A recent discovery in the cybersecurity landscape has unveiled a concerning tool known as ‘Terminator’, promoted by a threat actor named Spyboy on a Russian-speaking forum, that claims to have the capability to terminate any antivirus, XDR, and EDR platform. However, leading cybersecurity firm CrowdStrike has shed light on the reality behind Terminator, labeling it as a sophisticated Bring Your Own Vulnerable Driver (BYOVD) attack.

image

According to Spyboy’s claims, Terminator can bypass 24 different antivirus (AV), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) security solutions, including the widely-used Windows Defender, on devices running Windows 7 and later. The tool is offered for sale by Spyboy, with prices ranging from $300 for a single bypass to $3,000 for an all-in-one bypass.

Insights from a CrowdStrike engineer, shared in a Reddit post, reveal that Terminator’s functionality is far less sophisticated than its claims suggest. The tool simply drops a legitimate, signed Zemana anti-malware kernel driver (zamguard64.sys or zam64.sys) into the C:\Windows\System32\2 folder with a randomly generated name between 4 and 10 characters. This driver, once written to the disk, is then loaded by Terminator to leverage its kernel-level privileges to terminate user-mode processes of AV and EDR software on the compromised device.

As the Zemana Anti-Malware driver is not overly common, it becomes a good target for hunting. Please note: the presence of the Zemana Anti-Malware driver in your environment is not necessarily indicative of the presence of the spyboy defense evasion tool, rather, it is a point of investigation to determine if the use of the driver is legitimate.

The technique employed by Terminator, commonly known as Bring Your Own Driver (BYOVD) attacks, leverages legitimate drivers signed with valid certificates and capable of executing with kernel privileges. This enables threat actors to bypass security solutions, execute malicious code, and deliver additional payloads.


Indicators of Compromise (IoCs)

HASH
543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91