Terminator Antivirus Killer is a Vulnerable Windows Driver in Disguise

Cyber Security Threat Summary:
“A threat actor known as Spyboy is promoting a tool called "Terminator" on a Russian-speaking hacking forum that can allegedly terminate any antivirus, XDR, and EDR platform. However, CrowdStrike says that it's just a fancy Bring Your Own Vulnerable Driver (BYOVD) attack” (Bleeping Computer, 2023).

The malware is able to bypass 24 different antivirus (AV), endpoint detection and response (EDR), and extended detection and response (XDR) solutions, including Windows Defender on devices running Windows 7 and later.

The software can be purchased as a single bypass for around $300, or as an all-in-one bypass for $3,000. "The following EDRs cannot be sold alone: SentinelOne, Sophos, CrowdStrike, Carbon Black, Cortex, Cylance," the threat actor says, with a disclaimer that "Ransomware and lockers are not allowed and I'm not responsible for such actions."

Security Officer Comments:
Terminator does require some initial access: the threat actor must already have administrative privileges on the targeted Windows system and must trick the user into accepting the User Account Control (UAC) prompt that appears when the tool runs. However, as a CrowdStrike engineer revealed in a Reddit post, Terminator simply drops the legitimate, signed Zemana anti-malware kernel driver, named zamguard64[.]sys or zam64[.]sys, into the C:\Windows\System32\ folder under a random name of 4 to 10 characters.

Once the driver is written to disk, Terminator loads it and uses its kernel-level privileges to kill the user-mode processes of the AV and EDR software running on the device. It remains unclear how Terminator interfaces with the driver. A proof-of-concept exploit released in 2021 abuses a flaw in the driver to execute commands with Windows kernel privileges, but it is unconfirmed whether this is what Terminator uses.

The researchers say, at this time, only one anti-malware scanning engine was able to detect the vulnerable driver.

Suggested Correction(s):
Nextron Systems head of research Florian Roth and threat researcher Nasreddine Bencherchali have already shared YARA and Sigma rules (matching by hash and by file name) that can help defenders detect the vulnerable driver used by the Terminator tool.
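The detection approach described above (match the driver by hash and by name) plus the drop pattern from the Security Officer Comments (a signed Zemana driver written to C:\Windows\System32\ under a random 4-10 character name) can be combined into a simple triage check over driver-load telemetry. The following is an added example, not code from the article or from the rule authors; the Sysmon-style events are constructed, the hash set is left empty as a placeholder to be filled from the published rules, and the assumption that the signer string contains the vendor name "Zemana" should be verified against your own telemetry.

```python
import re
from typing import Iterable

# File names the article attributes to the dropped Zemana driver.
KNOWN_DRIVER_NAMES = {"zamguard64.sys", "zam64.sys"}
# Placeholder: fill from the published YARA/Sigma rules; the article lists no hashes.
KNOWN_DRIVER_SHA256: set = set()
# Assumption: the code-signing signer string carries the vendor name.
SUSPECT_SIGNER_SUBSTRING = "zemana"
# Terminator writes the driver to System32 under a random 4-10 character name.
RANDOM_NAME_RE = re.compile(r"^c:\\windows\\system32\\[a-z0-9]{4,10}\.sys$", re.I)


def parse_event(line: str) -> dict:
    """Parse a constructed 'key=value|key=value' Sysmon-style DriverLoad (Event ID 6) record."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def sha256_of(hashes_field: str) -> str:
    """Extract the SHA256 digest from a Sysmon 'Hashes' field such as 'SHA256=...,MD5=...'."""
    for part in hashes_field.split(","):
        algo, _, digest = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return ""


def classify(event: dict) -> list:
    """Return the reasons a driver-load event matches the Terminator BYOVD pattern (empty if none)."""
    path = event.get("ImageLoaded", "")
    name = path.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name in KNOWN_DRIVER_NAMES:
        reasons.append("known-vulnerable-driver-name")
    if sha256_of(event.get("Hashes", "")) in KNOWN_DRIVER_SHA256:
        reasons.append("known-vulnerable-driver-hash")
    if RANDOM_NAME_RE.match(path) and SUSPECT_SIGNER_SUBSTRING in event.get("Signature", "").lower():
        reasons.append("renamed-driver-in-system32")
    return reasons


def find_hits(lines: Iterable[str]) -> list:
    """Run classify() over raw event lines and keep only the suspicious ones."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            hits.append((ev["ImageLoaded"], reasons))
    return hits


# Constructed sample telemetry: one benign Microsoft driver, one renamed Zemana driver in
# System32, and one copy of the driver under its real name outside System32.
SAMPLE_EVENTS = [
    "ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys|Hashes=SHA256=0000|Signature=Microsoft Windows",
    "ImageLoaded=C:\\Windows\\System32\\kqzvwm.sys|Hashes=SHA256=1111|Signature=Zemana Ltd.",
    "ImageLoaded=C:\\Users\\Public\\zamguard64.sys|Hashes=SHA256=2222|Signature=Zemana Ltd.",
]

if __name__ == "__main__":
    for image, reasons in find_hits(SAMPLE_EVENTS):
        print(image, "->", ", ".join(reasons))
```

The name and hash checks mirror the published rules; the third check is the behavioural one that still fires after the driver has been renamed, which is the case the hash-and-name rules alone cannot see unless the hash list is current.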

Bring Your Own Vulnerable Driver (BYOVD) attacks are not new; many threat actors use similar techniques to bypass security software running on compromised machines. Legitimate drivers signed with valid certificates and capable of running with kernel privileges are dropped on the victims' devices to disable security solutions and take over the system. A wide assortment of threat groups has used the technique for years, ranging from financially motivated ransomware gangs to state-backed hacking outfits.

More recently, Sophos X-Ops security researchers have spotted a new hacking tool dubbed AuKill used in the wild to disable EDR software with the help of a vulnerable Process Explorer driver before deploying ransomware in BYOVD attacks.

Link(s):
YARA Rules: https://github.com/magicsword-io/LOLDrivers/blob/main/detections/yara/yara-rules.yar