Embargo Ransomware Gang Deploys Customized Defense Evasion Tools

Summary: The Embargo ransomware group has developed advanced Rust-based tools to bypass cybersecurity defenses, specifically targeting US companies. Their toolkit includes a loader (MDeployer) and an EDR killer (MS4Killer), enabling them to execute ransomware attacks effectively while evading detection.

Threat Actor: Embargo Gang | Embargo Gang
Victim: US Companies | US Companies

Key Point :

  • Embargo utilizes a double-extortion method, exfiltrating data and threatening publication alongside encryption.
  • The toolkit includes MDeployer, which facilitates ransomware execution, and MS4Killer, designed to disable security solutions.
  • MS4Killer employs a “bring your own vulnerable driver” technique to terminate security processes, enhancing the group’s evasion capabilities.
  • Both MDeployer and MS4Killer are custom-built for each victim, showcasing the group’s adaptability during attacks.
  • Embargo is believed to operate as a ransomware-as-a-service (RaaS) provider, indicating a well-resourced operation.

The Embargo ransomware group is deploying customized Rust-based tooling to overcome cybersecurity defenses, according to ESET researchers.

The new toolkit was observed during ransomware incidents targeting US companies in July 2024, and was comprised of a loader and an EDR killer, named MDeployer and MS4Killer, respectively.

MS4Killer is custom compiled for each victim’s environment, targeting only selected security solutions, making it especially dangerous.

The tools appear to have been developed together and contain some overlap in functionality.

MDeployer, MS4Killer and Embargo’s ransomware payload are all written in Rust, suggesting this is the “go-to” programming language for the group’s developers.

Embargo Gang a Well-Resourced Operator

The Embargo gang was first identified in June 2024. It appears to be well-resourced, with the ability to develop custom tools and sets up its own infrastructure to communicate with victims.

The group primarily uses a double-extortion method – exfiltrating victims’ data and threatening to publish it on a leak site in addition to encrypting it.

ESET also believes Embargo is a ransomware-as-a-service (RaaS) provider.

The group is also able to adjust quickly during attacks.

“The main purpose of the Embargo toolkit is to secure successful deployment of the ransomware payload by disabling the security solution in the victim’s infrastructure. Embargo puts a lot of effort into that, replicating the same functionality at different stages of the attack,” the researchers wrote.

“We have also observed the attackers’ ability to adjust their tools on the fly, during an active intrusion, for a particular security solution,” they added.

MDeployer Loader

MDeployer is the main malicious loader Embargo attempts to deploy on victims’ machines in the compromised network. Its purpose is to facilitate ransomware execution and file encryption.

It executes two payloads, MS4Killer and Embargo ransomware, and decrypt two encrypted files a.cache and b.cache that were dropped by an unknown previous stage.

When the ransomware finishes encrypting the system, MDeployer terminates the MS4Killer process, deletes the decrypted payloads and a driver file dropped by MS4Killer, and finally reboots the system.

Another feature of MDeployer is when it is executed with admin privileges as a DLL file, it attempts to reboot the victim’s system into Safe Mode in order to disable selected security solutions. As most cybersecurity defenses are not in effect in Safe Mode, it helps threat actors avoid detection.

MS4Killer Evasion Tool

MS4Killer is a defense evasion tool that uses a technique known as bring your own vulnerable driver (BYOVD) to terminate security product processes.

MS4Killer terminates security products from the kernel by installing and abusing a vulnerable driver that is stored in a global variable. The process identifier of the process to terminate is passed to s4killer as a program argument.

Embargo has extended the tool’s functionality with features such as being able to run in an endless loop to constantly scan for running processes and hardcoding the list of process names to kill in the binary.

After disabling the security tooling, Embargo affiliates can run the ransomware payload without worrying whether their payload gets detected.

Source: https://www.infosecurity-magazine.com/news/embargo-ransomware-defense-evasion