Embargo Ransomware Gang Deploys Customized Defense Evasion Tools
The Embargo ransomware group is deploying customized Rust-based tooling to overcome cybersecurity defenses, according to ESET researchers.
The new toolkit was observed during ransomware incidents targeting US companies in July 2024 and consisted of a loader and an EDR killer, named MDeployer and MS4Killer respectively.
MS4Killer is custom compiled for each victim’s environment, targeting only selected security solutions, making it especially dangerous.
The tools appear to have been developed together and contain some overlap in functionality.
MDeployer, MS4Killer and Embargo’s ransomware payload are all written in Rust, suggesting this is the “go-to” programming language for the group’s developers.
Embargo Gang a Well-Resourced Operator
The Embargo gang was first identified in June 2024. It appears to be well-resourced, with the ability to develop custom tools and set up its own infrastructure to communicate with victims.
The group primarily uses a double-extortion method – exfiltrating victims’ data and threatening to publish it on a leak site in addition to encrypting it.
ESET also believes Embargo is a ransomware-as-a-service (RaaS) provider.
The group is also able to adjust quickly during attacks.
“The main purpose of the Embargo toolkit is to secure successful deployment of the ransomware payload by disabling the security solution in the victim’s infrastructure. Embargo puts a lot of effort into that, replicating the same functionality at different stages of the attack,” the researchers wrote.
“We have also observed the attackers’ ability to adjust their tools on the fly, during an active intrusion, for a particular security solution,” they added.
MDeployer Loader
MDeployer is the main malicious loader Embargo attempts to deploy on victims’ machines in the compromised network. Its purpose is to facilitate ransomware execution and file encryption.
It executes two payloads, MS4Killer and the Embargo ransomware, and decrypts two encrypted files, a.cache and b.cache, that were dropped by an unknown previous stage.
When the ransomware finishes encrypting the system, MDeployer terminates the MS4Killer process, deletes the decrypted payloads and a driver file dropped by MS4Killer, and finally reboots the system.
Another feature of MDeployer is that when it is executed with admin privileges as a DLL file, it attempts to reboot the victim’s system into Safe Mode in order to disable selected security solutions. Because most cybersecurity defenses are not in effect in Safe Mode, this helps threat actors avoid detection.
MS4Killer Evasion Tool
MS4Killer is a defense evasion tool that uses a technique known as bring your own vulnerable driver (BYOVD) to terminate security product processes.
MS4Killer terminates security products from the kernel by installing and abusing a vulnerable driver that is stored in a global variable. The process identifier of the process to terminate is passed to s4killer as a program argument.
Embargo has extended the tool’s functionality with features such as being able to run in an endless loop to constantly scan for running processes and hardcoding the list of process names to kill in the binary.
After disabling the security tooling, Embargo affiliates can run the ransomware payload without worrying whether their payload gets detected.
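The two evasion behaviours described above (a vulnerable driver staged from a user-writable path followed by security-product terminations, and a reboot into Safe Mode) can be correlated from endpoint telemetry. The following is an added detection example, not code from ESET or the article: it runs over constructed, Sysmon-like log lines in a made-up `time|host|kind|detail` format, assumes a placeholder list of security-product process names, and assumes the Safe Mode reboot is staged via `bcdedit ... safeboot`, a mechanism the article does not specify.

```python
from datetime import datetime, timedelta

# Placeholder security-product process names (constructed, not from the article).
SECURITY_PROCS = {"msmpeng.exe", "ekrn.exe", "sensecncproxy.exe"}
# Paths a legitimate kernel driver should rarely be loaded from.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
WINDOW = timedelta(minutes=10)  # correlation window after a suspicious driver load


def parse(line):
    """Parse a constructed 'ISO-time|host|EventKind|detail' record into a dict."""
    ts, host, kind, detail = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "detail": detail.lower()}


def assess(lines):
    """Return {host: [reasons]} for hosts showing the BYOVD kill chain or the Safe Mode trick."""
    events = sorted(map(parse, lines), key=lambda e: e["ts"])
    findings = {}
    for i, drv in enumerate(events):
        # Step 1: a driver loaded from a user-writable location (BYOVD staging).
        if drv["kind"] != "DriverLoad" or not any(p in drv["detail"] for p in USER_WRITABLE):
            continue
        kills = set()
        for ev in events[i + 1:]:
            if ev["ts"] - drv["ts"] > WINDOW:
                break  # events are time-sorted, so nothing later can be in the window
            if ev["host"] == drv["host"] and ev["kind"] == "ProcessTerminate" and ev["detail"] in SECURITY_PROCS:
                kills.add(ev["detail"])
        # Step 2: several security processes dying shortly after that driver load.
        if len(kills) >= 2:
            findings.setdefault(drv["host"], []).append(
                f"driver from user-writable path followed by kills of {sorted(kills)}")
    for ev in events:
        # Separate indicator: boot configuration changed to force Safe Mode (assumed mechanism).
        if ev["kind"] == "ProcessCreate" and "bcdedit" in ev["detail"] \
                and "safeboot" in ev["detail"] and "/deletevalue" not in ev["detail"]:
            findings.setdefault(ev["host"], []).append("bcdedit set safeboot (reboot into Safe Mode)")
    return findings


# Constructed sample telemetry: ws01 shows both behaviours, ws02 is benign noise.
SAMPLE = [
    "2024-07-01T10:00:00|ws01|DriverLoad|c:\\users\\public\\drv.sys",
    "2024-07-01T10:00:05|ws01|ProcessTerminate|msmpeng.exe",
    "2024-07-01T10:00:06|ws01|ProcessTerminate|ekrn.exe",
    "2024-07-01T10:01:00|ws01|ProcessCreate|bcdedit /set {default} safeboot minimal",
    "2024-07-01T10:00:00|ws02|DriverLoad|c:\\windows\\system32\\drivers\\disk.sys",
    "2024-07-01T10:00:05|ws02|ProcessTerminate|notepad.exe",
]

if __name__ == "__main__":
    for host, reasons in assess(SAMPLE).items():
        print(host, "->", reasons)
```

A production rule would key on real Sysmon Event ID 6 (driver load) and process termination/creation events, and on a vendor-maintained list of protected process names rather than the placeholders used here.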