Embargo Ransomware Actors Abuse Safe Mode To Disable Security Solutions


Safe Mode is an operating system diagnostic mode. It is primarily used to troubleshoot issues by loading only essential “drivers” and “services.”

In Safe Mode, the system operates with minimal functionality, which makes it easier to “isolate the root causes” of system “instability” and “performance” issues.


ESET researchers recently identified that Embargo ransomware actors are actively abusing Safe mode to disable security solutions.

Embargo Ransomware Actors Abuse Safe Mode

Embargo ransomware was first detected in June 2024 using two specialized Rust-programmed tools.


The two specialized Rust-programmed tools are:

  • MDeployer (a malicious loader)
  • MS4Killer (an Endpoint Detection and Response killer)

This “RaaS” group specifically targets “US companies” by employing “custom-compiled tools” that are mainly tailored to each victim’s environment. 

MDeployer execution (Source – WeLiveSecurity)

The attack sequence begins with “MDeployer,” which is typically launched via a “scheduled task” named “Perf_sys.” MDeployer decrypts two encrypted cache files (“a.cache” and “b.cache”) using an “RC4 encryption key.”

MDeployer execution flow (Source – WeLiveSecurity)

MDeployer then loads MS4Killer, which exploits a vulnerable signed driver (“probmon.sys” v3.0.0.4) via a technique called “BYOVD” to disable security solutions, ESET said.

After “MS4Killer” successfully compromises the security of the system, the “MDeployer” deploys the Embargo ransomware payload which encrypts files with random “six-letter hexadecimal extensions” (like “.b58eeb”), drops a “ransom note” titled “HOW_TO_RECOVER_FILES.txt” in each encrypted directory, and creates a “mutex” (system synchronization object) named “IntoTheFloodAgainSameOldTrip.” 

Embargo ransom note (Source – WeLiveSecurity)

The group employs a double extortion strategy: it threatens to publish stolen data on its leak site and offers communication options through its own infrastructure and the “Tox protocol.”

This illustrates a well-resourced and technically advanced operation that emerged following disruptions to other major ransomware groups like “BlackCat” and “LockBit.”

Besides this, “MS4Killer” uses an “XOR cipher” to obscure three critical components within its binary.

The three obscured components are “logging message strings,” “an RC4 encryption key (specifically ‘FGFOUDa87c21Vg+cxrr71boU6EG+QC1mwViTciNaTUBuW4gQbcKboN9THK4K35sL’),” and “a list of target process names.”

When deployed, it uses the Windows API function “OpenProcessToken” for process manipulation and a custom decryption routine to reveal these hidden strings.

The tool deploys a vulnerable driver named ‘probmon.sys’ to one of two locations (“C:\Windows\System32\drivers\Sysprox.sys” or “C:\Windows\Sysmon64.sys”), managed via three service aliases.

This driver is initially stored as an “RC4-encrypted blob” which is further secured using “XOR encryption.” 

The primary function of the malware involves continuously monitoring and terminating security software processes by using the “SeLoadDriverPrivilege” for driver management and employing the “CreateServiceW” API for service creation.

It keeps this driver service in place through “strategic registry modifications” under the “HKLM\SYSTEM\ControlSet001\Services” path.
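As an added example (not code from ESET or from the article), the following Python detector matches normalised host events against the MDeployer/MS4Killer/Embargo indicators described above. The event schema and the sample telemetry are constructed assumptions; the task name, file names, driver paths, mutex and registry path are the ones reported in the article.

```python
# Indicators as reported by ESET (names and paths quoted in the article above).
TASK_NAME = "Perf_sys"
CACHE_FILES = {"a.cache", "b.cache"}
DRIVER_DROP_PATHS = {"c:\\windows\\system32\\drivers\\sysprox.sys", "c:\\windows\\sysmon64.sys"}
VULN_DRIVER = "probmon.sys"          # signed, vulnerable driver abused via BYOVD
RANSOM_NOTE = "HOW_TO_RECOVER_FILES.txt"
MUTEX = "IntoTheFloodAgainSameOldTrip"
SERVICES_KEY = "hklm\\system\\controlset001\\services\\"


def check_event(ev):
    """Return (indicator, detail) hits for one normalised event dict; [] if benign."""
    hits, kind = [], ev.get("type")
    if kind == "task_create" and ev.get("task_name") == TASK_NAME:
        hits.append(("mdeployer_scheduled_task", ev["task_name"]))
    elif kind == "file_create":
        path = ev.get("path", "")
        name = path.rsplit("\\", 1)[-1]
        if name in CACHE_FILES:
            hits.append(("encrypted_cache_file", path))
        if path.lower() in DRIVER_DROP_PATHS:
            hits.append(("ms4killer_driver_drop", path))
        if name == RANSOM_NOTE:
            hits.append(("embargo_ransom_note", path))
    elif kind == "driver_load" and ev.get("original_name", "").lower() == VULN_DRIVER:
        hits.append(("byovd_probmon_load", ev.get("path", "")))
    elif kind == "mutex_create" and ev.get("name") == MUTEX:
        hits.append(("embargo_mutex", ev["name"]))
    elif kind == "registry_set" and ev.get("key", "").lower().startswith(SERVICES_KEY):
        hits.append(("service_key_write", ev["key"]))  # low fidelity alone; correlate it
    return hits


def scan(events):
    """Scan an ordered event list; returns [(event_index, indicator, detail), ...]."""
    return [(i, ind, det) for i, ev in enumerate(events) for ind, det in check_event(ev)]


# Constructed sample telemetry for this example (assumed schema, not real logs).
SAMPLE_EVENTS = [
    {"type": "task_create", "task_name": "Perf_sys"},
    {"type": "file_create", "path": "C:\\ProgramData\\a.cache"},
    {"type": "file_create", "path": "C:\\ProgramData\\b.cache"},
    {"type": "file_create", "path": "C:\\Windows\\System32\\drivers\\Sysprox.sys"},
    {"type": "driver_load", "path": "C:\\Windows\\System32\\drivers\\Sysprox.sys",
     "original_name": "probmon.sys", "version": "3.0.0.4"},
    {"type": "registry_set", "key": "HKLM\\SYSTEM\\ControlSet001\\Services\\Sysprox\\ImagePath"},
    {"type": "mutex_create", "name": "IntoTheFloodAgainSameOldTrip"},
    {"type": "file_create", "path": "C:\\Users\\alice\\Documents\\HOW_TO_RECOVER_FILES.txt"},
    {"type": "file_create", "path": "C:\\Users\\alice\\Documents\\report.docx"},
]
```

The registry write alone is noisy on any host that installs services, so treat it as corroboration for the driver drop and driver load rather than as a stand-alone alert.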
