Spyboy promotes “Terminator” Antivirus Killer
Yesterday, CrowdStrike posted that bad actor Spyboy is promoting a $3000, all-in-one tool called “Terminator” that can allegedly bypass 24 antivirus, XDR, and EDR platforms, including Windows Defender, on devices running Windows 7 and later. In reality, it is just a dressed-up Bring Your Own Vulnerable Driver (BYOVD) attack.
To use Terminator, an attacker must already have administrative privileges on the targeted system and must get the user to accept the User Account Control (UAC) prompt that is displayed when the tool runs.
However, researchers discovered that Terminator simply drops a legitimate, signed Zemana anti-malware kernel driver into the C:\Windows\System32\ folder and then loads it, using the driver's kernel-level privileges to kill the user-mode processes of the AV and EDR software running on the device.
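The chain described above (a third-party .sys written into System32, loaded as a kernel driver, then security-agent processes terminated) is what a defender can correlate on, since the driver itself is validly signed. Below is an added example, not code from the original post or from CrowdStrike, that runs that correlation over constructed endpoint telemetry; the driver file name, the signer strings and the list of agent images are placeholders chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    kind: str          # "file_write" | "driver_load" | "process_terminate"
    path: str          # file written, driver image, or image of the killed process
    signer: str = ""   # Authenticode publisher, set on driver_load events only

# Assumed set of security-agent images to watch; extend it for the EDR in use.
AGENT_IMAGES = {"msmpeng.exe"}          # Windows Defender's engine process
SYSTEM32 = "c:\\windows\\system32\\"

def find_byovd_chains(events, window=timedelta(minutes=5)):
    """Return one alert per chain: .sys written into System32 -> loaded as a
    kernel driver by a non-Microsoft signer -> agent killed within `window`."""
    events = sorted(events, key=lambda e: e.ts)
    # When each .sys under System32 was (re)written; the dropped driver is not
    # normally present there, so a fresh write followed by a load is the signal.
    written = {e.path.lower(): e.ts for e in events
               if e.kind == "file_write" and e.path.lower().startswith(SYSTEM32)
               and e.path.lower().endswith(".sys")}
    alerts = []
    for load in events:
        if load.kind != "driver_load":
            continue
        drv = load.path.lower()
        if drv not in written or written[drv] > load.ts:
            continue
        if load.signer.lower().startswith("microsoft"):
            continue   # signature is valid either way; the chain is the signal
        killed = sorted({k.path.rsplit("\\", 1)[-1].lower() for k in events
                         if k.kind == "process_terminate"
                         and load.ts <= k.ts <= load.ts + window
                         and k.path.rsplit("\\", 1)[-1].lower() in AGENT_IMAGES})
        if killed:
            alerts.append({"driver": load.path, "signer": load.signer,
                           "loaded_at": load.ts, "terminated": killed})
    return alerts

# Constructed sample telemetry (not real log data); driver name is a placeholder.
T = datetime(2023, 6, 1, 14, 0, 0)
SAMPLE_EVENTS = [
    Event(T - timedelta(hours=4), "driver_load", r"C:\Windows\System32\drivers\ntfs.sys", "Microsoft Windows"),
    Event(T, "file_write", r"C:\Windows\System32\EXAMPLE_VULNERABLE_DRIVER.sys"),
    Event(T + timedelta(seconds=5), "driver_load", r"C:\Windows\System32\EXAMPLE_VULNERABLE_DRIVER.sys", "Example AV Vendor Ltd."),
    Event(T + timedelta(seconds=9), "process_terminate", r"C:\Program Files\Windows Defender\MsMpEng.exe"),
    Event(T + timedelta(minutes=30), "file_write", r"C:\Windows\System32\benign_vendor.sys"),
    Event(T + timedelta(minutes=31), "driver_load", r"C:\Windows\System32\benign_vendor.sys", "Benign Vendor Inc."),
]

if __name__ == "__main__":
    for a in find_byovd_chains(SAMPLE_EVENTS):
        print(f"BYOVD chain: {a['driver']} ({a['signer']}) at {a['loaded_at']}, then killed {a['terminated']}")
```

In production the signer heuristic should be replaced by a lookup against Microsoft's vulnerable driver blocklist (enforced via HVCI or WDAC), which blocks the load outright rather than alerting after the fact.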
Currently, according to a VirusTotal scan, this driver is flagged as a vulnerable driver by only a single anti-malware scanning engine.
Roy Akerman, Co-Founder & CEO of Rezonate, has this comment:
“This claim made by Spyboy created anticipation and anxiety among cyber defense teams for the past week, as tampering with security controls may leave organizations vulnerable and unaware, assuming protection is in place and active. Organizations that use an EDR solution that only has a user-mode agent need to take further actions to avoid any exploitation and elimination of that agent. If a kernel-mode agent is available, a check to make sure the configuration is properly listed is a priority.”
If this claim is true, this is going to make a lot of lives miserable. Hopefully the fact that CrowdStrike got this info out there quickly will help to mitigate this threat.
This entry was posted on June 1, 2023 at 2:00 pm and is filed under Commentary with tags Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.