MS4killer

MS4Killer is a highly sophisticated malware that was observed in ransomware incidents targeting US companies in July 2024. It is part of a new toolkit developed by the Embargo group, which includes MDeployer, a loader designed to deploy Embargo's ransomware and other payloads, and MS4Killer, an Endpoint Detection and Response (EDR) killer. This malware is custom compiled for each victim's environment, targeting selected security solutions, thereby increasing its potency. The toolkit appears to be under active development, as evidenced by slight variations in the versions of MDeployer and MS4Killer observed during different intrusions. The MS4Killer malware operates by disabling security products using a technique known as bring your own vulnerable driver (BYOVD). Once deployed on a compromised system, the MDeployer tool decrypts and executes the MS4Killer payload, followed by the Embargo ransomware. It then proceeds to execute two payloads, MS4Killer and Embargo ransomware, and decrypts two encrypted files, a.cache and b.cache, that were dropped by an unknown previous stage. After the ransomware finishes encrypting the system, MDeployer terminates the MS4Killer process, deletes the decrypted payloads and a driver file dropped by MS4Killer, and reboots the system. Both MDeployer and MS4Killer are written in Rust, suggesting it is the preferred programming language for the group's developers. MS4Killer appears to have been inspired by a proof-of-concept tool named s4killer, but the functionality has been enhanced by Embargo to make it more effective in real-world attacks. MS4Killer poses a significant threat due to its ability to evade defense mechanisms, terminate security product processes from the kernel by installing and abusing a vulnerable driver stored in a global variable, and its tailored approach to each victim's environment.