Indo Guard Online
Global Security

Medusa Ransomware uses a malicious driver to disable anti-malware with stolen certificates

By Admin, March 21, 2025, 4 min read


March 21, 2025Red LakshmananRansomware / Byovd

The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver (BYOVD) attack designed to disable anti-malware tools.

Elastic Security Labs said it observed a Medusa ransomware attack that delivered the encryptor using a loader packed with a packer-as-a-service (PaaS) called HeartCrypt.

"This loader was deployed alongside a revoked certificate-signed driver from a Chinese vendor we named ABYSSWORKER, which it installs on the victim machine and then uses to target and silence different EDR vendors," the company said in a report.

The driver in question, "smuol.sys", imitates the legitimate CrowdStrike Falcon driver ("csagent.sys"). Dozens of artifacts were found on the VirusTotal platform dating from August 8, 2024, to February 25, 2025. All identified samples are signed with likely stolen, revoked certificates belonging to Chinese companies.


The fact that the malware is signed gives it a veneer of trust and lets it bypass security controls without attracting attention. It is worth noting that the EDR-killing driver was previously documented by ConnectWise in January 2025 under the name "nbwdv.sys".

Once initialized and launched, ABYSSWORKER adds its client's process ID to a global list of protected process IDs and listens for incoming device I/O control requests, which are dispatched to the appropriate handlers based on the I/O control code.

"These handlers cover a wide range of operations, from file manipulation to process and driver termination, providing a comprehensive toolset that can be used to terminate or permanently disable EDR systems," Elastic said.

Some of the I/O control codes are listed below:

  • 0x222080 – Enable the driver by sending the password "7n6bcaoecbitsur5-h4rp2nkqxybfkb0f-wgbjgh20pwuun1-zxfxdioyps6htp0x"
  • 0x2220c0 – Load the required kernel APIs
  • 0x222184 – Copy a file
  • 0x222180 – Delete a file
  • 0x222408 – Kill system threads by module name
  • 0x222400 – Remove notification callbacks by module name
  • 0x2220c0 – Load API
  • 0x222144 – Terminate processes by process ID
  • 0x222140 – Terminate threads by thread ID
  • 0x222084 – Disable malware
  • 0x222664 – Reboot the machine

Of particular interest is 0x222400, which can be used to blind security products by searching for and removing all registered notification callbacks, an approach also used by other EDR-killing tools such as EDRSandBlast and RealBlindingEDR.
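The control codes above follow the bit layout of the Windows CTL_CODE macro (device type, required access, function number, transfer method), so decoding them tells a reverser what kind of device interface the driver exposes before any handler is examined. The PowerShell below is an added example written for this page; it is not code from Elastic's report or from the driver, and the purpose strings are simply the descriptions from the list above (the duplicate 0x2220c0 entry is kept as listed):

```powershell
# Added example for this page (not from Elastic's report or the driver): decode IOCTL
# codes using the bit layout of the WDK CTL_CODE macro:
#   bits 31..16 device type | 15..14 required access | 13..2 function | 1..0 transfer method
function ConvertFrom-CtlCode {
    param([Parameter(Mandatory)][long]$Code)

    $methods = @{ 0 = 'METHOD_BUFFERED'; 1 = 'METHOD_IN_DIRECT'; 2 = 'METHOD_OUT_DIRECT'; 3 = 'METHOD_NEITHER' }
    $access  = @{ 0 = 'FILE_ANY_ACCESS'; 1 = 'FILE_READ_ACCESS'; 2 = 'FILE_WRITE_ACCESS'; 3 = 'FILE_READ_ACCESS|FILE_WRITE_ACCESS' }
    $device  = ($Code -shr 16) -band 0xFFFF

    [pscustomobject]@{
        Code       = '0x{0:x6}' -f $Code
        # 0x22 is FILE_DEVICE_UNKNOWN, the value custom (non-class) drivers normally use
        DeviceType = $(if ($device -eq 0x22) { 'FILE_DEVICE_UNKNOWN (0x22)' } else { '0x{0:x}' -f $device })
        Access     = $access[[int](($Code -shr 14) -band 0x3)]
        Function   = '0x{0:x3}' -f (($Code -shr 2) -band 0xFFF)
        Method     = $methods[[int]($Code -band 0x3)]
    }
}

# Codes and purposes as given in the article's list (the list repeats 0x2220c0).
$abyssworkerIoctls = @(
    @{ Code = 0x222080; Purpose = 'Enable the driver (password)' },
    @{ Code = 0x2220c0; Purpose = 'Load the required kernel APIs' },
    @{ Code = 0x222184; Purpose = 'Copy a file' },
    @{ Code = 0x222180; Purpose = 'Delete a file' },
    @{ Code = 0x222408; Purpose = 'Kill system threads by module name' },
    @{ Code = 0x222400; Purpose = 'Remove notification callbacks by module name' },
    @{ Code = 0x2220c0; Purpose = 'Load API' },
    @{ Code = 0x222144; Purpose = 'Terminate processes by process ID' },
    @{ Code = 0x222140; Purpose = 'Terminate threads by thread ID' },
    @{ Code = 0x222084; Purpose = 'Disable malware' },
    @{ Code = 0x222664; Purpose = 'Reboot the machine' }
)

$abyssworkerIoctls | ForEach-Object {
    ConvertFrom-CtlCode -Code $_.Code |
        Add-Member -NotePropertyName Purpose -NotePropertyValue $_.Purpose -PassThru
} | Format-Table Code, DeviceType, Access, Function, Method, Purpose -AutoSize
```

Every code in the list decodes to FILE_DEVICE_UNKNOWN, FILE_ANY_ACCESS and METHOD_BUFFERED, with function numbers between 0x820 and 0x999. For an analyst that means the handlers read their arguments from the buffered SystemBuffer, and that the device object itself imposes no access requirement on callers; the driver's password check on 0x222080 is what stands in for access control, which is consistent with the gating described above.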

The findings follow a report from Venak Security on how threat actors are exploiting a legitimate but vulnerable kernel driver belonging to Check Point's ZoneAlarm software as part of a BYOVD attack designed to gain elevated privileges and disable Windows security protections.

The privileged access was then abused by the threat actors to establish a Remote Desktop Protocol (RDP) connection to the infected systems, giving them persistent access. The flaw has since been fixed by Check Point.

"Since vsdatant.sys operates with high-level kernel privileges, attackers were able to exploit its vulnerabilities, bypassing security protections and antivirus software and gaining full control of the infected machines," the company said.


"Once these defenses were bypassed, the attackers had full access to the underlying system and were able to access sensitive information such as user passwords and other stored credentials. This data was then exfiltrated, opening the door for further exploitation."
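Both cases on this page, the ABYSSWORKER driver signed with revoked certificates and the vulnerable vsdatant.sys, depend on a signed kernel driver being loadable at all. The PowerShell below is an added example written for this page, not code from Elastic, Venak Security or any vendor named here. It triages the drivers registered on a Windows host using the three file names the article gives (smuol.sys, nbwdv.sys, vsdatant.sys), flags drivers whose file description claims CrowdStrike while the signer does not, and reports whether memory integrity (HVCI), the control that blocks known-vulnerable drivers, is running. Everything other than those file names is an assumed heuristic for illustration, not a detection signature:

```powershell
# Added example for this page (not from the article, Elastic or Venak Security).
# File names are the ones the article reports; the remaining checks are heuristics.
$knownKillerDrivers = @('smuol.sys', 'nbwdv.sys', 'vsdatant.sys')

function Get-DriverTriage {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }
        # WMI returns NT-style paths such as \SystemRoot\system32\drivers\x.sys or \??\C:\...
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $path = $path -replace '^\\\?\?\\', ''
        if (-not (Test-Path -LiteralPath $path)) { return }

        $name   = [IO.Path]::GetFileName($path)
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $signer = $sig.SignerCertificate.Subject
        $desc   = (Get-Item -LiteralPath $path).VersionInfo.FileDescription
        $findings = @()

        if ($knownKillerDrivers -contains $name) { $findings += 'file name reported as EDR-killer/vulnerable driver' }
        if ($sig.Status -ne 'Valid') { $findings += "signature status $($sig.Status)" }
        # Mirrors the csagent.sys impersonation: looks like an EDR component, signed by someone else.
        if ($desc -match 'CrowdStrike' -and $signer -notmatch 'CrowdStrike') { $findings += 'EDR description with foreign signer' }

        if ($findings) {
            [pscustomobject]@{
                Driver   = $name
                State    = $_.State
                Path     = $path
                Signer   = $signer
                Findings = $findings -join '; '
            }
        }
    }
}

function Test-MemoryIntegrityRunning {
    # Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI (Memory Integrity) is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return [bool]($dg.SecurityServicesRunning -contains 2)
}

Get-DriverTriage | Format-Table -AutoSize
"Memory Integrity (HVCI) running: $(Test-MemoryIntegrityRunning)"
```

Run it from an elevated prompt. A "Valid" signature status is not a clean bill: Get-AuthenticodeSignature reports the local trust decision, and a driver signed with a stolen certificate that carries a timestamp countersignature predating the revocation can still validate, which is exactly the situation the article describes. Treat the file-name match and the description/signer mismatch as the stronger signals, and keep HVCI on so the Microsoft vulnerable driver blocklist is enforced.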

The development comes as RansomHub .

The implant comes with features typically associated with malware deployed as a precursor to ransomware, such as screenshot capture, keylogging, network scanning, privilege escalation, credential dumping, and exfiltration of data to a remote server.

"The functionality indicates that it may have been developed in order to minimize the number of new tools dropped on a targeted network while a ransomware attack is being prepared," Broadcom-owned Symantec said, describing it as something of a departure from the other custom tools ransomware groups have developed for data exfiltration.

"The use of custom malware other than encrypting payloads is relatively unusual in ransomware attacks. Most attackers rely on legitimate tools, living off the land, and publicly available malware such as Mimikatz and Cobalt Strike."
