A tool called “Terminator” has appeared on one of the Russian-speaking hacker forums; according to its author, it can destroy any antivirus program (AV), as well as XDR and EDR platforms. A strong statement, isn’t it?
“Terminator” supposedly can bypass 24 different antivirus, Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions on devices running Windows 7 and above.
The author of the tool, known under the pseudonym “Spyboy”, sells the product for prices ranging from $300 per detection type up to $3,000 for all types at once.
“The following EDRs cannot be sold separately: SentinelOne, Sophos, CrowdStrike, Carbon Black, Cortex, Cylance,” the hacker says, adding: “Ransomware and lockers are prohibited, and I am not responsible for such actions.”
Terminator requires administrative privileges on the target Windows system, so the user must somehow be tricked into accepting the User Account Control (UAC) pop-up that appears when the tool is started. That is the customer’s headache, not the malware developer’s.
A CrowdStrike engineer found out, and wrote in a post on Reddit, that “Terminator” is sold under a louder slogan than it actually deserves. As it turned out, the tool simply drops the legitimate, signed Zemana antivirus driver, “zamguard64.sys” or “zam64.sys”, into the C:\Windows\System32 directory of the target system.
Once the driver is written to disk, “Terminator” loads it to obtain kernel-level privileges and terminate the processes of the antivirus, EDR and XDR products running on the device.
Currently, only one of VirusTotal’s scanning engines flags this driver as vulnerable. Fortunately, Nextron Systems researchers have already shared indicators of compromise (IOCs) that can help security specialists detect the vulnerable driver used by the Terminator tool before it has time to do harm.
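A detection sketch for the behaviour described above, added here as an example and not taken from the article or from the Nextron IOC list: it runs over constructed Sysmon-style events (ID 11 FileCreate, ID 6 DriverLoad) and flags a load of the two driver names named in the article, a load of any driver whose signature string contains the Zemana signer (the signer match string is an assumption), and the drop-into-System32-then-load sequence that would also catch a renamed copy.

```python
from datetime import datetime, timedelta

# Driver file names named in the article; hashes from a published IOC list could be added alongside
VULN_DRIVER_NAMES = {"zamguard64.sys", "zam64.sys"}
VULN_SIGNER_HINT = "zemana"  # assumption: substring to look for in the Sysmon "Signature" field
SYSTEM32 = "c:\\windows\\system32\\"
DROP_TO_LOAD_WINDOW = timedelta(minutes=5)  # how soon after a file drop a load is considered linked


def detect_byovd(events):
    """Return (rule, path) alerts, in time order, for a list of Sysmon-like event dicts."""
    alerts = []
    recent_drops = {}  # lowercased path -> time a .sys file was created in System32
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev["EventID"] == 11:  # FileCreate
            lower = ev["TargetFilename"].lower()
            if lower.startswith(SYSTEM32) and lower.endswith(".sys"):
                recent_drops[lower] = ev["UtcTime"]
            continue
        if ev["EventID"] != 6:  # only DriverLoad events matter from here on
            continue
        path = ev["ImageLoaded"]
        lower = path.lower()
        name = lower.rsplit("\\", 1)[-1]
        if name in VULN_DRIVER_NAMES:
            alerts.append(("known_vulnerable_driver_loaded", path))
        elif VULN_SIGNER_HINT in ev.get("Signature", "").lower():
            alerts.append(("vulnerable_signer_driver_loaded", path))
        dropped = recent_drops.get(lower)
        if dropped is not None and ev["UtcTime"] - dropped <= DROP_TO_LOAD_WINDOW:
            alerts.append(("driver_dropped_then_loaded", path))
    return alerts


# Constructed sample events: a Terminator-like drop-and-load followed by a benign driver load
T0 = datetime(2023, 6, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"EventID": 11, "UtcTime": T0, "TargetFilename": r"C:\Windows\System32\zamguard64.sys"},
    {"EventID": 6, "UtcTime": T0 + timedelta(seconds=20),
     "ImageLoaded": r"C:\Windows\System32\zamguard64.sys",
     "Signature": "Zemana Ltd.", "SignatureStatus": "Valid"},  # constructed signer value
    {"EventID": 6, "UtcTime": T0 + timedelta(minutes=1),
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for rule, path in detect_byovd(SAMPLE_EVENTS):
        print(f"[{rule}] {path}")
```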
BYOVD (Bring Your Own Vulnerable Driver) attacks are common among attackers who like to deliver malicious payloads “without noise and dust”. In such attacks, hackers use entirely legitimate drivers with real certificates, capable of running with kernel privileges, for a purpose they were never meant for: disabling security solutions and taking over the system.
A wide range of cybercrime groups has been using this technique for many years, from financially motivated gangs to state-sponsored hacker groups.
In April we already wrote about similar malware developed by another group of attackers. A hacker tool called AuKill allowed criminals to disable EDR solutions thanks to a vulnerable driver from the legitimate third-party Process Explorer program, and for some time it was even used in LockBit attacks.