The notorious Medusa ransomware is using a malicious driver named ‘AbyssWorker’ to disable security tools on infected systems, a new report from cybersecurity firm Elastic Security Labs says.
The driver, tracked as smuol.sys, is designed to masquerade as a legitimate CrowdStrike Falcon driver, and is signed using a revoked certificate from a Chinese company. It is also shielded by VMProtect, a security tool used to obfuscate code and make analysis more challenging for researchers.
Elastic Security Labs reports that the driver has been found in dozens of malware samples dated between August 2024 and February 2025. All samples have been signed, likely using stolen certificates.
Initially spotted in the Medusa ransomware operation, the malicious driver is not exclusive to the gang. Smuol.sys has been previously observed under the name ‘nbwdv.sys’, used in social engineering campaigns that ultimately led to backdoor infections on targeted systems.
The driver’s primary purpose is to disable the security tools on infected machines. The attackers signed the driver with an expired certificate, then deployed a batch (.bat) file that disables the Windows Time Service and changes the system date to 2012, so that the expired certificate does not interfere with the malicious driver's execution.
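The sequence described above (time service stopped, then the clock rolled back years) leaves a recognisable trail in the Windows event logs. The following detection sketch is an added example, not code from the report or from Elastic; it runs over constructed event records modelled on System event 7036 (service state change) and Security event 4616 (system time changed), with field names simplified for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not taken from the report). Field names are
# simplified stand-ins for the fields of Windows events 7036 and 4616.
SAMPLE_EVENTS = [
    {"id": 7036, "recorded": "2025-02-10T09:00:01",
     "service": "Windows Time", "state": "stopped"},
    {"id": 4616, "recorded": "2025-02-10T09:00:05",
     "previous": "2025-02-10T09:00:05", "new": "2012-01-01T00:00:00"},
    # benign NTP correction of a couple of seconds, should not alert
    {"id": 4616, "recorded": "2025-02-11T12:00:00",
     "previous": "2025-02-11T12:00:00", "new": "2025-02-11T12:00:02"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def find_clock_rollback(events, max_gap=timedelta(minutes=5),
                        min_rollback=timedelta(days=30)):
    """Flag system-time changes that move the clock backwards by a large
    margin, and note whether the Windows Time service was stopped shortly
    before. Small forward or backward corrections (NTP drift) are ignored."""
    alerts = []
    last_w32time_stop = None
    for ev in sorted(events, key=lambda e: e["recorded"]):
        when = parse(ev["recorded"])
        if (ev["id"] == 7036 and ev.get("service") == "Windows Time"
                and ev.get("state") == "stopped"):
            last_w32time_stop = when
        elif ev["id"] == 4616:
            rollback = parse(ev["previous"]) - parse(ev["new"])
            if rollback < min_rollback:
                continue  # forward jump or minor correction
            recent_stop = (last_w32time_stop is not None
                           and when - last_w32time_stop <= max_gap)
            alerts.append({
                "at": ev["recorded"],
                "rolled_back_days": rollback.days,
                "after_time_service_stop": recent_stop,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_clock_rollback(SAMPLE_EVENTS):
        print(alert)
```

A real deployment would read these events from the Security and System logs (or a SIEM) rather than from an inline list; the thresholds are starting points to tune against the environment's normal clock corrections.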
Once executed, AbyssWorker initiates a range of malicious activities on the compromised machine. The driver sets up a protection mechanism during initialization, which searches for and strips any handles to its client process from other processes, ensuring that it cannot be easily detected or interfered with.
The driver's capabilities are extensive, allowing it to perform a wide variety of malicious operations, including process manipulation, file tampering, API loading, hook removal, and even system reboots. It has the ability to terminate and permanently disable security tools.