News

“Antivirus killer” from hacker forums turned out to be a variation of a BYOVD attack

Security Parrot Editorial Team

Terminator: A BYOVD Attack That Can Bypass 24 Different Antiviruses

A tool called Terminator is being distributed on Russian-language hack forums by a seller known as Spyboy. The seller claims that Terminator is capable of stopping any antivirus, XDR, and EDR platform, but experts from CrowdStrike have come to the conclusion that it is actually a Bring Your Own Vulnerable Driver (BYOVD) attack. BYOVD attacks involve the use of legitimate drivers that are signed with valid certificates and can run with kernel privileges. These drivers are dropped on victims’ devices to disable security solutions and eventually take over the system.
Spyboy claims that Terminator is able to bypass 24 different antiviruses, as well as EDR (Endpoint Detection and Response) and XDR (Extended Detection and Response) solutions, including Windows Defender on devices running Windows 7 and later. The author estimates the cost of Terminator at $300 to bypass a single security solution, and $3,000 for the full version. Spyboy also emphasizes that ransomware and blockers are prohibited, and he is not responsible for such actions.
In order to use Terminator, malicious actors will need administrative privileges on the target Windows systems, and they will also need to trick the user into allowing the tool to run in the User Account Controls (UAC) window that will be displayed on startup.
Researchers from CrowdStrike have found that Terminator simply places a legitimate signed Zemana kernel driver (zamguard64.sys or zam64.sys) in the C:\Windows\System32\ folder under a random name of 4 to 10 characters. When the malicious driver is written to disk, Terminator loads it and uses kernel-level privileges to terminate the user-mode processes of the antivirus and security software running on the device.
A PoC exploit was released back in 2021 that uses flaws in drivers to execute commands with Windows kernel privileges, and this can be used to terminate anti-malware processes. According to VirusTotal, the currently used driver is detected as vulnerable and potentially malicious by only one antivirus engine. However, experts from Nextron Systems have already shared YARA and Sigma rules (by hash and by name) that will help defenders detect the vulnerable driver used by Terminator.

What is BYOVD Attack?

A Bring Your Own Vulnerable Driver (BYOVD) attack is a type of attack that involves the use of legitimate drivers that are signed with valid certificates and can run with kernel privileges. These drivers are dropped on victims’ devices to disable security solutions and eventually take over the system. BYOVD attacks are becoming increasingly popular among malicious actors, as they are difficult to detect and can be used to bypass a wide range of security solutions.

How Does Terminator Work?

Terminator is a tool that is being distributed on Russian-language hack forums by a seller known as Spyboy. The seller claims that Terminator is capable of stopping any antivirus, XDR, and EDR platform, but experts from CrowdStrike have come to the conclusion that it is actually a Bring Your Own Vulnerable Driver (BYOVD) attack.
In order to use Terminator, malicious actors will need administrative privileges on the target Windows systems, and they will also need to trick the user into allowing the tool to run in the User Account Controls (UAC) window that will be displayed on startup.
Terminator simply places a legitimate signed Zemana kernel driver (zamguard64.sys or zam64.sys) in the C:\Windows\System32\ folder under a random name of 4 to 10 characters. When the malicious driver is written to disk, Terminator loads it and uses kernel-level privileges to terminate the user-mode processes of the antivirus and security software running on the device.

How to Detect and Prevent BYOVD Attacks?

BYOVD attacks are becoming increasingly popular among malicious actors, as they are difficult to detect and can be used to bypass a wide range of security solutions. However, there are a few steps that organizations can take to detect and prevent BYOVD attacks.
First, organizations should ensure that their security solutions are up to date and that they are running the latest version of the software. Additionally, organizations should use YARA and Sigma rules (by hash and by name) to detect the vulnerable driver used by Terminator.
Finally, organizations should ensure that their systems are properly configured and that users are trained to recognize and respond to suspicious activity. This includes educating users on how to recognize and respond to UAC prompts, as well as how to identify and respond to suspicious emails and websites.

Share this Article
Exit mobile version
Lost your password?