A hacking tool called "Terminator" is being promoted by a threat actor named Spyboy on a Russian-language hacking forum. The tool is advertised as being able to disable a wide range of antivirus, Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) products. CrowdStrike, however, has pushed back on these claims, characterizing Terminator as nothing more than a dressed-up Bring Your Own Vulnerable Driver (BYOVD) attack.

Diving into details

Terminator is advertised as able to bypass 24 different antivirus, EDR, and XDR products, including Windows Defender.
  • Spyboy, the threat actor behind Terminator, sells the tool at different price points for a 'single bypass' (one product) or a comprehensive 'all-in-one bypass.'
  • In a disclaimer, Spyboy states that bypasses for certain EDRs, namely SentinelOne, Sophos, CrowdStrike, Carbon Black, Cortex, and Cylance, are not sold individually, and disclaims responsibility for any use involving ransomware or lockers.

But is it what it appears to be?

As disclosed by a CrowdStrike engineer in a Reddit post, Terminator simply drops a legitimately signed Zemana anti-malware kernel driver (zamguard64.sys or zam64.sys) into the C:\Windows\System32\ directory under a randomly generated name of 4 to 10 characters.
  • Once the vulnerable driver is on disk, Terminator loads it and abuses its kernel-level privileges to terminate the user-mode processes of the AV and EDR software running on the affected device. The driver itself is not malicious code; the problem is that it lets a caller with the right privileges terminate arbitrary processes, including protected security processes, from the kernel.
  • To use Terminator, an attacker must already hold administrative privileges on the targeted Windows system and must get a User Account Control (UAC) prompt accepted when the tool is executed, typically by tricking the user. In other words, Terminator offers no privilege escalation; it is a post-exploitation tool for an attacker who is already an administrator.
  • This is the same technique seen in other BYOVD campaigns: a signed but vulnerable third-party driver is loaded so that the attacker gains privileged kernel operations without needing a signed malicious driver of their own.

The bottom line

At the time of writing, the vulnerable driver used by Terminator is flagged by only a single anti-malware scanning engine on VirusTotal, which is unsurprising given that it is a legitimately signed binary. Fortunately, Florian Roth, Head of Research at Nextron Systems, and threat researcher Nasreddine Bencherchali have promptly shared YARA and Sigma rules that let defenders detect the vulnerable driver utilized by the Terminator tool, both as a file on disk (YARA) and as a driver-load event (Sigma), even where their AV does not yet flag it. Beyond detection, Microsoft's vulnerable driver blocklist, enforced through HVCI (memory integrity) or a WDAC policy, can prevent known vulnerable drivers from loading regardless of the filename they are dropped under, so checking whether the blocklist in use covers the Zemana driver is a worthwhile follow-up. Because the tool renames the driver, filename-based detections alone are weak; hunting should key on the driver's signer and hashes and on the behavior that follows its load.
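As an added example (not code from the article, from CrowdStrike, or from the researchers named above), the following Python hunts for the behavior described in this piece in Sysmon telemetry: a kernel driver load (Event ID 6) of a Zemana-signed driver under a renamed, 4-10 character filename in C:\Windows\System32\, correlated with terminations (Event ID 5) of user-mode security processes on the same host shortly afterwards. The flattened event dictionaries, the signer string "Zemana Ltd.", the list of security process names, and the 120-second correlation window are all constructed assumptions for illustration; the YARA and Sigma rules published by Roth and Bencherchali remain the authoritative detections.

```python
import re
from datetime import datetime, timedelta

# Shape of the dropped driver described in the article: a Zemana-signed kernel
# driver written to C:\Windows\System32\ under a random 4-10 character name.
RANDOM_SYS32_DRIVER = re.compile(r"^c:\\windows\\system32\\[a-z0-9]{4,10}\.sys$", re.IGNORECASE)
LEGIT_ZEMANA_NAMES = {"zam64.sys", "zamguard64.sys"}
ZEMANA_SIGNER = "zemana"  # assumption: substring match on Sysmon's Signature field

# Illustrative user-mode AV/EDR process names (assumption; tailor to your estate).
SECURITY_PROCESSES = {
    "msmpeng.exe",          # Microsoft Defender
    "sentinelagent.exe",    # SentinelOne
    "csfalconservice.exe",  # CrowdStrike Falcon
    "cb.exe",               # Carbon Black
    "cyserver.exe",         # Cortex XDR
}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(ev):
    # Sysmon UtcTime looks like "2023-05-31 10:15:02.120"
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def classify_driver_load(ev):
    """Classify a flattened Sysmon Event ID 6 (DriverLoad) record.

    Returns "renamed_zemana" when a Zemana-signed driver loads from System32 under
    a name that is not one of Zemana's own, "zemana" for any other Zemana-signed
    load (worth a look on hosts without Zemana installed), and None otherwise.
    """
    if ev.get("EventID") != 6:
        return None
    if ZEMANA_SIGNER not in ev.get("Signature", "").lower():
        return None
    path = ev.get("ImageLoaded", "")
    if _basename(path) not in LEGIT_ZEMANA_NAMES and RANDOM_SYS32_DRIVER.match(path):
        return "renamed_zemana"
    return "zemana"


def correlate(events, window=timedelta(seconds=120)):
    """Pair each Zemana driver load with security-product processes that were
    terminated (Event ID 5) on the same host within `window` afterwards."""
    alerts = []
    kills = [e for e in events if e.get("EventID") == 5]
    for load in events:
        kind = classify_driver_load(load)
        if kind is None:
            continue
        t0 = _ts(load)
        killed = sorted({
            _basename(k["Image"]) for k in kills
            if k["Computer"] == load["Computer"]
            and t0 <= _ts(k) <= t0 + window
            and _basename(k["Image"]) in SECURITY_PROCESSES
        })
        severity = "high" if kind == "renamed_zemana" else "medium"
        if killed:
            severity = "critical"  # driver load followed by EDR kills: the Terminator pattern
        alerts.append({
            "host": load["Computer"],
            "driver": load["ImageLoaded"],
            "signer": load.get("Signature", ""),
            "severity": severity,
            "terminated": killed,
        })
    return alerts


# Constructed sample telemetry (not real logs): flattened Sysmon events from two hosts.
SAMPLE_EVENTS = [
    {"EventID": 6, "Computer": "WS01", "UtcTime": "2023-05-31 10:15:00.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys", "Signature": "Microsoft Windows"},
    {"EventID": 6, "Computer": "WS01", "UtcTime": "2023-05-31 10:15:02.120",
     "ImageLoaded": "C:\\Windows\\System32\\kqzpvt.sys", "Signature": "Zemana Ltd."},
    {"EventID": 5, "Computer": "WS01", "UtcTime": "2023-05-31 10:15:03.500",
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2304.8-0\\MsMpEng.exe"},
    {"EventID": 5, "Computer": "WS01", "UtcTime": "2023-05-31 10:15:04.010",
     "Image": "C:\\Program Files\\SentinelOne\\Sentinel Agent 22.3\\SentinelAgent.exe"},
    {"EventID": 5, "Computer": "WS01", "UtcTime": "2023-05-31 10:15:05.000",
     "Image": "C:\\Windows\\System32\\notepad.exe"},
    {"EventID": 6, "Computer": "WS02", "UtcTime": "2023-05-31 11:00:00.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\zam64.sys", "Signature": "Zemana Ltd."},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample data, WS01 produces a "critical" alert (renamed driver kqzpvt.sys followed by the Defender and SentinelOne processes being terminated) while WS02, where the driver loads under its legitimate name and nothing is killed, is only "medium". The correlation step matters because a renamed Zemana driver is suspicious on its own, but the same signer could appear legitimately on a host that actually runs Zemana software; pairing the load with EDR process terminations is what distinguishes the Terminator pattern from a false positive.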
Cyware Publisher
