
Embargo, new ransomware, disables security solutions, ESET study finds

The following text comes from a press release and in no way reflects the opinion of the editorial staff.

October 23, 2024 — ESET researchers have discovered a new tool for deploying Embargo ransomware. This is a relatively new group in the world of ransomware, first observed by ESET in June 2024.

Embargo’s new toolkit consists of a loader and an EDR (endpoint detection and response) killer, named MDeployer and MS4Killer respectively. MS4Killer only targets selected security solutions. The malware abuses Safe Mode and a vulnerable driver to disable security products on the victim’s machine. Both tools are written in Rust, the group’s preferred language for developing ransomware.

Based on its modus operandi, Embargo appears to be a resourceful group. It sets up its own infrastructure to communicate with victims. Additionally, the group pressures victims to pay using double extortion: operators exfiltrate sensitive data and threaten to publish it on a leak site, in addition to encrypting it. In an interview, an alleged member of the group mentioned a basic payment system for affiliates, which suggests that the group provides RaaS (ransomware as a service). “The sophistication of the group, the existence of a typical leak site and the statements of the group lead us to assume that Embargo is indeed operating as a RaaS provider,” says Jan Holman, the ESET researcher who, with his colleague Tomáš Zvara, analyzed the threat.

Differences between deployed versions, bugs, and leftover artifacts suggest that these tools are under active development. Embargo is still building its brand and establishing itself as a leading ransomware operator.

Developing custom loaders and EDR removal tools is a common tactic used by many ransomware groups. Besides the fact that MDeployer and MS4Killer have always been observed deployed together, there are other connections between them. The close connections between the tools suggest that both are developed by the same author, and the active development of the toolkit suggests that the threat actor is proficient in Rust.

With MDeployer, the Embargo threat actor abuses Safe Mode to disable security solutions. MS4Killer is a typical defense evasion tool that terminates security product processes using the technique known as Bring Your Own Vulnerable Driver (BYOVD). In this technique, the actor abuses a legitimately signed but vulnerable kernel driver to gain kernel-level code execution. Ransomware affiliates often integrate BYOVD tools into their compromise chain to undermine the security solutions protecting the infrastructure. Once the security software is disabled, affiliates can run the ransomware payload without worrying about whether it is detected.
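The two defense-evasion techniques named above, Safe Mode abuse and BYOVD, both leave posture signals a defender can read from the endpoint. The following read-only PowerShell check is an added example written for this page; it is not code from ESET or from the Embargo toolkit, and it relies only on built-in Windows interfaces (Win32_ComputerSystem, Win32_SystemDriver, bcdedit and the documented VulnerableDriverBlocklistEnable registry value). Function names and the OK/REVIEW labels are this example's own choices.

```powershell
# Added example, not from the press release or ESET Research.
# Read-only posture checks for Safe Mode abuse and BYOVD exposure.
# Run from an elevated PowerShell prompt on the host being assessed.

function Get-BootModeStatus {
    # Win32_ComputerSystem.BootupState is "Normal boot", "Fail-safe boot" or
    # "Fail-safe with network boot". Most security products do not start in
    # Safe Mode, so a production host found there deserves a closer look.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Check  = 'Current boot mode'
        Value  = $cs.BootupState
        Status = if ($cs.BootupState -eq 'Normal boot') { 'OK' } else { 'REVIEW' }
    }
}

function Get-SafeBootSetting {
    # bcdedit reveals whether the NEXT boot is already forced into Safe Mode
    # via a "safeboot" entry on the current loader. Administrators rarely leave
    # this set, so a populated value on a server is a strong triage signal.
    $out  = & bcdedit.exe /enum '{current}' 2>$null
    $m    = $out | Select-String -Pattern '^\s*safeboot\s+(\S+)' | Select-Object -First 1
    $mode = if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
    [pscustomobject]@{
        Check  = 'bcdedit safeboot on {current}'
        Value  = if ($mode) { $mode } else { '(not set)' }
        Status = if ($mode) { 'REVIEW' } else { 'OK' }
    }
}

function Get-VulnerableDriverBlocklistStatus {
    # Microsoft's recommended driver block rules stop many publicly known
    # vulnerable drivers from loading. The explicit toggle lives under
    # HKLM\SYSTEM\CurrentControlSet\Control\CI\Config. Caveat: on recent
    # Windows 11 builds the blocklist is on by default even when the value is
    # absent, so '(value absent)' alone is not proof that it is disabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $val = (Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable `
            -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    [pscustomobject]@{
        Check  = 'Microsoft Vulnerable Driver Blocklist'
        Value  = if ($null -eq $val) { '(value absent)' } else { $val }
        Status = if ($val -eq 1) { 'OK' } else { 'REVIEW' }
    }
}

function Get-RunningDriversOutsideSystemRoot {
    # A driver dropped by a loader is usually started from a directory the
    # attacker could write to, not from %SystemRoot%\System32. This lists
    # running kernel drivers whose image path is outside System32 for review;
    # legitimate third-party software can appear here too, so treat it as a
    # triage list, not a verdict.
    $sys32 = Join-Path $env:SystemRoot 'System32'
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise NT-style prefixes (\??\C:\..., \SystemRoot\...) to a Win32 path.
            $p = $_.PathName -replace '^\\\?\?\\', ''
            $p = $p -replace '^\\SystemRoot', $env:SystemRoot
            if ($p -notlike "$sys32\*") {
                [pscustomobject]@{ Name = $_.Name; Path = $p; StartMode = $_.StartMode }
            }
        }
}

$results = @(Get-BootModeStatus; Get-SafeBootSetting; Get-VulnerableDriverBlocklistStatus)
$results | Format-Table -AutoSize
Write-Host "`nRunning drivers loaded from outside System32 (review list):"
Get-RunningDriversOutsideSystemRoot | Format-Table -AutoSize
```

Any REVIEW row is a prompt to correlate with other telemetry (boot configuration changes, new service installations, driver load events) rather than a detection on its own; the value of the check is that it covers both stages the text describes, the Safe Mode path and the vulnerable-driver path, from the same elevated session.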

The primary goal of the Embargo toolkit is to secure the successful deployment of the ransomware payload by disabling the security solution in the victim’s infrastructure. Embargo puts a lot of effort into replicating the same functionality at different stages of the attack. “During an active intrusion, we observed the ability of attackers to adapt their tools to a particular security solution,” adds Tomáš Zvara, researcher at ESET.

For a more detailed and technical analysis of the Embargo tools, see ESET Research’s latest blog post, “Embargo ransomware: Rock’n’Rust,” on WeLiveSecurity.com. Follow ESET Research on Twitter (now known as X) for the latest news.
