Russian Hacker Sells Terminator Tool That Is Allegedly Able to Bypass Any Antivirus Programs

Terminator and antivirus programs

A tool called Terminator has appeared on one of the Russian hacker forums and, according to its author, can kill any antivirus program as well as XDR and EDR platforms. “Terminator” allegedly bypasses a total of 24 different antivirus, Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions on devices running Windows 7 and later.


Terminator Tool Bypasses Antivirus Tools

The author of the tool, known by the pseudonym “Spyboy”, sells his product for prices ranging from $300 for a single detection bypass to $3,000 for all of them at once.

“The following EDRs cannot be sold separately: SentinelOne, Sophos, CrowdStrike, Carbon Black, Cortex, Cylance. But ransomware and lockers are prohibited, and I am not responsible for such actions.” - hacker.

To use Terminator, a buyer needs administrative privileges on the target Windows system, so the victim must somehow be tricked into accepting the Windows User Account Control (UAC) prompt that appears when the tool is launched. That is the buyer's problem, not the malware developer's. A CrowdStrike engineer, in a post on Reddit, found that “Terminator” is sold under a louder slogan than the tool deserves. As it turns out, the tool simply writes a legitimate, signed Zemana antivirus driver, “zamguard64.sys” or “zam64.sys”, into the “C:\Windows\System32\” folder of the target system.

Once the driver is on disk, “Terminator” loads it and uses the kernel-level access it provides to terminate the processes of the antivirus, EDR and XDR products running on the device. At present only one VirusTotal antivirus engine flags this driver as vulnerable. Fortunately, researchers at Nextron Systems have already published indicators of compromise (IoCs) that help security teams detect the vulnerable driver used by Terminator before it does any harm.
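The observable chain described above (the Zemana driver written into System32, that driver loaded, then several security-product processes dying shortly afterwards) is easy to turn into a detection. The script below is an added example, not code from the article, Nextron Systems or CrowdStrike: it runs that logic over constructed Sysmon-style events. The driver file names come from the article; the event shape, the process-name hints, the 60-second window and the sample paths are assumptions for illustration. Nextron's published hashes are not reproduced on this page, so the check matches on file name only; a production rule should also match the hashes and the driver's signer.

```python
"""Added example: flag the Terminator BYOVD pattern in Sysmon-style events.
Chain: vulnerable Zemana driver written to System32 -> driver loaded ->
several security-product processes terminated within a short window."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Driver file names the article reports Terminator writes to System32.
VULNERABLE_DRIVERS = {"zam64.sys", "zamguard64.sys"}
SYSTEM32_PREFIX = "c:\\windows\\system32\\"
# Assumption: substrings that identify security-product processes. A real rule
# would list the exact process names of the products deployed in the estate.
SECURITY_PROCESS_HINTS = ("sentinel", "csfalcon", "sophos", "cylance",
                          "cb.exe", "cortex", "msmpeng")
# Terminations this soon after the driver load are attributed to it (assumption).
KILL_WINDOW = timedelta(seconds=60)
MIN_KILLS = 2


@dataclass
class Event:
    """Minimal Sysmon-like record: 11 = FileCreate, 6 = DriverLoad, 5 = ProcessTerminate."""
    ts: datetime
    event_id: int
    image: str        # writing process (11), loader (6) or terminated process (5)
    target: str = ""  # file created (11) or driver image loaded (6)


def basename(path: str) -> str:
    """Case-folded final path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_vulnerable_driver(path: str) -> bool:
    """True when the file name is one of the Zemana driver names."""
    return basename(path) in VULNERABLE_DRIVERS


def looks_like_security_process(image: str) -> bool:
    return any(hint in basename(image) for hint in SECURITY_PROCESS_HINTS)


def detect_byovd(events):
    """Return findings in time order; each is {"rule": ..., "detail": ...}."""
    findings = []
    last_load = None   # timestamp of the most recent vulnerable-driver load
    killed = []        # security processes terminated since that load
    for e in sorted(events, key=lambda ev: ev.ts):
        if (e.event_id == 11 and is_vulnerable_driver(e.target)
                and e.target.lower().startswith(SYSTEM32_PREFIX)):
            findings.append({"rule": "driver_written",
                             "detail": f"{basename(e.target)} written by {e.image}"})
        elif e.event_id == 6 and is_vulnerable_driver(e.target):
            findings.append({"rule": "driver_loaded", "detail": e.target})
            last_load, killed = e.ts, []
        elif (e.event_id == 5 and last_load is not None
              and e.ts - last_load <= KILL_WINDOW
              and looks_like_security_process(e.image)):
            killed.append(basename(e.image))
            if len(killed) == MIN_KILLS:  # fire once per driver load
                findings.append({"rule": "security_processes_terminated",
                                 "detail": ", ".join(killed)})
    return findings


# Constructed sample telemetry (not real logs); paths and times are made up.
T0 = datetime(2023, 6, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, 11, r"C:\Users\alice\Downloads\terminator.exe",
          r"C:\Windows\System32\zamguard64.sys"),
    Event(T0 + timedelta(seconds=2), 6, "System", r"C:\Windows\System32\zamguard64.sys"),
    Event(T0 + timedelta(seconds=5), 5,
          r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe"),
    Event(T0 + timedelta(seconds=6), 5, r"C:\Program Files\CrowdStrike\CSFalconService.exe"),
    Event(T0 + timedelta(seconds=9), 6, "System",
          r"C:\Windows\System32\drivers\ndis.sys"),            # benign driver load
    Event(T0 + timedelta(minutes=5), 5, r"C:\Windows\notepad.exe"),  # benign exit
]

if __name__ == "__main__":
    for finding in detect_byovd(SAMPLE_EVENTS):
        print(finding["rule"], "-", finding["detail"])
```

The first two rules each fire on a single event and are the cheapest to deploy; the third needs ordering and a time window, so in a SIEM it becomes a correlation search keyed on the host. Because the driver is signed, signature checks alone will not catch it, which is why the file name (and, in practice, the hash list) is the pivot.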

What then?

BYOVD (Bring Your Own Vulnerable Driver) attacks are popular with attackers who want to deliver malicious payloads “silently”. In these attacks, hackers bring along a completely legitimate driver that carries a valid signature and can run with kernel privileges, and then use it for a purpose it was never intended for: disabling security solutions and taking over the system. A wide range of cybercriminal groups have used this technique for years, from financially motivated gangs to state-backed hacker groups.

In April, Sophos wrote about similar malware developed by another group of attackers. A hacking tool called AuKill let criminals disable EDR solutions by abusing a vulnerable driver belonging to a legitimate third-party program, Process Explorer, and was for a time even used in LockBit attacks.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
