Additionally, MDeployer uses a hardcoded string 8.8.8.8 for DNS resolution. It also sets a registry key HKLM\SYSTEM\CurrentControlSet\Services\sysmon to 1. We assume that this is an attempt to disable the Sysmon service, but the service name is hardcoded and may vary between environments.
Before execution, MDeployer checks the environment for a mutex named E1D2F3G4H5. If the mutex exists, the loader exits. This mutex was present in all MDeployer samples we’ve seen.
After execution, MDeployer logs its actions in C:\Windows\sysmon.log and C:\Windows\sysmon-error.log. The first file contains information about executed commands, while the second logs errors. These files were present in all versions observed. Figure 4 shows a snippet from the log file.
Figure 4. MDeployer log file snippet
MS4Killer
MS4Killer is a custom EDR killer used by the Embargo group. It is responsible for disabling specific security solutions running on the victim’s machine to ensure the success of the ransomware attack.
Based on its name, MS4Killer is likely named after Microsoft Security Solutions, suggesting that it is specifically tailored to target Microsoft’s security products.
MS4Killer is custom compiled for each victim’s environment, making it more difficult for security solutions to detect and block its activities. It is designed to terminate processes related to security software, allowing the ransomware to operate without interference.
During our analysis, we observed that MS4Killer is decrypted and executed by MDeployer as part of the ransomware deployment process. Once it has completed its task of disabling security solutions, MS4Killer is terminated by MDeployer before the ransomware payload is executed.
Overall, the use of MS4Killer by the Embargo group demonstrates their sophistication and dedication to evading security measures in order to carry out successful ransomware attacks.
as an informative article:
ESET researchers have recently uncovered new Rust-based tooling linked to the deployment of Embargo ransomware. Embargo, a relatively new player in the ransomware landscape, was first detected by ESET in June 2024. The toolkit includes a loader named MDeployer and an EDR killer known as MS4Killer. Notably, MS4Killer is customized for each victim’s environment, targeting specific security solutions. Both tools are written in Rust, the preferred programming language of the Embargo group for developing ransomware.
Key points highlighted in the article include the active development and testing of new Rust-based tools by Embargo, the group’s exploitation of Safe Mode to disable security solutions, and the customization of tools for each victim.
In July 2024, ransomware incidents targeting US companies showcased the utilization of these new tools by the threat actor behind Embargo. Variations in the deployed versions of MDeployer and MS4Killer, along with bugs and leftover artifacts, indicate ongoing development of these tools.
Embargo, which surfaced in May 2024 after being initially observed by ESET in June 2024, stands out for its use of Rust as a programming language for ransomware. The group’s modus operandi suggests a well-resourced entity that engages in double extortion tactics and operates as a Ransomware-as-a-Service (RaaS) provider. Recent disruptions in the RaaS space have paved the way for sophisticated new actors like Embargo to emerge.
The article provides insights into the characteristics of Embargo ransomware payloads, such as the unique six-letter extension added to encrypted files and the creation of specific mutexes. The group’s choice of mutex names based on popular rock song lyrics is also highlighted.
MDeployer, the primary loader used by Embargo, plays a crucial role in facilitating the deployment of MS4Killer and the ransomware payload. It decrypts and executes these payloads, ensuring the encryption of files on the victim’s system. MDeployer’s interaction with various files and its actions, including disabling the Sysmon service, are detailed in the article.
MS4Killer, as an EDR killer developed by Embargo, is tailored to disable specific security solutions, particularly those from Microsoft. Custom compiled for each victim, MS4Killer aims to eliminate security software processes to pave the way for successful ransomware attacks. The article emphasizes the sophistication and customization of MS4Killer by the Embargo group.
Overall, the article sheds light on the evolving tactics and tools used by Embargo ransomware operators, underscoring the need for enhanced cybersecurity measures to combat such threats.
Files manipulated by MDeployer
Path
Description
C:\Windows\Debug\b.cache
RC4-encrypted MS4Killer.
C:\Windows\Debug\a.cache
RC4-encrypted Embargo ransomware.
C:\Windows\praxisbackup.exe
Decrypted MS4Killer.
C:\Windows\Debug\pay.exe
Decrypted Embargo ransomware.
C:\Windows\Debug\fail.txt
Log file.
C:\Windows\Debug\stop.exe
Dummy file used for control flow.
C:\Windows\Sysmon64.sys
Legitimate vulnerable driver dropped by MS4Killer.
Safe Mode abuse
With only one exception among the incidents we investigated, where we saw it deployed as a DLL, MDeployer was compiled as an EXE file. The DLL variant contains the additional capability to disable security solutions.
For an overview of the DLL execution flow, refer to Figure 4.
Figure 4. DLL MDeployer execution flow
The first difference happens right at the beginning of the DLL execution – this version actually checks whether the file stop.exe exists. The existence of this file means that MDeployer was already executed in the past and either it successfully deployed the ransomware payload or it exited with an error. So, if the file is found, the loader only does its cleanup routine and exits. Note that the EXE versions create the stop.exe file, but never check for its existence.
The next thing the DLL version of MDeployer does is to check whether it was executed with admin privileges. If it wasn’t, it goes on exactly like the EXE version. In fact, the EXE versions were likely compiled using the source code of this single execution branch.
However, if it was executed with admin privileges, the loader attempts to reboot the victim’s system into Safe Mode in order to disable selected security solutions.
Safe Mode, a diagnostic mode of the Windows OS, runs the system with only minimal functionality. Because of this, most cybersecurity measures and protections are not in effect in Safe Mode, which provides an opportunity for threat actors to exploit it to avoid detection. This technique is known among mature ransomware groups and has been abused in the past, as reported by Forbes in 2022.
The security-disabling functionality happens in two steps.
Step 1
The purpose of the first step is to reboot the system into Safe Mode. The loader achieves this using a combination of Windows command line tools bcdedit, sc, and reg to:
set Safe Mode as the default boot mode,
disable Windows Defender in Safe Mode,
create a service, irnagentd, that executes the loader after the system is rebooted into Safe Mode, and
Once in Safe Mode, the loader disables selected security tools by renaming their installation directories, then executes the Embargo ransomware payload.
After that, it does a “Safe Mode cleanup” – it deletes the decrypted ransomware file pay.exe, creates the control flow file stop.exe to prevent double encryption, deletes the persistence service irnagentd, and reboots the system back into normal mode.
BAT disabler
In one of the incidents, we also saw the extra functionality of the DLL loader implemented as a BAT script. This script targets a single security solution – a theme you will encounter again, later in this article. It used the same technique of rebooting into Safe Mode with the help of a persistence service, irnagentd, and then renaming the installed security software’s installation directory. It even used the same stop.exe file for control flow and logged error messages into fail.exe (fail.txt in MDeployer).
This again shows that Embargo modifies its tools to suit each victim’s environment.
Logging
In case MDeployer encounters any errors, it logs error messages into the file fail.txt and then creates the file stop.exe.
There are four stages that the attacker distinguishes in their log messages – they use a different prefix for logging errors in each of them:
[dec] – payload decryption,
[exec] – ransomware execution,
[execk] – MS4Killer execution, and
[kler] – MS4Killer run (this prefix is used when MS4Killer exits unexpectedly).
In the DLL version there are additional log message prefixes compared to the EXE versions:
[sc], [sc delete] – creating or deleting the service irnagentd,
[reg], [reg-del] – modifying Windows registry, and
[setsb] – using the bcdedit.exe command line tool to set Safe Mode on next restart.
Cleanup
MDeployer has several variants of a cleanup routine launched at different occasions.
After successfully executing the ransomware payload, the loader proceeds with cleanup tasks, terminating the MS4Killer process, deleting decrypted payloads and the vulnerable driver dropped by MS4Killer, and creating the flow control file stop.exe. If any errors occur during loader execution, the same cleanup routine is triggered.
If the cleanup routine is initiated due to the presence of stop.exe, MDeployer also removes its own PE file before rebooting the system using the command shutdown -r -f -t 00.
The loader’s persistence is maintained through a scheduled task named Perf_sys, created by an elevated system user BITCH\Administrator. Additionally, in one instance, a PowerShell script similar to WinRM-fs was used to execute MDeployer, indicating potential use of similar tools for loader delivery.
The loader samples show signs of active development, with inconsistencies and messy control flow suggesting ongoing improvements. MDeployer’s deletion of the vulnerable driver dropped by MS4Killer indicates coordinated development between the two tools, despite some overlapping functionalities.
There are bugs in the DLL version of the loader that hinder its functionality, leading to multiple versions being used in a single incident as the threat actor adapts to problems encountered during operations.
MS4Killer, a defense evasion tool inspired by s4killer, terminates security processes using the BYOVD technique. It runs in a loop scanning for processes to terminate, with encrypted strings and an embedded vulnerable driver abused for kernel-level code execution.
The BYOVD technique utilized by MS4Killer involves exploiting the vulnerable driver probmon.sys, version 3.0.0.4, signed by a revoked certificate from ITM System Co.,LTD. The driver is embedded in MS4Killer as an encrypted blob, with its misuse reported to Microsoft.
String decryption techniques are used by MS4Killer to hide embedded strings, such as log messages and process names, XOR encrypting them for obfuscation. The decryption process involves XOR operations to reveal the concealed information within the binary. We have identified two different file paths where MS4Killer drops the vulnerable driver:
Figure 9. Decryption and dropping of vulnerable driverprobmon.sys
The loading of the driver aligns with the behavior of s4killer:
Enabling the SeLoadDriverPrivilege necessary for loading and unloading device drivers,
Creating a service via CreateServiceW,
Creating additional registry keys, required for filter loading, in HKLM\SYSTEM\ControlSet001\services\<service_name>, and
Loading a minifilter driver into the system via FilterLoad.
So far, we have observed MS4Killer using three different service names: Sysprox, Proxmon, and Sysmon64.
Hidden process list
MS4Killer continuously checks running processes against an embedded list of security software process names, which are also XOR-encrypted. Right after the driver loads, MS4Killer decrypts the list of process names (Figure 10).
Figure 10. Example of the encrypted, embedded security software process names from one MS4Killer sample
These process names correspond to processes from various security products (see also Appendix: Example of MS4Killer termination process list). The code snippet in Figure 10 reveals duplicates in the process names (like ekrn.exe), some decrypted strings pointing to the same location (referencing variables hHandle, Luid, and lpMem), and one dummy process name: firefox.exe. Furthermore, by following the cross-references of decrypted string variables, we find comparison logic where only a subset of process names is utilized. Figure 11 displays a code snippet where, in one instance, only process names ERAAgent.exe and ekrn.exe, from ESET products, are compared against the running processes. Examination of multiple MS4Killer samples indicates that, in each breach, only processes from a specific security solution are monitored, despite the embedded process list containing names from multiple security products.
Figure 11. Decision logic determining which processes are terminated
There is evidence suggesting that MS4Killer samples were compiled shortly before the actual attacks and targeted only the security solution protecting the victim’s machine.
Conclusion
In this blog post, we have analyzed new Rust tools named MDeployer and MS4Killer, actively utilized by the ransomware group Embargo. Embargo, a newcomer in the ransomware landscape, aims to rival established gangs and is believed to offer RaaS services.
The primary goal of the Embargo toolkit is to ensure the successful deployment of ransomware by disabling the victim’s security solution. This is evident as the same security-solution-disabling functionality is present at various stages of the attack (BAT script, MDeployer, and MS4Killer). The attackers demonstrate the ability to adapt their tools on the fly during an active intrusion, targeting specific security solutions.
Both MDeployer and MS4Killer are coded in Rust, the same language used for the ransomware payload, indicating a preference for Rust among the group’s developers. During one incident, two versions of MDeployer were deployed, with logical bugs affecting tool functionality. The quick adjustments made to the tools during intrusions, along with the close compilation timestamps to intrusion times, suggest that the attacker can rapidly modify and recompile their tools as needed.
For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. If you have any questions regarding this service, feel free to check out the ESET Threat Intelligence page for more information.
IoCs
Files
SHA-1
Filename
Detection
Description
A1B98B1FBF69AF79E5A3F27AA6256417488CC117
dtest.dll
Win64/Agent.ECY
MDeployer – loader deploying MS4Killer and Embargo ransomware.
If you want to delve deeper into the technical details, visit the ESET Threat Intelligence page for a comprehensive overview.
MITRE ATT&CK techniques
Appendix: Example of MS4Killer termination process list (in alphabetical order)
For more insights and detailed information, make sure to explore the ESET Threat Intelligence page. text in a more concise form. sentence to make it more concise:
“His intention was to arrive at the meeting on time.”
