
Medusa ransomware deployed via malicious Windows driver


A financially motivated campaign was observed deploying Medusa ransomware by using a malicious Windows driver signed with an expired certificate; the driver is installed on a victim's machine to silence the security controls of endpoint detection and response (EDR) systems.

Elastic Security Labs researchers posted last week that the Windows driver, which they named "AbyssWorker," came from a Chinese vendor and was first reported by ConnectWise in a different campaign on Jan. 31.

“The attackers deploy a malicious driver that evades security controls by masquerading as a legitimate component and bypassing certificate checks through system date manipulation,” explained Jason Soroko, senior fellow at Sectigo. “They then use a controller binary to command the driver to disable security tools and execute harmful operations on the infected system.”

Soroko said an expired certificate normally causes Windows to reject the driver. The attackers bypass this, however, by disabling the Windows Time Service and setting the system date to 2012, which tricks the system into accepting the expired certificate as valid and allows the driver to run, Soroko explained.

“A separate controller binary then communicates with the driver, sending commands to execute its malicious functions,” said Soroko. “These functions include disabling security tools and manipulating system processes, ensuring the malware achieves its goals.”
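The sequence Soroko describes (the time service stopped, the clock rolled back by years, then a driver loaded under a signature that is no longer valid) is a pattern a defender can look for in Windows event telemetry. The following Python is an added example, not code from Elastic, ConnectWise or the article. It correlates constructed, simplified event records modelled on Security event 4616 (system time changed), System event 7036 (service state change) and Sysmon event 6 (driver loaded); the field names, driver path and timestamps are assumptions made for the example. Because the clock itself is being tampered with, the correlation uses record order rather than the recorded timestamps.

```python
from datetime import datetime

# Constructed sample events (not real telemetry). Shapes are simplified versions of:
#   4616  Security: "The system time was changed"   (previous_time, new_time)
#   7036  System:   service entered a new state    (service, state)
#   6     Sysmon:   driver loaded                   (image, signature_status)
# Note the driver-load record carries a 2012 timestamp because it was written
# after the clock was rolled back; that is why we correlate by order, not by ts.
SAMPLE_EVENTS = [
    {"id": 4616, "ts": "2025-03-20T09:30:00", "previous_time": "2025-03-20T09:30:00",
     "new_time": "2025-03-20T09:30:02"},                      # benign NTP-style correction
    {"id": 7036, "ts": "2025-03-20T10:00:00", "service": "Windows Time", "state": "stopped"},
    {"id": 4616, "ts": "2025-03-20T10:00:05", "previous_time": "2025-03-20T10:00:05",
     "new_time": "2012-06-01T10:00:05"},                      # multi-year rollback
    {"id": 6, "ts": "2012-06-01T10:00:20",
     "image": r"C:\Windows\System32\drivers\example_driver.sys",  # hypothetical path
     "signature_status": "Expired"},
    {"id": 7036, "ts": "2025-03-21T09:00:00", "service": "Print Spooler", "state": "stopped"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def rollback_days(event: dict) -> int:
    """Days the clock moved backwards in a 4616 event (negative if moved forward)."""
    return (_parse(event["previous_time"]) - _parse(event["new_time"])).days


def detect_clock_rollback(events: list, min_days: int = 365, window: int = 5) -> list:
    """Flag large backward clock changes and enrich them with nearby context.

    For each 4616 event whose clock moved back by at least `min_days`, look in
    the preceding `window` records for the Windows Time service stopping and in
    the following `window` records for drivers loaded with a non-valid signature.
    """
    findings = []
    for i, ev in enumerate(events):
        if ev["id"] != 4616:
            continue
        days = rollback_days(ev)
        if days < min_days:
            continue  # ordinary time sync adjustments fall through here
        before = events[max(0, i - window):i]
        after = events[i + 1:i + 1 + window]
        time_svc_stopped = any(
            e["id"] == 7036
            and e.get("service") == "Windows Time"
            and e.get("state") == "stopped"
            for e in before
        )
        bad_drivers = [
            e["image"] for e in after
            if e["id"] == 6 and e.get("signature_status", "").lower() != "valid"
        ]
        findings.append({
            "index": i,
            "rollback_days": days,
            "time_service_stopped": time_svc_stopped,
            "suspicious_drivers": bad_drivers,
            # Full chain (service stopped -> rollback -> unverifiable driver) is high.
            "severity": "high" if time_svc_stopped and bad_drivers else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_clock_rollback(SAMPLE_EVENTS):
        print(f)
```

Any one of these records on its own is noisy (services restart, clocks get corrected), which is why the example only escalates when the stop, the rollback and the unverifiable driver load line up in sequence.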

Eric Schwake, director of cybersecurity strategy at Salt Security, said the use of the AbyssWorker driver by Medusa ransomware to disable security tools revealed a disturbingly advanced attack method. Notably, the driver's signature is from a revoked certificate that’s still accepted, Schwake said, and it's further protected by VMProtect, showcasing the extreme measures attackers will take to avoid detection.

Additionally, Schwake explained that manipulating system time to bypass certificate expiration checks reflects an in-depth knowledge of Windows' internal systems. This tactic, paired with the driver's capability to control processes, files, and even load APIs, effectively undermines security tools, making systems susceptible to ransomware attacks.

“Security teams must acknowledge that attackers increasingly use kernel-level access to shut down defenses,” said Schwake. “This calls for a defense-in-depth strategy that transcends conventional endpoint protection. A strong and well-coordinated API posture governance process is essential, as attackers might try to manipulate or disable security-related APIs to fulfill their goals.”
