'Terminator' tool uses vulnerable Windows driver to kill almost any security software
"Bring Your Own Vulnerable Driver" attacks use legitimate drivers that allow hackers to easily disable security solutions on target systems and drop additional malware on them. This has become a popular technique among ransomware operators and state-backed hackers in recent years, and it looks like malicious actors have found a way to make it work on pretty much any PC running Windows.
A CrowdStrike engineer has revealed a new cybersecurity threat dubbed "Terminator," which is supposedly capable of killing almost any antivirus, Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) security solution.
"Terminator" is being sold on a Russian hacking forum called Ramp by a malicious actor known as Spyboy, who began advertising the endpoint evasion tool on May 21. The author claims the tool is capable of bypassing the protection measures of no fewer than 23 security solutions, with pricing ranging from $300 for a single bypass to $3,000 for an all-in-one bypass.
Windows Defender is one of the AVs that can be bypassed, and the tool works on all devices running Windows 7 and later versions. According to most estimates, Windows Vista and Windows XP are now running on less than 1 percent of all PCs, meaning Terminator impacts almost all Windows users – even those who don't use a third-party security solution from companies like BitDefender, Avast, or Malwarebytes.
Andrew Harris, who is the Global Senior Director at CrowdStrike, explains that Terminator is essentially a new variant of the increasingly popular Bring Your Own Vulnerable Driver (BYOVD) attack. To use it, "clients" first need to gain administrative privileges on the target system and trick the user into allowing the tool to run via the User Account Control (UAC) pop-up.
Terminator will then drop a legitimate, signed Zemana anti-malware kernel driver into the C:\Windows\System32\drivers\ folder. Normally, the file in question would be named "zam64.sys" or "zamguard64.sys", but Terminator will give it a random name between four and ten characters long. Once this process is complete, the tool will simply terminate any user-mode processes created by antivirus or EDR software.
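Because the dropped driver keeps its legitimate Zemana signature but loses its usual file name, a defender cannot key detection on the name alone. The following is an added example, not code from the article or from CrowdStrike: a small detection pass over driver-load events in the shape of Sysmon Event ID 6 (DriverLoad) that flags any Zemana-signed driver loaded under a name other than the two expected ones, and separately flags any driver whose hash is on a blocklist. The events, the signer strings and the hashes are constructed for the example, and the blocklist entry is a labelled placeholder rather than a real hash.

```python
from pathlib import PureWindowsPath

# File names the legitimate Zemana driver normally uses (per the article).
EXPECTED_ZEMANA_NAMES = {"zam64.sys", "zamguard64.sys"}

# Hash blocklist for known-abused driver builds. This value is a labelled
# placeholder; a real deployment would fill the set from a vetted source such
# as a vendor advisory or a vulnerable-driver blocklist feed.
BLOCKLISTED_SHA256 = {
    "PLACEHOLDER_SHA256_OF_ABUSED_ZAM64_BUILD",
}

# Constructed sample events. Field names follow the Sysmon DriverLoad schema;
# every value is made up for this example.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\zam64.sys",
     "Signature": "Zemana Ltd.", "SignatureStatus": "Valid",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_OF_ABUSED_ZAM64_BUILD"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\kqzhtv.sys",
     "Signature": "Zemana Ltd.", "SignatureStatus": "Valid",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_OF_ABUSED_ZAM64_BUILD"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
     "Hashes": "SHA256=" + "0" * 64},
]


def parse_hashes(field):
    """Turn Sysmon's 'SHA256=...,MD5=...' string into a dict keyed by algorithm."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip()
    return out


def classify(event):
    """Return the reasons an event looks like BYOVD abuse (empty list if clean)."""
    reasons = []
    name = PureWindowsPath(event["ImageLoaded"]).name.lower()
    signer = event.get("Signature", "").lower()
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "")

    # The file name is randomized, so key on the signer and the hash instead.
    if "zemana" in signer and name not in EXPECTED_ZEMANA_NAMES:
        reasons.append("Zemana-signed driver loaded under a non-standard name")
    if sha256 in BLOCKLISTED_SHA256:
        reasons.append("driver hash is on the blocklist")
    return reasons


def find_suspicious(events):
    """Map each suspicious image path to its list of reasons."""
    return {e["ImageLoaded"]: r for e in events if (r := classify(e))}


if __name__ == "__main__":
    for path, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```

Note that the first sample event, the driver under its normal name, is still flagged by the hash check: the driver is abusable whether or not it has been renamed, so the hash rule is the one that catches a less careful copycat. The same logic can run over file-creation events for the C:\Windows\System32\drivers\ folder, which fire before the driver is ever loaded. As a preventive control, a driver allow/deny policy (for example Microsoft's vulnerable driver blocklist enforced through WDAC or HVCI) stops the load outright, provided the specific driver build is actually on the list, which should be verified rather than assumed.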
The exact mechanism behind Terminator isn't known, but an educated guess is that it works similarly to a proof-of-concept exploit tracked under CVE-2021-31727 and CVE-2021-31728, which expose unrestricted disk read/write capabilities and allow executing commands with kernel-level privileges.