New ‘Terminator’ Cybersecurity Threat Puts Windows Users at Risk

0
30
hacker terminator.jpg
hacker terminator.jpg

In the field of cybersecurity, a new threat has emerged that could affect millions of Windows users. Dubbed “Terminator”, this malicious tool uses a vulnerable Windows driver to disable virtually any security software, including antivirus and endpoint detection and response solutions. The emergence of this attack method raises serious concern for users, as it has become a popular technique among ransomware operators and state-backed hackers in recent years.

The Terminator threat and how it works

“Terminator” is being sold on a Russian hacking forum known as Ramp, by a malicious individual identified as Spyboy. This vendor claims that the tool is capable of bypassing the protection measures of at least 23 security solutions, with prices ranging from $300 for a single attack to $3,000 for a full attack.

In order to use this tool, the attackers first need to gain administrative privileges on the target systems and trick the user into allowing the tool to run via a User Account Control (UAC) popup window. Once running, “Terminator” inserts a legitimate kernel driver signed by Zemana Anti-Malware into the C:WindowsSystem32drivers folder. What’s new is that the file is given a random name between four and ten characters. The tool then simply kills any user-level processes created by antivirus or EDR software.

Extensive affectation and Terminator detection

The impact of “Terminator” is significant, as it works on all devices running Windows 7 and later, which covers virtually all Windows users today. Even those who do not use third-party security solutions, such as BitDefender, Avast, or Malwarebytes, are at risk of being affected, as even Windows Defender, Microsoft’s native antivirus, can be bypassed by this threat.

SEE ALSO  We tested the cheapest folding smartphone in Spain, the ZTE Nubia Flip 5G

Although the author of the tool claims that it can fool only 23 security solutions, a VirusTotal analysis reveals that the driver file used by “Terminator” is not detected by 71 antivirus and EDR solutions. Only Elastic has identified the file as potentially malicious. However, experts suggest that YARA and Sigma rules created by threat researchers can be used to identify the vulnerable driver by its hash or name, or block the Zemana Anti-Malware driver signing certificate to mitigate this type of attack. .

The emergence of threats such as “Terminator” underscores the importance of online security and the need for users to take appropriate measures to protect their systems and data. Cybercrime is constantly evolving, and hackers are always looking for new ways to get around security defenses. It is essential that users keep their operating systems and security software up to date, implement safe browsing practices, and be alert for potential signs of malicious activity. Furthermore, companies and software developers must continue to improve their security solutions to deal with these emerging threats and protect their users effectively.