A tool called “Terminator” has appeared on one of the Russian-language hacker forums. According to its author, it is capable of killing any anti-virus (AV) program as well as Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) platforms. A strong statement, isn’t it?
“Terminator” can allegedly bypass a total of 24 different AV, EDR and XDR products on devices running Windows 7 and later.
The author of the tool, known by the pseudonym “Spyboy”, sells his product from $300 for one type of detection bypass to $3,000 for all types at once.
“The following EDRs cannot be sold separately: SentinelOne, Sophos, CrowdStrike, Carbon Black, Cortex, Cylance,” the hacker states, adding: “Ransomware and lockers are prohibited and I am not responsible for such actions.”
To use Terminator, the customer needs administrative privileges on the target Windows system, so they first have to trick the user into accepting the Windows User Account Control (UAC) prompt that appears when the tool is launched. That is the customer’s headache, not the malware developer’s.
A CrowdStrike engineer, in a post on Reddit, showed that “Terminator” is sold under a louder slogan than it deserves. As it turns out, the tool simply writes a legitimately signed Zemana anti-malware driver (zamguard64.sys or zam64.sys) into the C:\Windows\System32\ folder of the target system.
Once the driver is on disk, Terminator loads it and uses the kernel-level access the driver provides to terminate the processes of AV, EDR and XDR products running on the device.
At the time of writing, only one of the VirusTotal antivirus engines flags this driver as vulnerable. Fortunately, researchers at Nextron Systems have already published indicators of compromise (IoCs) that help security teams detect the vulnerable driver Terminator relies on before it has time to do harm.
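The article describes a three-step procedure (driver written to System32, driver loaded as a kernel service, security processes killed), and each step leaves a trace a defender can look for. The hunting script below is an added example written for this page, not code from the article, from CrowdStrike, from Nextron or from the tool itself. It checks the three traces on a Windows host: the driver file on disk (by the two names the article gives, by any SHA-256 you add, or by a Zemana signer, which also catches a renamed copy), the driver registered or running as a kernel-mode service, and the Service Control Manager event 7045 that records a new service installation. The `$KnownSha256` list is left empty and is an assumption to be filled from a vetted source such as the Nextron IoCs; the script invents no hashes.

```powershell
# Added hunting script (not part of the article or the Terminator tool).
# Looks for the Zemana driver Terminator drops: zam64.sys / zamguard64.sys written to
# C:\Windows\System32 and then loaded as a kernel driver. Run in an elevated PowerShell.

$KnownNames  = @('zam64.sys', 'zamguard64.sys')          # names given in the article
$KnownSha256 = @()   # ASSUMPTION: fill with vetted SHA-256 IoCs (e.g. Nextron's); none invented here
$SearchDirs  = @("$env:SystemRoot\System32", "$env:SystemRoot\System32\drivers")

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. Drivers currently registered or running. Terminator must load the driver as a
#    kernel-mode service, so an active instance shows up here.
Get-CimInstance Win32_SystemDriver | ForEach-Object {
    if ($_.PathName) {
        $leaf = [IO.Path]::GetFileName($_.PathName)
        if ($KnownNames -contains $leaf) {
            Add-Finding 'LoadedDriver' "$($_.Name) state=$($_.State) path=$($_.PathName)"
        }
    }
}

# 2. Files on disk: known name, known hash, or any driver whose Authenticode signer is
#    Zemana (covers a copy dropped under a different file name).
foreach ($dir in $SearchDirs) {
    Get-ChildItem -Path $dir -Filter '*.sys' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file    = $_
        $hash    = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        $sig     = Get-AuthenticodeSignature -FilePath $file.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        if ($KnownNames -contains $file.Name) {
            Add-Finding 'FileName' "$($file.FullName) sha256=$hash"
        }
        elseif ($KnownSha256 -contains $hash) {
            Add-Finding 'FileHash' "$($file.FullName) sha256=$hash"
        }
        elseif ($subject -match 'Zemana') {
            Add-Finding 'ZemanaSigned' "$($file.FullName) signer=$subject"
        }
    }
}

# 3. Service Control Manager event 7045 ("A service was installed in the system") is written
#    for every new service, kernel drivers included, so the load step leaves a log entry
#    even after the driver file itself has been deleted.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        foreach ($n in $KnownNames) {
            if ($_.Message -match [regex]::Escape($n)) {
                Add-Finding 'ServiceInstall' "event 7045 at $($_.TimeCreated): $($_.Message -replace '\s+', ' ')"
            }
        }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No Terminator / Zemana driver indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Treat a hit as a lead, not a verdict: a host that legitimately runs Zemana AntiMalware will trip the name and signer checks, and an attacker who has already used the driver to kill the EDR may also have cleared the System log, so the three checks back each other up rather than replace each other. The preventive control for this whole class of attack is Microsoft’s vulnerable driver blocklist (enforced through HVCI/WDAC), which is worth verifying across the fleet independently of any hunt for this particular driver.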
Bring Your Own Vulnerable Driver (BYOVD) attacks are popular with attackers who want to deliver their payloads quietly. In such attacks, the adversary brings a completely legitimate driver with a valid signature and the ability to run with kernel privileges, and abuses it for purposes its vendor never intended: disabling security products and taking over the system.
A wide range of cybercriminal groups have been using this technique for years, from financially motivated gangs to state-backed hacker groups.
Back in April we wrote about similar malware from another criminal group: a hacking tool called AuKill let attackers disable EDR products through a vulnerable driver belonging to a legitimate third-party program, Process Explorer, and was for a time used in LockBit attacks.
