Why it matters: “Bring Your Own Vulnerable Driver” attacks use legitimate drivers that allow hackers to easily disable security solutions on target systems and drop additional malware on them. This has become a popular technique among ransomware operators and state-backed hackers in recent years, and it looks like malicious actors have found a way to make it work on pretty much any PC running Windows.
A CrowdStrike engineer has revealed a new cybersecurity threat dubbed “Terminator,” which is supposedly capable of killing almost any antivirus, Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) security solution.
“Terminator” is being sold on a Russian hacking forum called Ramp by a malicious actor known as Spyboy, who began advertising the endpoint evasion tool on May 21. The author claims the tool is capable of bypassing the protection measures of no fewer than 23 security solutions, with pricing ranging from $300 for a single bypass to $3,000 for an all-in-one bypass.
Windows Defender is one of the AVs that can be bypassed, and the tool works on all devices running Windows 7 and later versions. According to most estimates, Windows Vista and Windows XP are now running on less than 1 percent of all PCs, meaning Terminator impacts almost all Windows users – even those who don’t use a third-party security solution from companies like BitDefender, Avast, or Malwarebytes.
Andrew Harris, Global Senior Director at CrowdStrike, explains that Terminator is essentially a new variant of the increasingly popular Bring Your Own Vulnerable Driver (BYOVD) attack. To use it, “clients” first need to gain administrative privileges on the target system and trick the user into allowing the tool to run via the User Account Control (UAC) pop-up.
Terminator will then drop a legitimate, signed Zemana anti-malware kernel driver into the C:\Windows\System32\drivers\ folder. Normally, the file in question would be named “zam64.sys” or “zamguard64.sys”, but Terminator will give it a random name between four and ten characters long. Once this process is complete, the tool will simply terminate any user-mode processes created by antivirus or EDR software.
The exact mechanism behind Terminator isn’t known, but a reasonable guess is that it works similarly to a proof-of-concept exploit for the vulnerabilities tracked as CVE-2021-31727 and CVE-2021-31728, which expose unrestricted disk read/write capabilities and allow commands to be executed with kernel-level privileges.
While the author of the tool claims it will only fool 23 security solutions, a VirusTotal analysis shows the driver file used by Terminator is undetected by 71 AVs and EDRs. Only Elastic flagged the file as potentially malicious, but Harris says defenders can still tell whether a dropped driver is legitimate by monitoring for uncommon file writes in C:\Windows\System32\drivers.
Alternatively, you can use YARA and Sigma rules written by threat researchers such as Florian Roth and Nasreddine Bencherchali to quickly identify the vulnerable driver by hash or name. You can also mitigate the attack by blocking the signing certificate of the Zemana Anti-Malware driver.
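As an added illustration of the detection advice above (not code from the article, CrowdStrike, or the rule authors), the following Python snippet applies those checks to constructed Sysmon-style file-create records: a known Zemana driver name, a known hash (placeholder only, since the article lists none), an uncommon write to the drivers folder by a non-installer process, and the random four-to-ten-character name Terminator is said to use. The baseline driver list, trusted installer paths, and event fields are assumptions for the example.

```python
import re
from dataclasses import dataclass

DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"
# Legitimate names of the Zemana driver per the article; Terminator renames it.
KNOWN_VULNERABLE_NAMES = {"zam64.sys", "zamguard64.sys"}
# Placeholder: take real values from the published YARA/Sigma rules.
KNOWN_VULNERABLE_SHA256 = {"<sha256-of-vulnerable-zemana-driver-placeholder>"}
# Assumed baseline of drivers already present on a clean image of this host.
BASELINE = {"ntfs.sys", "tcpip.sys", "disk.sys"}
# Assumed processes that legitimately write drivers; anything else is "uncommon".
TRUSTED_WRITERS = {"c:\\windows\\system32\\drvinst.exe", "c:\\windows\\system32\\poqexec.exe"}
# Terminator gives the dropped driver a random 4-10 character name.
RANDOM_NAME = re.compile(r"^[a-z0-9]{4,10}\.sys$")


@dataclass
class FileCreate:
    """Subset of a Sysmon Event ID 11 (FileCreate) record, as assumed here."""
    image: str      # process that wrote the file
    target: str     # full path of the created file
    sha256: str = ""  # hash, if the pipeline enriches the event with one


def assess(ev: FileCreate) -> list:
    """Return the reasons this file-create event looks like a BYOVD driver drop."""
    path = ev.target.lower()
    if not path.startswith(DRIVERS_DIR) or not path.endswith(".sys"):
        return []  # only kernel driver writes into the drivers folder matter here
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if name in KNOWN_VULNERABLE_NAMES:
        reasons.append("known vulnerable driver name")
    if ev.sha256 and ev.sha256.lower() in KNOWN_VULNERABLE_SHA256:
        reasons.append("known vulnerable driver hash")
    if name not in BASELINE and ev.image.lower() not in TRUSTED_WRITERS:
        reasons.append("uncommon driver write by non-installer process")
        if name not in KNOWN_VULNERABLE_NAMES and RANDOM_NAME.match(name):
            reasons.append("short random-looking driver name")
    return reasons


# Constructed sample events: a renamed drop, a normal installer write, a known name.
SAMPLE_EVENTS = [
    FileCreate(r"c:\users\bob\appdata\local\temp\tool.exe", r"C:\Windows\System32\drivers\kq3x9pa.sys"),
    FileCreate(r"c:\windows\system32\drvinst.exe", r"C:\Windows\System32\drivers\disk.sys"),
    FileCreate(r"c:\users\bob\downloads\setup.exe", r"C:\Windows\System32\drivers\zam64.sys"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.target, "->", assess(ev) or "clean")
```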
Masthead credit: FLY:D