Black Arrow Cyber Advisory - 02 June 2023 – Russian ‘Terminator’ tool uses Vulnerable Windows Drivers to Disable Security Software

Executive summary

CrowdStrike have revealed a new cyber security threat, labelled “Terminator”, which has the capability of stopping antivirus, endpoint detection and response (EDR) and extended detection and response (XDR) solutions. This allows additional malicious software or actions to be used without being stopped or detected. While the tool does require local admin privileges to be effective, a substantial number of organisations still allow employees to retain these privileges, and these privileges likely exist on personally-owned devices that are being used for corporate activities as part of Bring Your Own Device (BYOD) schemes. The tool is being sold on Russian hacking forums for as little as $300 for a single bypass.

What’s the risk to me or my business?

Terminator requires the target user to first have local administrative privileges and then to allow the tool to run by accepting the User Account Control (UAC) prompt. Once running, the tool drops a legitimately signed Zemana anti-malware kernel driver into the C:\Windows\System32\drivers\ folder. Next, the tool terminates any processes created by anti-virus (AV) or endpoint detection and response (EDR) software. From here, the organisation's AV and/or EDR is disabled, allowing the malicious actor to run additional software or exploits without being stopped or detected, significantly increasing the risk to the confidentiality, integrity and/or availability of data held by the organisation that is accessible from the device.

What can I do?

Currently, only Elastic Security identifies the driver files used by Terminator; at present, no other AV or EDR is able to detect it. No patches or updates have been released, and organisations are advised to block the signing certificate of the Zemana Anti-Malware driver used by Terminator.
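As an added defensive example (not part of the advisory, and not a CrowdStrike or Elastic tool), the following PowerShell audit script lists every kernel driver file in the System32\drivers folder, reads its Authenticode signer, and flags any driver whose certificate Subject matches a publisher your team has decided to block. It assumes the abused Zemana driver carries a signer Subject containing the string "Zemana"; the exact Subject or thumbprint to match, and the driver file name, are not given in the advisory and should be confirmed from your own EDR or VirusTotal telemetry before the values are used in an enforcement rule.

```powershell
# Added example (not from the advisory): audit kernel drivers on a Windows host and
# flag any whose Authenticode signer matches a publisher of interest.
# ASSUMPTION: the Zemana driver's certificate Subject contains "Zemana". Replace the
# entries in $SuspectPublishers with the Subject/thumbprint your team has confirmed.
param(
    [string[]]$SuspectPublishers = @('Zemana'),                    # assumed substring match
    [string]$DriverDir = "$env:SystemRoot\System32\drivers"
)

# Index registered kernel-driver services by file name so a flagged file can be tied
# to whether the driver is actually loaded (Win32_SystemDriver.PathName uses several
# path prefixes such as \SystemRoot\ or \??\C:\, so match on file name only).
$registered = @{}
Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
    if ($_.PathName) {
        $name = [System.IO.Path]::GetFileName($_.PathName).ToLower()
        $registered[$name] = $_
    }
}

$findings = foreach ($file in Get-ChildItem -Path $DriverDir -Filter '*.sys' -File -ErrorAction SilentlyContinue) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    foreach ($pub in $SuspectPublishers) {
        if ($subject -like "*$pub*") {
            $svc = $registered[$file.Name.ToLower()]
            [pscustomobject]@{
                File       = $file.FullName
                Signer     = $subject
                Thumbprint = $sig.SignerCertificate.Thumbprint   # value to feed into a signer deny rule
                SigStatus  = $sig.Status        # 'Valid' is expected: the abused driver is legitimately signed
                Created    = $file.CreationTime # a recent driver you never deployed is the real signal
                Loaded     = if ($svc) { $svc.State } else { 'not registered' }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero exit lets a scheduled task or EDR custom-script check raise an alert
} else {
    Write-Output "No drivers signed by '$($SuspectPublishers -join ', ')' found in $DriverDir"
    exit 0
}
```

Run it from an elevated PowerShell session (reading the drivers folder and driver service state needs administrator rights). A hit with a Valid signature status is not a false positive: the whole point of the technique is that the driver is properly signed, so the decision to block rests on whether your organisation ever deployed that publisher's driver. The Thumbprint and Signer values the script reports are what you would place in your application-control (WDAC or AppLocker) signer deny rule to implement the certificate block the advisory recommends.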

Users should be educated not to run software that they do not trust, and, where possible, local administrator privileges should not be granted to end users, to help prevent this and other similar attacks from succeeding.

Further details can be found here:

https://www.techspot.com/news/98906-terminator-tool-uses-vulnerable-windows-driver-kill-almost.html

VirusTotal results can be found here: https://www.virustotal.com/gui/file/543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91

Need help understanding your gaps, or just want some advice? Get in touch with us: https://www.blackarrowcyber.com/contact

#threatadvisory #threatintelligence #cybersecurity
