Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone - SentinelLabs

Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone


Egregor ransomware is an offshoot of the Sekhmet malware family that has been active since mid-September 2020. The ransomware operates by compromising organizations, stealing sensitive user data, encrypting said data, and demanding a ransom to exchange encrypted documents. Egregor is ransomware associated with the cyberattacks against GEFCO and Barnes & Noble, Ubisoft, and numerous others.

Multiple intelligence and security companies believe that there are ties between past, now defunct, Maze affiliates and Egregor. There have been reports of ties to Sekhmet, ProLock, and LockBit as well (both of which have also been tied to Maze). With regard to Sekhmet, there are deep similarities in the configuration format and obfuscation style. SentinelOne-affiliated security researcher Vitali Kremez noted these similarities in an early November tweet.

As with other modern ransomware groups, the actors behind Egregor exfiltrate victim data and theaten to expose it publically should the victim fail to comply with the ransom demands.

Egregor Distribution Methods

The primary distribution method for Egregor is Cobalt Strike. Targeted environments are previously compromised through various means (RDP exploit, Phishing) and once the Cobalt Strike beacon payload is established and persistent, it is then utilized to deliver and launch the Egregor payloads.

That being said, since Egregor is a RaaS with multiple affiliates, delivery and weaponization tactics can therefore vary. There have been limited and uncorroborated reports of Egregor utilizing CVE-2020-0688 (a remote code execution flaw in Microsoft Exchange). Some sources also report the possible exploitation of CVE-2018-8174 (VBScript Engine), CVE-2018-4878 (Adobe Flash Player) & CVE-2018-15982 (Adobe Flash Player). They have also been shown to use LOTL (Living off the Land) tools  such as bitsadmin to download or update DLL components. In addition, some larger malware families and frameworks such as QBot have been observed distributing Egregor in recent campaigns.

Egregor Payload Analysis

Egregor payloads (DLLs) are highly obfuscated, including Salsa20 encrypted configuration data. File encryption is achieved via a combination of the ChaCha stream cipher and RSA. Each payload contains a RSA-2048 public key.

DLL-based payloads require a key/password upon launch, with that key being specific to each sample. The -p parameter is passed to the payload concatenated with said key. For example, if the key is 123EVILBADGUYS the parameter -p123EVILBADGUYS is required to successfully launch the payload.

This methodology also adds to the malware’s ability to evade analysis by way of humans and dynamic systems. Without the valid key passed, the payload will decrypt incorrectly and fail to launch or terminate. This is a critical point to consider in the context of static and dynamic analysis of Egregor payloads. With no key, voluntary detonation and dynamic analysis become far more complex if not infeasible.

Additional parameters appear to be present in memory when the payloads are launched. Some of these are borderline self-explanatory, while others are still undergoing analysis. We have summarized the parameter usage below where possible.

--full ; encryption of entire system (local & network-accessible), no exclusions
--nonet ; exclude encryption of network drives
--path ; encrypt only specific path in this parameter
--append ; customize the file extension to be used for encrypted files
--norename ; skip the process of renaming encrypted files
--greetings ; directly address target (by victim company name, typically)

Initial analysis of Egregor payloads indicates that the ransomware will avoid encrypting  systems where the primary device language is one of the following:

  • Armenian
  • Azerbaijani
  • Belarusian
  • Georgian
  • Kazakh
  • Kyrgyz
  • Romanian
  • Russian
  • Tajik
  • Tatar
  • Turkmen
  • Ukrainian
  • Uzbek

The primary method of data exfiltration appears to be Rclone, which is an open source utility that can be used to manage remote storage. Egregor payloads depost their own copy of Rclone along with unique configuration data, controlling the exfiltration process.

Post-Compromise Behavior

Egregor maintains a victim blog, which they use to threaten victims and post exfiltrated data in the event that victims fail to comply with their ransom demands. As of November 24th, 2020 there were 152 companies listed on the Egregor blog, spanning numerous industries across the globe. They do not appear to discriminate when it comes to industry or geography. The most frequently represented industries are:

  • Information Technology and Services
  • Construction
  • Retail
  • Consumer Goods
  • Automotive

The Egregor ransom notes follow a familiar template as other ransomware families. Victims are instructed to visit their TOR-based payment portal for further instructions. There is also an encrypted blob at the bottom of each ransom note containing victim-specific system data, along with the encoded RSA public key.





This ‘blob’ includes data pertaining to the victim’s available local drives, the space and total size of those drives, the hostname, the names of any AV or Security products discovered, and the user/domain context. The ‘blob’ is primarily base64-encoded. When decoded the pertinent data is visible at the end of the plaintext.


Egregor is one of the more aggressive and complex ransomware families to hit in the last 6 to 8 months. As with other contemporary threats, the damage being done extends well beyond the cost of the ransom (which you should avoid), and now also includes any penalties associated with data breaches, public posting of private data, GDPR / compliance fallout, and beyond.

The SentinelOne Singularity Platform fully protects our customers from this ransomware and related families.

Indicators of Compromise

SHA256 Hashes

SHA1 Hashes

IP Addresses

Full URL Examples
h t t p://185.238.0[.]233/p.dll
h t t p://185.238.0[.]233/b.dll
h t t p://185.238.0[.]233/sed.dll
h t t p://185.238.0[.]233/hnt.dll
h t t p://185.238.0[.]233/88/k057.exe
h t t p://185.238.0[.]233/

Victim Blog / Archive
h t t p://egregoranrmzapcv[.]onion
h t t p s://egregornews[.]com/

Payment Portal
h t t p://egregor4u5ipdzhv[.]onion/

Indicator Removal on Host: File Deletion T1070.004
Modify Registry T1112
Query Registry T1012
System Information Discovery T1082
Native API T1106
Hijack Execution Flow: DLL Side-Loading T1574.002
Process Injection T1055
Masquerading T1036
System Time Discovery T1124
Archive Collected Data T1560
Virtualization/Sandbox Evasion T1497
Software Discovery: Security Software Discovery T1518.001
Peripheral Device Discovery T1120
Inhibit System Recovery T1490
Create or Modify System Process: Windows Service T1031
Exfiltration TA0010

Ransom Note example (RECOVER-FILES.txt)