed to execute malicious commands.
- T1490: Inhibit Response – ABYSSWORKER disables EDR by removing kernel callbacks using specific I/O control requests.
- T1047: Windows Management Instrumentation – Utilizes kernel API calls to control system processes and manipulate driver functions.
Indicators of Compromise:
- [SHA256] 6a2a0f9c56ee9bf7b62e1d4e1929d13046cd78a93d8c607fe4728cc5b1e8d050
- [SHA256] b7703a59c39a0d2f7ef6422945aaeaaf061431af0533557246397551b8eed505
- [IoC Type] revoked certificate fingerprint: 51 68 1b 3c 9e 66 5d d0 b2 9e 25 71 46 d5 39 dc
- [IoC Type] revoked certificate fingerprint: 72 88 1f 10 cd 24 8a 33 e6 12 43 a9 e1 50 ec 1d
- [IoC Type] revoked certificate fingerprint: 04 3b 13 df 60 e7 64 99 66 30 21 c1
Full Story: https://www.elastic.co/security-labs/abyssworker