Researchers have identified new Rust-based tools used by the Embargo ransomware group. The toolkit includes MDeployer and MS4Killer, which are custom-compiled to target specific security solutions.
MS4Killer is particularly notable for its tailored approach to disabling EDR protections, and both tools are written in Rust, indicating Embargo's preference for this programming language.
MDeployer deploys MS4Killer and Embargo ransomware, where MS4Killer disables security products using a vulnerable driver. The tools are actively developed and have been observed in multiple ransomware incidents.
Embargo, a relatively new ransomware group, uses Rust to develop ransomware that targets both Windows and Linux. It operates as a RaaS provider and uses double extortion, backed by a leak site, to pressure victims into paying.
MDeployer, the loader used by Embargo, decrypts and executes both MS4Killer, an EDR killer, and the ransomware payload itself. MS4Killer creates a driver file and logs its activity to a file named ms4killer.log.
The DLL version of MDeployer checks for the existence of stop.exe before proceeding. If the file is found, it performs cleanup and exits, since the file indicates a previous deployment attempt, whether successful or not. The EXE versions differ: they create stop.exe but do not check for it.
It also checks for administrator privileges and, if it has them, attempts to reboot the system into Safe Mode to disable security solutions, a technique well known among ransomware groups and used in past attacks.
The loader first configures the system to boot into Safe Mode and disables Windows Defender. Then, it executes the ransomware payload in Safe Mode, disables security tools, and cleans up after the attack by removing unnecessary files and services before rebooting the system back into normal mode.
The BAT script, which acts as a DLL loader, targets a specific security solution: it leverages the irnagentd persistence service to reboot into Safe Mode and renames the security software's installation directory.
MDeployer’s cleanup routine, triggered by successful payload execution or loader errors, terminates MS4Killer, removes decrypted payloads and vulnerable drivers, creates a stop file, and optionally self-deletes.
The loader was executed persistently by a scheduled task named Perf_sys, created by a privileged user; the loader itself was potentially delivered by a tool like WinRM-fs.
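The MDeployer behaviours described above (the Perf_sys scheduled task, the ms4killer.log and stop.exe files, the Safe Mode reconfiguration and the driver service) are each individually noisy but together form a strong host-level signal. The following detection logic is an added example, not ESET's code or anything from the Embargo toolkit: the event shape and the sample events are constructed to resemble endpoint telemetry, the indicator values come from the article, and the Safe Mode check assumes the boot configuration is changed through bcdedit's safeboot option (an assumption; the article does not say how the loader does it). The driver file name is a placeholder.

```python
"""Constructed detection logic for the MDeployer / MS4Killer behaviours in the article.

Added example, not ESET's code or the Embargo toolkit. Event format and sample
events are constructed; indicator values (Perf_sys, ms4killer.log, stop.exe,
Safe Mode reboot, driver service) come from the article. The bcdedit/safeboot
check is an assumption about how Safe Mode is configured.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Event:
    host: str
    kind: str    # "task_create", "file_create", "process_create", "service_create"
    detail: str  # task name, file path, command line, or service binary path


def check_event(ev: Event) -> list[str]:
    """Return the list of findings a single event triggers (possibly empty)."""
    findings: list[str] = []
    d = ev.detail.lower()
    if ev.kind == "task_create" and d == "perf_sys":
        findings.append("scheduled task Perf_sys created (MDeployer persistence)")
    if ev.kind == "file_create" and d.endswith("ms4killer.log"):
        findings.append("ms4killer.log written (MS4Killer activity log)")
    if ev.kind == "file_create" and d.endswith("\\stop.exe"):
        findings.append("stop.exe marker created (MDeployer cleanup)")
    if ev.kind == "process_create" and "bcdedit" in d and "safeboot" in d:
        findings.append("boot configuration set to Safe Mode (assumed bcdedit safeboot)")
    if ev.kind == "service_create" and d.endswith(".sys"):
        findings.append("kernel driver service created (possible BYOVD)")
    return findings


def triage(events: list[Event]) -> dict[str, list[str]]:
    """Group findings per host so the analyst sees the whole chain, not one alert."""
    per_host: dict[str, list[str]] = {}
    for ev in events:
        for finding in check_event(ev):
            per_host.setdefault(ev.host, []).append(finding)
    return per_host


def escalate(events: list[Event], threshold: int = 2) -> list[str]:
    """Hosts with at least `threshold` distinct findings; a lone stop.exe is not enough."""
    return sorted(h for h, fs in triage(events).items() if len(set(fs)) >= threshold)


# Constructed sample telemetry: ws-01 shows the full chain, ws-02 a single weak hit.
SAMPLE_EVENTS = [
    Event("ws-01", "task_create", "Perf_sys"),
    Event("ws-01", "file_create", r"C:\Windows\Temp\ms4killer.log"),
    Event("ws-01", "process_create", "bcdedit.exe /set {default} safeboot minimal"),
    Event("ws-01", "service_create", r"C:\Windows\System32\drivers\PLACEHOLDER_DRIVER.sys"),
    Event("ws-02", "file_create", r"C:\ProgramData\stop.exe"),
    Event("ws-02", "process_create", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        print(host, "->", findings)
    print("escalate:", escalate(SAMPLE_EVENTS))
```

The threshold is the point of the design: any one of these indicators has benign look-alikes (administrators do reboot into Safe Mode), but a scheduled task named Perf_sys followed by a driver service and a Safe Mode boot change on the same host within one window matches the loader sequence the article describes.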
The loader samples contain bugs, suggesting the tooling is still under development, and MDeployer and MS4Killer overlap in functionality. MS4Killer, inspired by s4killer, is a BYOVD-based (bring your own vulnerable driver) defense evasion tool.
MS4Killer terminates targeted processes using a vulnerable driver: it scans running processes for names matching a hardcoded list, with both the driver and the strings stored encrypted. To evade detection, it spawns itself as a child process and uses multiple threads.
MS4Killer hides its strings using XOR encryption, decrypts them on API failure, and outputs them in error messages. It also contains an RC4-encrypted driver blob, which is additionally XOR-encrypted, that is dropped to a system directory.
According to ESET researchers, it loads the driver using standard techniques, including enabling privileges, creating services, and modifying registry keys. It embeds a list of encrypted process names from multiple security products.
Upon loading, it decrypts these names and compares them against running processes. However, only a subset of these names is actually used to terminate processes, suggesting that MS4Killer is tailored to target specific security solutions.
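An analyst who pulls the encrypted process-name list out of a sample like this wants two things: the plaintext names, and which of them are actually present on an affected host. The helper below is an added example, not ESET's code or anything recovered from MS4Killer. It assumes a single-byte XOR key and NUL-separated names (the article says only that the strings are XOR-encrypted, so the key length and layout are assumptions), builds a constructed blob so it runs offline, and uses placeholder process names rather than real security products.

```python
"""Analyst helper for an XOR-obfuscated process-name list.

Added example, not ESET's code or anything from MS4Killer. Assumptions: a
single-byte XOR key and NUL-separated names. The blob, key and process names
below are constructed placeholders.
"""
from __future__ import annotations

PLACEHOLDER_NAMES = ["example_edr.exe", "example_av_service.exe", "example_agent.exe"]
CONSTRUCTED_KEY = 0x5A  # constructed; a real sample's key is recovered, not known


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def build_blob(names: list[str], key: int = CONSTRUCTED_KEY) -> bytes:
    """Constructed stand-in for the encrypted list a sample would carry."""
    return xor_bytes(b"\x00".join(n.encode() for n in names), key)


def _plausible(piece: bytes) -> bool:
    """A decrypted piece counts only if it is non-empty, printable ASCII and an *.exe name."""
    return bool(piece) and all(0x20 <= b < 0x7F for b in piece) and piece.lower().endswith(b".exe")


def recover_xor_strings(blob: bytes) -> list[tuple[int, list[str]]]:
    """Try every single-byte key; keep keys whose output splits into plausible names."""
    hits: list[tuple[int, list[str]]] = []
    for key in range(1, 256):
        pieces = xor_bytes(blob, key).split(b"\x00")
        if all(_plausible(p) for p in pieces):
            hits.append((key, [p.decode() for p in pieces]))
    return hits


def affected_processes(names: list[str], running: list[str]) -> list[str]:
    """Which decrypted targets are present on a host (case-insensitive, as Windows names are)."""
    wanted = {n.lower() for n in names}
    return sorted(p for p in running if p.lower() in wanted)


# Constructed inputs: the encrypted blob and a process listing from a hypothetical host.
CONSTRUCTED_BLOB = build_blob(PLACEHOLDER_NAMES)
CONSTRUCTED_RUNNING = ["explorer.exe", "svchost.exe", "Example_EDR.exe"]

if __name__ == "__main__":
    for key, names in recover_xor_strings(CONSTRUCTED_BLOB):
        print(f"key=0x{key:02x} names={names}")
        print("present on host:", affected_processes(names, CONSTRUCTED_RUNNING))
```

Requiring every piece to end in `.exe` is what makes the brute force unambiguous: a wrong key can turn some byte into a NUL separator, but it cannot make the final bytes of the blob read `.exe`, so only the true key survives. Comparing the recovered names against a host's process list mirrors the article's observation that only a subset of the embedded names matters in a given incident.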