Rust in the hands of hackers: Embargo creates a new generation of ransomware

ESET Reveals the Dangerous Tandem of MDeployer and MS4Killer.

Researchers from ESET have discovered a new set of tools created by the Embargo group to deploy the ransomware of the same name. The programs are written in Rust, which lets the Embargo developers build cross-platform tooling for attacking both Windows and Linux systems. The toolkit consists of the MDeployer loader and the MS4Killer security-disabling component, both of which are tailored to each individual victim, making evasion of security products more effective. MS4Killer deserves particular attention: it is compiled separately for each target and aimed at the specific security products found there, which eases access to corporate data.

The Embargo group first came to ESET's attention in June 2024, and a public mention of it appeared in May of the same year. The researchers note that the group's tools are still under active development: each attack uses distinct versions and leaves behind artifacts indicating that work on the tools is ongoing. In July 2024, the first incidents occurred in the United States when updated versions of MDeployer and MS4Killer were used on corporate networks. Notably, MDeployer's version changed several times between the phases of a single attack, most likely because the operators made quick adjustments after a first failed attempt.

MDeployer is the main tool responsible for launching MS4Killer and the Embargo ransomware itself. MDeployer decrypts two files, a.cache and b.cache, and uses them to execute the malicious code. MS4Killer runs continuously while MDeployer completes the attack by covering its tracks, deleting files, and rebooting the system. Notably, the group makes active use of Windows Safe Mode: security solutions that are not active in that mode are effectively disabled, which simplifies the attack.

A hallmark of Embargo is the "double extortion" technique: if the victim refuses to pay the ransom, the stolen data is published on a leak site. The group interacts with victims through its own infrastructure and the Tox messenger, putting additional pressure on victims and often ensuring that its demands are met. The researchers believe that Embargo operates as a RaaS (ransomware as a service) provider, supplying attack tooling to other cybercriminals and paying affiliates according to the outcome of their attacks. Following recent arrests and the shutdown of other well-known groups such as BlackCat and LockBit, Embargo has carved out a niche for itself by offering a more flexible and effective approach.

ESET's research also revealed that Embargo's tools are prone to bugs and logic errors. For example, one version of MDeployer deleted a payload file and then tried to execute it, causing a crash. Such errors explain the presence of different tool versions within a single attack: the team adjusted its tools in the middle of the operation.

MS4Killer is notable for its use of the BYOVD (bring your own vulnerable driver) technique, in which a legitimately signed but vulnerable driver is abused to terminate the processes of security products. It continuously monitors for and kills security processes through the vulnerable probmon.sys driver, allowing the attackers to bypass security solutions at the kernel level. MS4Killer also conceals its activity by XOR-encrypting its strings and uses the Rayon concurrency library to distribute process-termination tasks across separate threads, improving the effectiveness of the attack.

Embargo's meticulous customization of its tools points to a high level of skill and the availability of significant resources.
