Andrew Harris, global senior director at CrowdStrike, has shared details about “Terminator,” an endpoint detection and response (EDR) killer tool that a threat actor known as “Spyboy” is advertising on the Russian-language underground marketplace RAMP. The campaign apparently started last month, around May 21.
Spyboy, the tool’s author, claims that Terminator can successfully disable twenty-three EDR and antivirus controls, including products from Microsoft, Sophos, CrowdStrike, AVG, Avast, ESET, Kaspersky, McAfee, Bitdefender, Malwarebytes and more. The software is being sold for US$300 (single bypass) to US$3,000 (all-in-one bypass).
CrowdStrike notes that the Terminator EDR evasion tool drops a legitimate, signed Zemana Anti-Malware driver file, which is then abused to potentially exploit the security vulnerability tracked as CVE-2021-31728. However, this requires elevated privileges and acceptance of a User Account Control (UAC) prompt. On VirusTotal, only Elastic detects the file; the other 70 vendors do not flag it.
Harris says the tool works by disabling security components using the Bring Your Own Vulnerable Driver (BYOVD) technique:
At the time of writing, the Terminator software requires administrative privileges and User Account Control (UAC) approval to function properly. After execution with the appropriate level of privilege, the binary will write a valid, signed driver file (Zemana Anti-Malware) to the C:\Windows\System32\drivers\ folder. The driver file is given a random name between 4 and 10 characters.
This technique is similar to other Bring Your Own Driver (BYOD) campaigns that have been used by threat actors over the years.
Under normal circumstances the driver’s name would be zamguard64.sys or zam64.sys. The driver is signed by “Zemana Limited”, and its thumbprint is: 96A7749D856CB49DE32005BCDD8621F38E2B4C05.
After being written to disk, the driver is loaded and is observed terminating the user-mode processes of AV and EDR software.
In a demo, the threat actor showed that the CrowdStrike Falcon EDR was successfully disabled with Terminator. The image on the left (below) shows Falcon still running, while the image on the right shows that the Falcon process has been terminated.
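As an added defender-side example (not from the article and not CrowdStrike’s code), the following Python script turns the indicators quoted above into a hunt over driver-load telemetry: a Zemana-signed driver loaded from the drivers folder under a random 4-10 character name is flagged high, while the same driver under its genuine name is flagged for review. Field names follow Sysmon Event ID 6 (DriverLoad); the sample records are constructed.

```python
import re
from typing import Optional

# Indicators from the article: the driver's normal filenames and its signer.
# Sysmon Event ID 6 carries the signer name, not the certificate thumbprint.
EXPECTED_NAMES = {"zamguard64.sys", "zam64.sys"}
ZEMANA_SIGNER = "zemana limited"
DRIVERS_DIR = r"c:\windows\system32\drivers"
# Terminator writes the driver under a random 4-10 character name.
RANDOM_NAME = re.compile(r"^[a-z0-9]{4,10}\.sys$")

def classify_driver_load(event: dict) -> Optional[str]:
    """Return "high", "medium" or None for one Sysmon Event ID 6 record."""
    if event.get("EventID") != 6:
        return None
    if event.get("Signature", "").lower() != ZEMANA_SIGNER:
        return None
    directory, _, name = event.get("ImageLoaded", "").lower().rpartition("\\")
    if name in EXPECTED_NAMES:
        # Genuine filename: worth a look only if no Zemana product is installed.
        return "medium"
    if directory == DRIVERS_DIR and RANDOM_NAME.match(name):
        # Zemana-signed driver under a random name in the drivers folder:
        # the pattern the article describes for Terminator.
        return "high"
    return "medium"

def hunt(events: list) -> list:
    """Return (severity, path) for every event worth an analyst's attention."""
    findings = []
    for ev in events:
        severity = classify_driver_load(ev)
        if severity:
            findings.append((severity, ev["ImageLoaded"]))
    return findings

# Constructed sample records in the shape of Sysmon Event ID 6 (DriverLoad).
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\zam64.sys",
     "Signature": "Zemana Limited", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\kq7xp2.sys",
     "Signature": "Zemana Limited", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for severity, path in hunt(SAMPLE_EVENTS):
        print(f"[{severity}] Zemana-signed driver loaded: {path}")
```

The signer-name match can be tightened to the thumbprint quoted above by checking the file on disk with Get-AuthenticodeSignature, which Sysmon events alone do not expose.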