Novice ransomware group Embargo is testing and deploying a new Rust-based toolkit
Analysis Summary
# Tool/Technique: MDeployer and MS4Killer (Embargo Ransomware Toolkit)
## Overview
MDeployer and MS4Killer are custom Rust-based tools developed and deployed by the novice ransomware group **Embargo**. MDeployer functions as a malicious loader designed to deploy MS4Killer (an EDR killer) and the Embargo ransomware payload. MS4Killer is specifically notable for being custom-compiled for each victim to target only selected security solutions, utilizing a vulnerable driver to disable endpoint protection.
## Technical Details
- Type: Malware (Loader and EDR Killer)
- Platform: Windows (Implied by driver usage and EDR targeting)
- Capabilities: Decrypting and executing secondary payloads (MS4Killer, Embargo ransomware), process termination, registry modification, system rebooting, and disabling security solutions.
- First Seen: June 2024 (Embargo observed by ESET). New toolkit deployed starting July 2024.
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
  - T1562 - Impair Defenses
    - T1562.001 - Disable or Modify Tools (MDeployer, MS4Killer, and a BAT script disable security solutions)
    - T1562.009 - Safe Mode Boot (MDeployer and a BAT script reboot into Safe Mode)
- **TA0002 - Execution**
  - T1053.005 - Scheduled Task/Job (Used to run MDeployer)
  - T1569.002 - System Services: Service Execution (Uses a Windows service to execute MDeployer in Safe Mode)
- **TA0003 - Persistence**
  - T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Modifies registry to start a custom service in Safe Mode)
- **TA0007 - Discovery**
  - T1083 - File and Directory Discovery (Performed by ransomware payload)
  - T1135 - Network Share Discovery (Performed by ransomware payload)
- **TA0004 - Privilege Escalation**
  - T1112 - Modify Registry (MS4Killer modifies the registry to load a legitimate vulnerable driver)
- **TA0011 - Command and Control**
  - T1059.001 - Command-Line Interface: PowerShell (Used to transfer MDeployer)
- **TA0040 - Impact**
  - T1486 - Data Encrypted for Impact (Performed by Embargo ransomware)
  - T1490 - Inhibit System Recovery (Disables automatic Windows recovery)
## Functionality
### Core Capabilities
**MDeployer (Loader):**
1. Decrypts two files (`a.cache` and `b.cache`) dropped by a previous stage using a hardcoded RC4 key.
2. Decrypts and executes MS4Killer first, saving it as `praxisbackup.exe`.
3. Decrypts and executes the Embargo ransomware payload second, saving it as `pay.exe`.
4. Verifies MS4Killer is running (expecting `WAIT_TIMEOUT` from `WaitForSingleObject`). If MS4Killer exits early, MDeployer logs an error and terminates without executing ransomware.
5. Performs cleanup: terminates MS4Killer, deletes decrypted payloads and the driver file dropped by MS4Killer, and finally reboots the system.
**MS4Killer (EDR Killer):**
1. Custom-compiled for the victim’s environment.
2. Disables security solutions, notably by abusing a vulnerable driver.
3. Modifies the registry to load the vulnerable driver.
### Advanced Features
- **Rust Development:** Both tools are written in Rust, indicating the group's preference and capability for cross-platform development (Embargo ransomware is also Rust-based).
- **Victim Tailoring:** MS4Killer is custom-compiled for each victim, suggesting automation or specific configuration based on preliminary discovery of installed security products (e.g., SentinelOne, Cylance, McAfee/VirusScan Enterprise [WRSA/WR]).
- **Safe Mode Abuse:** The overall toolkit leverages Safe Mode (via a service execution and an accompanying BAT script) to get the upper hand over security products.
## Indicators of Compromise
- File Hashes: (Not provided in the text)
- File Names: `praxisbackup.exe` (For decrypted MS4Killer), `pay.exe` (For decrypted ransomware payload).
- Registry Keys: Modified to start a custom service in Safe Mode (Persistence). Registry modifications used by MS4Killer to load a vulnerable driver.
- Network Indicators: The group utilizes its own infrastructure and allows communication via Tox (Defanged: hkp://tox.link).
- Behavioral Indicators: Attempting to reboot the system into Safe Mode. Termination of specific EDR services/processes (e.g., `SentinelAgent.exe`, `MsMpEng.exe`, `CylanceSvc.exe`, `ekrn.exe`). RC4 decryption activity on cached files.
## Associated Threat Actors
- Embargo (Novice ransomware group, suspected to operate as RaaS).
## Detection Methods
- **Signature-based detection:** Alert on the execution of files named `praxisbackup.exe` and `pay.exe`.
- **Behavioral detection:** Detection of MDeployer’s logic: decrypting files, executing one payload (EDR killer), waiting for confirmation, then executing the second payload (ransomware), followed by cleanup and system reboot command.
- **YARA rules:** (Not provided in the text)
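The behavioral detection described above, as an added example that is not part of the original report: the chain of an EDR killer starting, EDR processes stopping, and the ransomware file name executing on the same host within a short window. The file names, the EDR process names and the stage order come from the report; the 10-minute correlation window, the host names and the event records are assumptions constructed for the example.

```python
"""Correlate process telemetry for the MDeployer chain (MS4Killer first,
ransomware second). All sample events below are constructed, not real logs."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

EDR_KILLER = "praxisbackup.exe"   # decrypted MS4Killer file name (report)
RANSOMWARE = "pay.exe"            # decrypted Embargo payload file name (report)
EDR_PROCS = {"sentinelagent.exe", "msmpeng.exe", "cylancesvc.exe", "ekrn.exe"}
WINDOW = timedelta(minutes=10)    # assumed correlation window (not from the report)

# Constructed sample telemetry: (host, ISO timestamp, event type, image path)
SAMPLE_EVENTS = [
    ("ws01", "2024-07-01T02:00:01", "process_start", r"C:\Windows\praxisbackup.exe"),
    ("ws01", "2024-07-01T02:00:05", "process_stop", r"C:\Program Files\SentinelOne\SentinelAgent.exe"),
    ("ws01", "2024-07-01T02:00:09", "process_start", r"C:\Windows\pay.exe"),
    ("ws02", "2024-07-01T03:00:00", "process_start", r"C:\Users\bob\pay.exe"),
    ("ws03", "2024-07-01T04:00:00", "process_stop", r"C:\Program Files\ESET\ekrn.exe"),
    ("ws04", "2024-07-01T05:00:00", "process_start", r"C:\Windows\praxisbackup.exe"),
    ("ws04", "2024-07-01T05:30:00", "process_start", r"C:\Windows\pay.exe"),  # outside window
]
LEVELS = {1: "low", 2: "medium", 3: "high", 4: "critical"}

def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()

def note(state, sev, reason):
    state["hits"].append(reason)
    state["sev"] = max(state["sev"], sev)

def detect(events):
    """Return {host: (severity, reasons)} for hosts showing any stage of the chain."""
    by_host = {}
    for host, ts, kind, image in sorted(events, key=lambda e: e[1]):
        when, name = datetime.fromisoformat(ts), image_name(image)
        st = by_host.setdefault(host, {"killer": None, "hits": [], "sev": 0})
        # True when an EDR-killer start was seen on this host within WINDOW
        recent = st["killer"] is not None and when - st["killer"] <= WINDOW
        if kind == "process_start" and name == EDR_KILLER:
            st["killer"] = when
            note(st, 2, f"{EDR_KILLER} executed (MS4Killer file name)")
        elif kind == "process_stop" and name in EDR_PROCS:
            note(st, 3 if recent else 1, f"EDR process {name} stopped" + (" after EDR killer start" if recent else ""))
        elif kind == "process_start" and name == RANSOMWARE:
            note(st, 4 if recent else 2, f"{RANSOMWARE} executed" + (" after EDR killer start: MDeployer chain" if recent else ""))
    return {h: (LEVELS[s["sev"]], s["hits"]) for h, s in by_host.items() if s["sev"]}

if __name__ == "__main__":
    for host, (sev, reasons) in detect(SAMPLE_EVENTS).items():
        print(host, sev, "; ".join(reasons))
```

A lone `pay.exe` or EDR-process stop only scores low or medium; the full MDeployer order on one host within the window is what raises it to critical.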
## Mitigation Strategies
- **Prevention measures:** Hardening systems to prevent initial access and execution of MDeployer (often via PowerShell or Scheduled Tasks). Implementing strong application control policies.
- **Hardening recommendations:** Disable or restrict Windows services capable of launching processes into Safe Mode. Regularly patch systems against vulnerable drivers used for disabling security controls. Review registry persistence keys related to starting services/applications during boot.
## Related Tools/Techniques
- Embargo Ransomware (The final payload executed by MDeployer).
- Other Rust-based ransomware families: BlackCat, Hive.