Terminator hacking tool gets offered on underground forums

June 14, 2023

A threat actor has put the Terminator hacking tool up for sale on a Russian hacking forum. Based on reports, an actor named Spyboy offered the tool, which can allegedly disable a wide range of AV, EDR, and XDR security products. However, a security firm disputed the claims, assessing that the Terminator hacking tool is simply a sophisticated Bring Your Own Vulnerable Driver (BYOVD) operation.

The hacking tool allegedly bypasses about 24 different AV, EDR, and XDR products, including Windows Defender. In addition, the developer prices the software according to whether the buyer wants a bypass for a single product or an all-in-one bypass.

A disclaimer also stated that the threat actor would not separately sell bypasses for EDRs such as Carbon Black, Cortex, CrowdStrike, Cylance, SentinelOne, and Sophos. The seller insisted that they would not be responsible for any incidents involving ransomware or lockers.

The Terminator hacking tool leverages a legitimate and signed anti-malware driver.

According to investigations, Terminator drops a legitimate, signed Zemana anti-malware kernel driver, normally named zam64[.]sys or zamguard64[.]sys, into the C:\Windows\System32\ directory under a random name of 4 to 10 characters.

Terminator then loads the driver and abuses its kernel-level privileges to terminate the user-mode processes belonging to the compromised device's AV and EDR software.

However, further research revealed that anyone using Terminator needs administrator privileges on the targeted Windows system. Moreover, the attacker must get the targeted user to accept the User Account Control (UAC) prompt that appears when the tool is run. This requirement is why some researchers consider the hacking tool to be just a BYOVD operation.

The vulnerable driver used by Terminator is flagged by only a single anti-malware scanning engine. Fortunately, the head of the research team that analysed Terminator has shared YARA and Sigma rules that allow defenders to spot the vulnerable driver the hacking tool relies on.

The shared rules can help defenders identify vulnerable drivers across their systems and reduce the attack surface they represent.
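As an added illustration (not the researchers' published YARA or Sigma rules, and not code from the article), the following Python turns the dropped-driver behaviour described above into a simple detection over driver-load telemetry. It assumes Sysmon Event ID 6 style records with ImageLoaded, Signed and Signature fields, and a signer string containing "Zemana" (the exact subject name is an assumption); the sample records are constructed.

```python
import ntpath

# Driver file names the Zemana anti-malware product ships under, per the article.
KNOWN_ZEMANA_DRIVERS = {"zam64.sys", "zamguard64.sys"}
# Directory the article reports the tool drops the renamed driver into.
DROP_DIR = "c:\\windows\\system32"


def classify_driver_load(event):
    """Classify one driver-load record (Sysmon Event ID 6 field names assumed).

    Returns "high", "medium" or None. Only Zemana-signed drivers are considered;
    a load under one of the product's own file names is treated as normal.
    """
    if event.get("Signed", "").lower() != "true":
        return None
    if "zemana" not in event.get("Signature", "").lower():
        return None
    path = event.get("ImageLoaded", "")
    name = ntpath.basename(path).lower()
    if name in KNOWN_ZEMANA_DRIVERS:
        return None
    stem, ext = ntpath.splitext(name)
    directory = ntpath.dirname(path).lower()
    # High confidence: renamed driver dropped directly into System32 with a
    # 4-10 character name, matching the behaviour reported for Terminator.
    if directory == DROP_DIR and ext == ".sys" and 4 <= len(stem) <= 10:
        return "high"
    # Any other Zemana-signed driver under an unexpected name still merits review.
    return "medium"


def scan(events):
    """Return (path, confidence) for every record that is not a normal Zemana load."""
    hits = []
    for event in events:
        confidence = classify_driver_load(event)
        if confidence:
            hits.append((event["ImageLoaded"], confidence))
    return hits


# Constructed sample records, not real telemetry; signer string is assumed.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\zam64.sys", "Signed": "true", "Signature": "Zemana Ltd."},
    {"ImageLoaded": r"C:\Windows\System32\qx7pt2.sys", "Signed": "true", "Signature": "Zemana Ltd."},
    {"ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys", "Signed": "true", "Signature": "Microsoft Windows"},
    {"ImageLoaded": r"C:\Users\Public\tools\zamguard.sys", "Signed": "true", "Signature": "Zemana Ltd."},
]

if __name__ == "__main__":
    for path, confidence in scan(SAMPLE_EVENTS):
        print(f"[{confidence}] {path}")
```

Running the block prints the renamed System32 driver as a high-confidence hit and the oddly located driver as a medium one, while the product's own driver name and the Microsoft-signed driver are ignored.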
