The multifaceted tactics of the Embargo ransomware group demonstrate a sophisticated understanding of system vulnerabilities, notably in how they manipulate Safe Mode to bypass security measures. Embargo, first identified in June 2024, targets primarily U.S.-based companies, leveraging specialized tools programmed in Rust: MDeployer and MS4Killer. Safe Mode is an operating system’s diagnostic mode designed for troubleshooting, running with minimal functionality to facilitate the isolation of system instabilities. By exploiting this mode, Embargo manages to disable key security defenses, thereby silencing endpoint detection and response mechanisms. ESET researchers have provided critical insights into this group’s modus operandi, highlighting the group’s adeptness at utilizing Safe Mode as a loophole to infiltrate and compromise networks.
The Role of Safe Mode in Embargo’s Attack
Embargo’s initial attack stage hinges on the deployment of MDeployer, a malicious loader designed to decrypt files using an RC4 encryption key, decidedly bypassing standard security protocols. Safe Mode’s reduced functionality plays a pivotal role here as many security solutions are either restricted or entirely non-operational in this mode. This environment confers an unintended benefit to Embargo, providing a less guarded landscape for their operations. The execution of MDeployer, often via a scheduled task labeled “Perf_sys,” proceeds with the decryption of two integral cache files: “a.cache” and “b.cache.” It is in these decrypted states that MDeployer can further mobilize MS4Killer, Embargo’s tailored Endpoint Detection and Response (EDR) killer.
MS4Killer harnesses a technique known as BYOVD (Bring Your Own Vulnerable Driver) to employ a vulnerable signed driver, specifically probmon.sys v3.0.0.4, allowing it to disable other security measures unfettered. This signed driver is exploited to incapacitate defensive software, reinforcing the sanctity of Safe Mode for Embargo’s malware execution. A defining characteristic of MS4Killer is its use of the XOR cipher to obscure key binary components, including logging message strings and encryption keys. The utilization of the Windows API function “OpenProcessToken” underscores the nuanced manipulation of processes, vital for evading security scrutiny. The eventual deployment of the Embargo ransomware payload encrypts files using random six-letter hexadecimal extensions, with each affected directory receiving a ransom note titled “HOW_TO_RECOVER_FILES.txt.”
Double Extortion Strategy and Defensive Evasion
The Embargo group is indicative of a broader trend among modern ransomware factions, both in their technical prowess and their operational strategies. One significant facet of their approach is the double extortion method, which not only encrypts victim data but also threatens to publish it on their leak site. This tactic essentially amplifies the leverage held over victims, potentially forcing quicker ransom payments to prevent sensitive information from becoming public. Communication channels offered by Embargo include their proprietary infrastructure and the Tox protocol, showcasing an advanced operational sophistication that aligns them with other prominent but disrupted groups like BlackCat and LockBit.
Further technical dissection of MS4Killer reveals its adept use of the XOR cipher to conceal various key components, such as logging messages, RC4 encryption keys, and the list of target processes. By exploiting the “CreateServiceW” API for service creation, the malicious tool deploys a vulnerable driver into critical system directories, managed via service aliases like Sysprox, Proxmon, and Sysmon64. This driver is initially encrypted using RC4 and then further obfuscated using XOR encryption for added security. The malware maintains its operation through strategic registry modifications in the HKLM\SYSTEM\ControlSet001\services path, ensuring persistent threats within the host system.
Maintaining Control and Ensuring Persistence
The Embargo group exemplifies a modern trend in ransomware gangs, showcasing both technical skill and sophisticated strategies. A key aspect of their approach is the double extortion technique. This method not only encrypts a victim’s data but also threatens to publish it on their leak site, thus increasing the pressure on victims to pay quickly to avoid public exposure of their sensitive information. Embargo’s communication methods include their proprietary infrastructure and the Tox protocol, highlighting an operational complexity akin to other notable groups like BlackCat and LockBit.
An in-depth analysis of MS4Killer reveals its expert use of the XOR cipher to hide key components such as logging messages, RC4 encryption keys, and targeted processes. By exploiting the “CreateServiceW” API, the malware introduces a vulnerable driver into crucial system directories, using service aliases like Sysprox, Proxmon, and Sysmon64. Initially encrypted with RC4 and further obfuscated with XOR, this driver ensures its continued operation. The malware secures its persistence through registry tweaks in the HKLM\SYSTEM\ControlSet001\services path, maintaining a constant threat within the host system.
