'Terminator' tool uses vulnerable Windows driver to kill almost any security software


Why it matters: "Bring Your Own Vulnerable Driver" attacks use legitimate drivers that allow hackers to easily disable security solutions on target systems and drop additional malware on them. This has become a popular technique among ransomware operators and state-backed hackers in recent years, and it looks like malicious actors have found a way to make it work on pretty much any PC running Windows.

A CrowdStrike engineer has revealed a new cybersecurity threat dubbed "Terminator," which is supposedly capable of killing almost any antivirus, Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) security solution.

"Terminator" is being sold on a Russian hacking forum called Ramp by a malicious actor known as Spyboy, who began advertising the endpoint evasion tool on May 21. The author claims the tool is capable of bypassing the protection measures of no fewer than 23 security solutions, with pricing ranging from $300 for a single bypass to $3,000 for an all-in-one bypass.

Windows Defender is one of the AVs that can be bypassed, and the tool works on all devices running Windows 7 and later versions. According to most estimates, Windows Vista and Windows XP are now running on less than 1 percent of all PCs, meaning Terminator impacts almost all Windows users – even those who don't use a third-party security solution from companies like BitDefender, Avast, or Malwarebytes.

Andrew Harris, who is the Global Senior Director at CrowdStrike, explains that Terminator is essentially a new variant of the increasingly popular Bring Your Own Vulnerable Driver (BYOVD) attack. To use it, "clients" need to first gain administrative privileges on the target systems and trick the user into allowing the tool to run via the User Account Control (UAC) pop-up.

Terminator will then drop a legitimate, signed Zemana anti-malware kernel driver into the C:\Windows\System32\drivers\ folder. Normally, the file in question would be named "zam64.sys" or "zamguard64.sys", but Terminator will give it a random name between four and ten characters long. Once this process is complete, the tool will simply terminate any user-mode processes created by antivirus or EDR software.

The exact mechanism behind Terminator isn't known, but a good educated guess is that it works similarly to a proof-of-concept exploit for CVE-2021-31727 and CVE-2021-31728, flaws that expose unrestricted disk read/write capabilities and allow commands to be executed with kernel-level privileges.

While the author of the tool claims it will only fool 23 security solutions, a VirusTotal analysis shows the driver file used by Terminator is undetected by 71 AVs and EDRs. Only Elastic flagged the file as potentially malicious, but Harris says defenders can still catch the driver being dropped by monitoring for uncommon file writes in C:\Windows\System32\drivers.

Alternatively, you can use YARA and Sigma rules created by threat researchers like Florian Roth and Nasreddine Bencherchali to quickly identify the vulnerable driver by hash or name. You can also mitigate the attack by simply blocking the signing certificate of the Zemana Anti-Malware driver.
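The two detection ideas above (watch for uncommon writes into the drivers folder; match the driver by name, hash or signer) can be expressed as a small piece of log-scanning logic. The following is an added example written for this article, not code from CrowdStrike, the tool, or the cited researchers. It consumes Sysmon-style events (Event ID 11 FileCreate and Event ID 6 DriverLoad, using Sysmon's field names) and applies three checks: a file created under C:\Windows\System32\drivers\ by a process outside a trusted-writer baseline, a driver name that is either one of the known Zemana names from the article or a short four-to-ten-character name absent from a known-good inventory, and a loaded driver whose SHA256 or signer matches a blocklist. The trusted-writer list and driver baseline are hypothetical, the sample events are constructed, and the hash and signer strings are placeholders to be replaced with the indicators published in the YARA/Sigma rules; the article gives no hash values.

```python
import re
from dataclasses import dataclass

# Paths and driver names taken from the article; the lists further down are
# a constructed baseline for the example, not a vetted inventory.
DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"
KNOWN_ZEMANA_NAMES = {"zam64.sys", "zamguard64.sys"}

# Hypothetical allowlists/blocklists. The hash and signer values are
# placeholders: replace them with the indicators from the published rules.
TRUSTED_DRIVER_WRITERS = {
    "c:\\windows\\servicing\\trustedinstaller.exe",
    "c:\\windows\\system32\\svchost.exe",
}
BASELINE_DRIVERS = {"ntfs.sys", "tcpip.sys", "disk.sys", "ndis.sys", "afd.sys"}
BLOCKED_SHA256 = {"PLACEHOLDER_SHA256_OF_VULNERABLE_ZEMANA_DRIVER"}
BLOCKED_SIGNERS = {"PLACEHOLDER_ZEMANA_SIGNER_SUBJECT"}

# The article says Terminator renames the driver to 4..10 random characters.
# Many legitimate drivers also have short names, so this is only a
# corroborating signal and is gated on the name being absent from the baseline.
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{4,10}\.sys$")


@dataclass
class Finding:
    rule: str
    path: str
    detail: str


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def check_file_create(ev: dict) -> list:
    """Sysmon Event ID 11 (FileCreate): flag new files under the drivers folder."""
    target = ev["TargetFilename"].lower()
    if not target.startswith(DRIVERS_DIR):
        return []
    findings = []
    name = _base(target)
    if ev["Image"].lower() not in TRUSTED_DRIVER_WRITERS:
        findings.append(Finding("uncommon_driver_write", ev["TargetFilename"],
                                f"written by {ev['Image']}"))
    if name in KNOWN_ZEMANA_NAMES:
        findings.append(Finding("known_vulnerable_driver_name", ev["TargetFilename"], name))
    elif RANDOM_NAME_RE.match(name) and name not in BASELINE_DRIVERS:
        findings.append(Finding("unbaselined_short_driver_name", ev["TargetFilename"], name))
    return findings


def check_driver_load(ev: dict) -> list:
    """Sysmon Event ID 6 (DriverLoad): match hash and signer against blocklists."""
    findings = []
    # Sysmon encodes hashes as "SHA256=...,MD5=..."; parse into a dict.
    hashes = dict(h.split("=", 1) for h in ev.get("Hashes", "").split(",") if "=" in h)
    sha256 = hashes.get("SHA256", "")
    if sha256 in BLOCKED_SHA256:
        findings.append(Finding("blocked_driver_hash", ev["ImageLoaded"], sha256))
    if ev.get("Signature", "") in BLOCKED_SIGNERS:
        findings.append(Finding("blocked_driver_signer", ev["ImageLoaded"], ev["Signature"]))
    return findings


def scan(events: list) -> list:
    """Run the appropriate check for each event and collect all findings."""
    out = []
    for ev in events:
        if ev["EventID"] == 11:
            out.extend(check_file_create(ev))
        elif ev["EventID"] == 6:
            out.extend(check_driver_load(ev))
    return out


# Constructed sample events (not real telemetry): a servicing write of a
# baseline driver, an unknown process dropping a short-named driver, an
# unrelated file write, and the dropped driver being loaded.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",
     "TargetFilename": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
    {"EventID": 11, "Image": "C:\\Users\\alice\\Downloads\\update.exe",
     "TargetFilename": "C:\\Windows\\System32\\drivers\\qxvtk.sys"},
    {"EventID": 11, "Image": "C:\\Users\\alice\\Downloads\\update.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\notes.txt"},
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\qxvtk.sys",
     "Hashes": "SHA256=PLACEHOLDER_SHA256_OF_VULNERABLE_ZEMANA_DRIVER",
     "Signed": "true", "Signature": "PLACEHOLDER_ZEMANA_SIGNER_SUBJECT"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.path}: {f.detail}")
```

On the sample events the scan reports four findings: the unknown process writing into the drivers folder, the unbaselined short name it chose, and the hash and signer matches when that driver is loaded; the servicing write of tcpip.sys and the write outside the drivers folder produce nothing. The write-by-untrusted-process check is the one that does not depend on indicators, which is why Harris points to it: renaming the file defeats name matching, but not the fact that something other than Windows servicing created a file in that directory.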

Masthead credit: FLY:D


No need to worry, this new cybersecurity threat dubbed "Terminator" will be very easily defeated by the new AI which is flooding the markets, or at least will be defeated by an AI marketing campaign. :laughing:
So as long as someone doesn't download random drivers or blindly click yes to every UAC prompt it's basically useless. Got it....
Yeah really. I mean it sounds bad, and it is. But it is indeed pretty much "game over" when you are running some random piece of software as Administrator.

I'm using Linux, but on there if I ran some random piece of software as root it could (using out-of-the-box functionality!) intercept and tamper with network traffic, kill processes, tamper with processes using the stuff in /proc/, use some combination of fuse and overlay file systems or bind mounts to remount any filesystem to go through it so it can tamper with file I/O at will. (And that is WITHOUT doing direct disk I/O or hardware access, which root can also do, /proc has been around since I don't know, maybe even the 1970s; and the network and file I/O tampering would be using well-documented and well-supported functionality that has been in the distros for like 20 years.)

Also (less reliable since your payload would have to match the running kernel version closely enough) load your own naughty kernel modules and even patch existing kernel functionality (several distros support "livepatch", intended so security patches can be applied to a RUNNING kernel, so you can have that system you never want to reboot but still apply security patches to it.... it blocks access to the function to be patched (so if anything is trying to use that function it blocks for a moment), waits for in-progress use of the function to complete, patches it, re-enables access to the now-patched function so anything waiting to use it unblocks and proceeds with its work... instead of a reboot, you maybe have some stuff pause for like 1/10th of a second. If your stuff is that important you really should be running a hot spare and then you could safely reboot one at a time... but still, very cool if you are going for that mainframe-like uptime.)