Spyboy, a threat actor, has been actively advertising the "Terminator" tool on a hacking forum predominantly used by Russian speakers. The tool supposedly possesses the ability to disable various antivirus, XDR, and EDR platforms. However, CrowdStrike has dismissed these claims, stating that the tool is merely an advanced version of the Bring Your Own Vulnerable Driver (BYOVD) attack technique.
According to reports, Terminator allegedly has the capacity to evade the security measures of 24 distinct antiviruses (AV), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) solutions. These include well-known programs such as Windows Defender, targeting devices operating on Windows 7 and later versions.
Spyboy, a seller specializing in software, offers a range of products designed to bypass security measures. Their software is available at various price points, starting at $300 for a single bypass and going up to $3,000 for a comprehensive all-in-one bypass solution.
"The following EDRs cannot be sold alone: SentinelOne, Sophos, CrowdStrike, Carbon Black, Cortex, Cylance," the threat actor says, with a disclaimer that "Ransomware and lockers are not allowed and I'm not responsible for such actions."
To utilize Terminator, the "clients" need to have administrative privileges on the targeted Windows systems and must deceive the user into accepting a User Account Controls (UAC) pop-up when executing the tool.
However, according to a CrowdStrike engineer's Reddit post, Terminator employs a technique where it places the legitimate and signed Zemana anti-malware kernel driver, known as zamguard64.sys or zam64.sys, into the C:\Windows\System32\ folder with a randomly generated name consisting of 4 to 10 characters.
Once the malicious driver is written to the disk, Terminator loads it to exploit its kernel-level privileges and terminate the user-mode processes of antivirus (AV) and endpoint detection and response (EDR) software running on the targeted device.
The exact method by which the Terminator program interacts with the driver remains unclear. However, a proof-of-concept (PoC) exploit was made available in 2021, which exploits vulnerabilities in the driver to execute commands with Windows Kernel privileges. This capability could be utilized to terminate security software processes that are typically safeguarded.
According to a VirusTotal scan, currently only one anti-malware scanning engine has detected a driver as vulnerable. To assist defenders in identifying this vulnerable driver used by the Terminator tool, Florian Roth, the head of research at Nextron Systems, and threat researcher Nasreddine Bencherchali have shared YARA and Sigma rules that can be used.
This method is commonly employed by threat actors who aim to evade security software on compromised machines. They achieve this by escalating privileges, installing vulnerable Windows drivers, executing malicious code, and delivering additional harmful payloads.
These attacks, known as Bring Your Own Vulnerable Driver (BYOVD) attacks, involve dropping legitimate drivers with valid certificates onto victims' devices. These drivers can operate with kernel privileges, effectively disabling security solutions and taking control of the system.
Various threat groups, including financially motivated ransomware gangs and state-sponsored hacking organizations, have utilized this technique for several years. Recently, security researchers at Sophos X-Ops discovered a new hacking tool called AuKill being used in the wild. This tool disables EDR software by utilizing a vulnerable Process Explorer driver before launching ransomware attacks in BYOVD scenarios.
