A tool called Terminator has appeared on one of the Russian hacker forums. According to its author, it can destroy any antivirus program, as well as XDR and EDR platforms. Information security specialists also reported that, due to the sanctions, Russian hackers are looking for new ways to launder money. “Terminator” can allegedly bypass a total of 24 different antivirus, Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions on devices running Windows 7 and higher.
Terminator Tool Bypasses Antivirus Tools
The author of the tool, known by the pseudonym “Spyboy”, sells the product at prices ranging from $300 for one type of detection bypass to $3,000 for all types at once.
In order to use Terminator, clients need administrative privileges on the target Windows systems, so they must somehow trick the user into accepting the Windows User Account Control (UAC) pop-up that is displayed when the tool is launched. That is a headache for the client, not for the developer of the malicious software. A CrowdStrike engineer found, and reported in a post on Reddit, that “Terminator” is being sold under a louder slogan than it deserves. As it turned out, the tool simply drops a legitimate, signed Zemana antivirus driver, “zamguard64.sys” or “zam64.sys”, into the “C:\Windows\System32\” folder of the target system.
After the aforementioned driver is written to disk, “Terminator” loads it to obtain elevated privileges at the kernel level to terminate the processes of antivirus, EDR and XDR programs running on the device. Currently, only one VirusTotal antivirus scan engine detects this driver as vulnerable. Fortunately, researchers at Nextron Systems have already shared indicators of compromise (
What then?
BYOVD (Bring Your Own Vulnerable Driver) attacks are common among attackers who like to deliver malicious payloads “silently”. In these attacks, hackers take completely legitimate drivers that have valid certificates and can run with kernel privileges, and use them for purposes they were never intended for: to disable security solutions and take over the system. A wide range of cybercriminal groups have been using this technique for years, from financially motivated gangs to state-backed hacker groups.
In April, Sophos wrote about similar malware developed by another group of attackers. A hacking tool called AuKill allowed criminals to disable EDR solutions thanks to a vulnerable driver of a legitimate third-party program, Process Explorer, and was even used for a while in LockBit attacks.
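The drop-then-load sequence described for Terminator above can be looked for in endpoint telemetry. The following is an added example, not code from the article or from any vendor: it triages Sysmon-style events (Event ID 11 for file creation, Event ID 6 for driver load) and goes slightly beyond the article by also matching on the signer, so a copy loaded under another file name is still flagged. The event dictionaries, host names, timestamps and the signer string "Zemana Ltd." are constructed assumptions.

```python
import ntpath

# Driver file names reported in the article.
ZEMANA_NAMES = {"zamguard64.sys", "zam64.sys"}
# Assumption: substring expected in Sysmon's Signature field for this driver.
ZEMANA_SIGNER = "zemana"

def classify(event):
    """Map one Sysmon-style event to 'write', 'load' or None."""
    eid = event.get("EventID")
    if eid == 11:    # FileCreate: driver dropped to disk
        name = ntpath.basename(event.get("TargetFilename", "")).lower()
        return "write" if name in ZEMANA_NAMES else None
    if eid == 6:     # DriverLoad: driver mapped into the kernel
        name = ntpath.basename(event.get("ImageLoaded", "")).lower()
        signer = event.get("Signature", "").lower()
        # Signer match also catches a copy loaded under another file name.
        if name in ZEMANA_NAMES or ZEMANA_SIGNER in signer:
            return "load"
    return None

def triage(events):
    """Return {host: severity}; a drop followed by a load is 'high'."""
    seen, result = {}, {}
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        kind = classify(ev)
        if kind is None:
            continue
        host = ev["Computer"]
        if kind == "load" and "write" in seen.get(host, set()):
            result[host] = "high"          # dropped, then loaded
        else:
            result.setdefault(host, "medium")
        seen.setdefault(host, set()).add(kind)
    return result

# Constructed sample events (not real telemetry).
SAMPLE = [
    {"EventID": 11, "Computer": "ws01", "UtcTime": "2023-06-01 10:00:01",
     "TargetFilename": r"C:\Windows\System32\zamguard64.sys"},
    {"EventID": 6, "Computer": "ws01", "UtcTime": "2023-06-01 10:00:03",
     "ImageLoaded": r"C:\Windows\System32\zamguard64.sys", "Signature": "Zemana Ltd."},
    {"EventID": 6, "Computer": "ws02", "UtcTime": "2023-06-01 11:00:00",
     "ImageLoaded": r"C:\Windows\System32\drivers\abc.sys", "Signature": "Zemana Ltd."},
    {"EventID": 6, "Computer": "ws03", "UtcTime": "2023-06-01 12:00:00",
     "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys", "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A load without a preceding drop is rated only "medium" because a host that runs Zemana's own product loads the same driver legitimately.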