Andrew Harris, Global Senior Director at CrowdStrike, has shared details about "Terminator", an Endpoint Detection and Response (EDR) killing tool being promoted by a threat actor named "Spyboy" on the Russian Anonymous Marketplace (RAMP). The campaign appears to have started last month, around May 21.
Its author, Spyboy, claims that Terminator can disable twenty-three EDR and anti-virus products, including ones from Microsoft, Sophos, CrowdStrike, AVG, Avast, ESET, Kaspersky, McAfee, Bitdefender, Malwarebytes, and more. The software is being sold for US$300 (single bypass) to US$3,000 (all-in-one bypass).
CrowdStrike notes that the Terminator EDR evasion tool drops a legitimate, signed Zemana Anti-Malware driver file, which is then used to potentially exploit a security vulnerability tracked as CVE-2021-31728. However, the tool requires elevated privileges and User Account Control (UAC) acceptance. According to VirusTotal, only Elastic detects the file as malicious; it is undetected by 70 other vendors.
Harris says that the tool works much like other Bring Your Own Vulnerable Driver (BYOVD) attacks, which disable security components present on the system:
At time of writing, the Terminator software requires administrative privileges and User Account Controls (UAC) acceptance to properly function. Once executed with the proper level of privilege, the binary will write a legitimate, signed driver file — Zemana Anti-Malware — to the C:\Windows\System32\drivers\ folder. The driver file is given a random name between 4 and 10 characters.
This technique is similar to other Bring Your Own Driver (BYOD) campaigns observed being used by threat actors over the past several years.
Under normal circumstances, the driver would be named zamguard64.sys or zam64.sys. The driver is signed by “Zemana Ltd.” and has the following thumbprint: 96A7749D856CB49DE32005BCDD8621F38E2B4C05.
Once written to disk, the software loads the driver and has been observed terminating the user-mode processes of AV and EDR software.
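The write-up above gives defenders two stable indicators for this technique: the signer name and certificate thumbprint of the Zemana driver, and the fact that it is dropped into C:\Windows\System32\drivers\ under a random 4 to 10 character name instead of zamguard64.sys or zam64.sys. The following Python is an added example, not code from the article or from CrowdStrike, showing how a detection over driver-load events can combine those indicators. The events are constructed to approximate Sysmon Event ID 6 (driver loaded); the CertThumbprint field is an assumed enrichment, since Sysmon itself records only the signer name and file hashes.

```python
"""Flag driver-load events where the signed Zemana Anti-Malware driver
appears under an unexpected file name or location."""
import ntpath
import re

# Values quoted in the CrowdStrike write-up.
ZEMANA_THUMBPRINT = "96A7749D856CB49DE32005BCDD8621F38E2B4C05"
ZEMANA_SIGNER = "Zemana Ltd."
EXPECTED_NAMES = {"zamguard64.sys", "zam64.sys"}
DRIVERS_DIR = r"c:\windows\system32\drivers"

# A 4-10 character random stem, matching the naming described above.
RANDOM_STEM = re.compile(r"[a-z0-9]{4,10}\.sys")

# Constructed sample events approximating Sysmon Event ID 6 fields.
# "CertThumbprint" is an assumed enrichment field (e.g. from an Authenticode
# lookup on the file); Sysmon records the signer name, not the thumbprint.
SAMPLE_EVENTS = [
    {"UtcTime": "2023-06-01 10:02:11",
     "ImageLoaded": r"C:\Windows\System32\drivers\zamguard64.sys",
     "Signature": "Zemana Ltd.", "SignatureStatus": "Valid",
     "CertThumbprint": ZEMANA_THUMBPRINT},
    {"UtcTime": "2023-06-01 10:05:43",
     "ImageLoaded": r"C:\Windows\System32\drivers\kfjqpz.sys",
     "Signature": "Zemana Ltd.", "SignatureStatus": "Valid",
     "CertThumbprint": ZEMANA_THUMBPRINT},
    {"UtcTime": "2023-06-01 10:06:00",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
     "CertThumbprint": "0000000000000000000000000000000000000000"},
    {"UtcTime": "2023-06-01 10:07:19",
     "ImageLoaded": r"C:\Users\Public\zam64.sys",
     "Signature": "Zemana Ltd.", "SignatureStatus": "Valid",
     "CertThumbprint": ZEMANA_THUMBPRINT},
]


def is_zemana_driver(event):
    """True when either the signer name or the certificate thumbprint matches."""
    return (event.get("Signature") == ZEMANA_SIGNER
            or event.get("CertThumbprint", "").upper() == ZEMANA_THUMBPRINT)


def classify(event):
    """Return a severity for one driver-load event, or None if not of interest."""
    if not is_zemana_driver(event):
        return None
    path = event["ImageLoaded"]
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    if name in EXPECTED_NAMES:
        # Legitimate name. Still worth review where Zemana is not deployed,
        # and more so when the file sits outside the normal driver directory.
        return "low" if directory == DRIVERS_DIR else "medium"
    if directory == DRIVERS_DIR and RANDOM_STEM.fullmatch(name):
        # Signed Zemana driver loaded under a random name from the drivers
        # folder: the exact pattern described in the write-up.
        return "high"
    # Renamed Zemana driver anywhere else is still suspicious.
    return "medium"


def scan_driver_loads(events):
    """Return (time, path, severity) for every event that matches."""
    findings = []
    for ev in events:
        sev = classify(ev)
        if sev is not None:
            findings.append((ev["UtcTime"], ev["ImageLoaded"], sev))
    return findings


if __name__ == "__main__":
    for time, path, sev in scan_driver_loads(SAMPLE_EVENTS):
        print(f"{sev:6} {time} {path}")
```

The point of matching on signer and thumbprint rather than file hash is that the driver itself is legitimate and will pass signature checks; what makes the load suspicious is the combination of that signer with a name and location the product would never use. In a real deployment the same logic maps onto whatever driver-load telemetry the EDR or Sysmon provides, and a hit on the "high" path is a reason to check which process wrote the file and whether the vulnerable driver blocklist is enforced on the host.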
In a demo, the threat actor showed CrowdStrike Falcon EDR being successfully disabled with Terminator. The image on the left (below) shows Falcon still running, while the image on the right shows the Falcon process terminated.