Shedding light on the ABYSSWORKER driver
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
The ABYSSWORKER driver is a malicious tool used in conjunction with MEDUSA ransomware to disable anti-malware systems. It employs a HEARTCRYPT-packed loader and a revoked certificate-signed driver to target and silence EDR vendors. The driver imitates a legitimate CrowdStrike Falcon driver and uses obfuscation techniques to hinder analysis. It provides various functionalities including file manipulation, process and driver termination, and EDR system disabling. The driver's capabilities include removing callbacks, replacing driver functions, killing system threads, and detaching mini-filter devices. It uses unconventional methods like creating IRPs from scratch to perform file operations. The malware's sophisticated approach demonstrates the evolving tactics of cybercriminals in evading detection and disabling security measures.
OPENCTI LABELS :
ransomware,obfuscation,medusa,edr,driver,heartcrypt,process termination,abyssworker,file manipulation
Open in NetmanageIT OpenCTI Public Instance with below link!
Use public read only username and password on login page.
NOTE : Use Public READ only user credentials on login page banner.
Shedding light on the ABYSSWORKER driver