The Rising Threat of EDR Bypass: Cybercriminals Using Custom Drivers to Evade Detection

Cybercrime is evolving at an unprecedented pace. Emerging threats like LLMjacking and API vulnerabilities are challenging existing cybersecurity defenses, demanding a reassessment of security stacks. As attackers grow more sophisticated and elusive, cybersecurity teams face mounting pressure to adapt and stay ahead. One of the most alarming trends in recent times is the increasing use of custom-built or exploited legitimate drivers to disable endpoint detection and response (EDR) systems. These malicious drivers are specifically crafted or modified to disable EDR software, allowing cybercriminals to evade detection, avoid prevention mechanisms, and carry out their operations undetected. This article delves into the phenomenon of cybercriminals leveraging drivers to silence EDR systems and explores a recent campaign that showcases this alarming trend, offering insights into how cybersecurity teams can defend against such attacks.

The Rise of Driver-based EDR Evasion

Driver-based evasion has gained traction as cybercriminals look for new ways to bypass security defenses. Drivers, which operate with high privileges in the operating system kernel, are particularly appealing targets for malicious actors because of their ability to interact with system processes at a deep level. This privileged access enables them to manipulate security software, disable protective mechanisms, and perform other malicious activities without triggering alarms.

The increasing sophistication of cybercriminals, coupled with their ability to exploit or create custom drivers, is forcing EDR solutions and traditional endpoint security mechanisms to evolve. Attackers are leveraging these techniques to render EDR tools ineffective, increasing the chances of a successful attack while avoiding detection and mitigation strategies.

Cyber Technology Insights: CyberTech Insights Exclusive: Experts Discuss Impact of Google-Wiz Deal on Cloud Security

Case Study: ABYSSWORKER and the MEDUSA Ransomware Campaign

One of the most striking examples of this tactic is found in a recent campaign monitored by Elastic Security Labs. This financially motivated attack involved the deployment of MEDUSA ransomware, which was delivered using a HEARTCRYPT-packed loader. Alongside this loader, the attackers deployed a revoked certificate-signed driver from a Chinese vendor, dubbed ABYSSWORKER. This driver, once installed on the victim’s system, played a crucial role in disabling various EDR systems, rendering them ineffective against the malicious payload.

The ABYSSWORKER driver takes advantage of a variety of advanced tactics to evade detection and bypass security controls. Elastic’s analysis revealed that this driver could manipulate the system’s internal processes, allowing it to silently disable security tools and perform a wide range of harmful actions, including process manipulation, file manipulation, and system reboot.

Cyber Technology Insights: CyberTech Insights Exclusive: Experts Discuss Impact of Google-Wiz Deal on Cloud Security

Key Features of the ABYSSWORKER Driver

The ABYSSWORKER driver showcases the growing sophistication of driver-based attacks. Key features of the driver include:

Protection During Initialization: The driver initially strips any handles to its client process from other active processes. This prevents detection by other system processes and makes the driver harder to identify.

Broad Malicious Operations: The driver can carry out a wide range of malicious tasks:

Process Manipulation: It can terminate or manipulate system processes, ensuring that malicious activities go unnoticed.
File Manipulation: It allows the attacker to alter or delete files, potentially eliminating evidence of the attack.
API Loading and Hook Removal: The driver can load malicious APIs into memory or remove hooks placed by security software, rendering it incapable of detecting malicious behavior.
Driver Termination and System Reboot: By terminating security-related drivers and rebooting the system, the ABYSSWORKER driver ensures the persistence of the attack.
These capabilities are what make the ABYSSWORKER driver such a potent tool for bypassing endpoint defenses, including EDR systems.

Bypassing Certificate Checks: A Deeper Look

As Jason Soroko, Senior Fellow at Sectigo, highlights, the attackers behind ABYSSWORKER employed a clever strategy to bypass the usual certificate validation checks. In a typical scenario, Windows would reject drivers signed with an expired certificate. However, the attackers managed to trick the system into accepting the expired certificate by manipulating the system date.

The attackers disabled the Windows Time Service and set the system date to 2012, a time when the certificate used to sign the driver was still valid. This manipulation allowed the system to treat the expired certificate as valid, allowing the malicious driver to be loaded and executed. A separate controller binary then communicated with the driver, sending commands to disable security tools and execute other harmful operations on the infected system.

This manipulation reflects the attackers’ deep understanding of Windows’ internal systems and their ability to exploit even the smallest misconfigurations in the system. The use of expired certificates and system time manipulation underscores the growing trend of cybercriminals creatively abusing system vulnerabilities to bypass security mechanisms.

Insights for Cybersecurity Teams

The use of driver-based attacks, such as the ABYSSWORKER driver, represents a serious challenge to traditional endpoint security tools. Eric Schwake, Director of Cybersecurity Strategy at Salt Security, points out that the ability of attackers to manipulate system time and bypass certificate expiration checks showcases a highly advanced attack method. Schwake emphasizes that security teams must acknowledge the increasing use of kernel-level access to disable defenses, calling for a defense-in-depth strategy that goes beyond conventional endpoint protection.

Key Recommendations for Defending Against Driver-based Attacks:

Strict Driver Signing Policies: Organizations should enforce stringent driver signing policies to ensure that only trusted and properly signed drivers are allowed to run on their systems. Microsoft’s Driver Blocklist functionality should be leveraged to prevent the execution of unauthorized or expired drivers.

System Configuration Monitoring: As noted by Boris Cipot, Senior Security Engineer at Black Duck, system configuration changes—such as those involving system time—are often exploited by attackers to bypass security controls. Organizations must monitor and log configuration changes, particularly changes to system time, and implement alerts to detect such anomalies.

Kernel-Level Security Monitoring: Given the growing use of kernel-level attacks, it’s crucial for organizations to implement robust kernel-level monitoring. This includes monitoring system calls, driver behavior, and interactions with critical system APIs. Tools designed to detect abnormal kernel activity can help identify and block malicious driver actions before they cause significant damage.

Implement Secure Boot and Code Integrity Policies: Using Secure Boot and enforcing code integrity policies can prevent unauthorized drivers from being loaded onto the system. These security features ensure that only signed and trusted drivers are allowed to run, making it much harder for attackers to exploit expired certificates or load malicious drivers.

Proactive API Monitoring: Eric Schwake also emphasizes the need for organizations to have a comprehensive API posture governance process in place. Attackers may attempt to manipulate or disable security-related APIs to achieve their goals. By monitoring API calls and ensuring their integrity, organizations can prevent attackers from bypassing detection systems.

Endpoint Protection and Threat Intelligence: It is essential to pair endpoint protection tools with threat intelligence feeds to keep up-to-date with the latest attack vectors. Regular updates and patches for operating systems and endpoint protection tools can help defend against emerging threats.

Awareness and Policy Enforcement: Finally, organizations must enforce security policies that prioritize long-term defense over short-term convenience. Cipot warns against disabling security features or allowing outdated software to run for compatibility reasons. It’s essential to balance the need for system functionality with the security of the overall environment.

Cyber Technology Insights: Top AI Security Tools for Financial Services Industry

Conclusion

The increasing use of custom or exploited drivers to bypass EDR systems marks a worrying shift in the tactics employed by cybercriminals. The ABYSSWORKER driver and its role in the MEDUSA ransomware campaign are a clear indication that attackers are leveraging sophisticated methods to evade detection and neutralize endpoint defenses. To protect against such threats, cybersecurity teams must implement a multi-layered defense strategy, focusing on kernel-level monitoring, strict driver policies, and proactive system configuration monitoring. By staying vigilant and adapting to the evolving threat landscape, organizations can better defend against these increasingly sophisticated attacks and mitigate the risks associated with driver-based evasion tactics

To participate in our interviews, please write to our CyberTech Media Room at sudipto@intentamplify.com

Tags: API vulnerabilities, cybercriminals, endpoint protection, endpoint security, security defenses, threat intelligence

CyberTech Staff Writer

CyberTech Staff Writer is a seasoned cybersecurity expert and analyst with a deep passion for safeguarding digital landscapes. With 20+ years of experience in the IT security and networking industry, they have honed their skills in identifying, assessing, and reporting cyber threats and best practices to salvage enterprises from disasters. Their expertise spans a wide range of areas, including cloud security, application security, ransomware assessment, threat intelligence, incident response, ZTNA and more. As a thought leader in the cybersecurity community, CyberTech Staff Writer is dedicated to sharing knowledge and insights to help organizations build robust defenses against evolving cyber threats.