Newscast

CrowdStrike unveils the “Terminator” tool that can bypass the most popular malware protection apps

By Nik

June 01, 2023

Andrew Harris, Global Senior Director at the cybersecurity company CrowdStrike, recently unveiled new information about a new Endpoint Detection and Response (EDR) evasion tool named “Terminator.” The tool has been gaining popularity on the Russian Anonymous Marketplace (RAMP), where it is promoted by a threat actor using the handle “Spyboy.” The campaign appears to have started around May 21, raising concerns in the cybersecurity community.

The author behind the alias “Spyboy” claims that the Terminator tool can neutralize twenty-three EDR and antivirus controls, including the most popular malware protection applications from Microsoft, Sophos, CrowdStrike, AVG, Avast, ESET, Kaspersky, McAfee, BitDefender, Malwarebytes, and others. With prices ranging from $300 for a single bypass to $3,000 for an all-in-one bypass, the tool is being promoted as a powerful weapon against endpoint protection products.

CrowdStrike has analyzed the Terminator EDR evasion tool. They discovered that the software drops a legitimately signed Zemana Anti-Malware driver file, and the known vulnerability in that driver, tracked as CVE-2021-31728, is what the tool exploits. It is worth noting, however, that running the Terminator tool requires elevated privileges (run as administrator). What is surprising is that of the 70 vendors on VirusTotal, only Elastic identified the file as malicious; the rest failed to do so.

Andrew Harris also said that the Terminator tool uses the Bring Your Own Vulnerable Driver (BYOVD) technique that threat actors commonly employ. Once the Terminator software is started with administrative privileges, the binary writes a legitimate, signed driver file (Zemana Anti-Malware) to the C:\Windows\System32\drivers\ directory. The driver file is given a random name of 4 to 10 characters, such as zamguard64.sys or zam64.sys. The driver is signed by “Zemana Ltd” and can be identified by the following certificate thumbprint: 96A7749D856CB49DE32005BCDD8621F38E2B4C05.

Once the Terminator software has written the driver file to the system, it loads the driver and terminates user-mode processes associated with antivirus and EDR software.
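The two facts above (a Zemana-signed driver with a short random name dropped into the drivers directory, then loaded) are enough for a simple hunt on an endpoint. The PowerShell below is an added example written for this article, not CrowdStrike's tooling or anything from the tool's author: it enumerates the `.sys` files in the drivers directory, checks each file's Authenticode signer against the thumbprint and signer name reported above, and correlates matches with the kernel driver services Windows knows about so you can tell "written to disk" from "actually loaded." The 4-to-10-character name check is a heuristic taken from the article's description, not a reliable indicator on its own, and the script assumes it is run from an elevated PowerShell session.

```powershell
# Added example (not from the article, CrowdStrike, or the tool's author):
# hunt for the Zemana-signed driver described above and report whether it is loaded.
# Thumbprint, signer, directory and name-length range come from the article.
# Run from an elevated PowerShell session.

$KnownThumbprint = '96A7749D856CB49DE32005BCDD8621F38E2B4C05'   # reported in the article
$DriverDir       = Join-Path $env:SystemRoot 'System32\drivers'  # C:\Windows\System32\drivers

# Build a lookup of kernel driver services by image file name, so a file on disk
# can be matched to the service that loads it (Win32_SystemDriver is a standard WMI class).
$driverServices = @{}
Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
    if ($_.PathName) {
        $leaf = (Split-Path -Path $_.PathName -Leaf).ToLowerInvariant()
        $driverServices[$leaf] = $_
    }
}

$findings = foreach ($file in Get-ChildItem -Path $DriverDir -Filter '*.sys' -File) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $cert = $sig.SignerCertificate
    if (-not $cert) { continue }   # unsigned files are not the pattern described here

    $thumbMatch   = ($cert.Thumbprint -eq $KnownThumbprint)
    $subjectMatch = ($cert.Subject -match 'Zemana')   # catches other Zemana-signed builds
    if (-not ($thumbMatch -or $subjectMatch)) { continue }

    $svc = $driverServices[$file.Name.ToLowerInvariant()]

    [PSCustomObject]@{
        File            = $file.FullName
        Written         = $file.LastWriteTime
        # Heuristic only: the article says the dropped name is 4 to 10 characters long.
        ShortRandomName = ($file.BaseName.Length -ge 4 -and $file.BaseName.Length -le 10)
        Signer          = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        ExactThumbprint = $thumbMatch
        SignatureStatus = $sig.Status          # Valid even when the driver is abusable
        Service         = if ($svc) { $svc.Name } else { '<no service>' }
        Loaded          = [bool]($svc -and $svc.State -eq 'Running')
    }
}

if ($findings) {
    $findings | Format-List
} else {
    "No Zemana-signed drivers found in $DriverDir"
}
```

Note that `SignatureStatus` will typically read `Valid` for this driver; the signature is genuine, which is exactly why a signature check alone does not catch BYOVD abuse, and why the thumbprint (or a vendor blocklist such as Microsoft's vulnerable driver blocklist) is the useful pivot. A file that matches but has no service entry was dropped and not (yet) loaded, or was loaded through a service that has since been removed; a match with `Loaded = True` on a host that does not run Zemana products warrants immediate investigation.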

During a demonstration, the company showcased the Terminator tool’s effectiveness by successfully disabling CrowdStrike Falcon EDR.

The emergence of the Terminator tool and its promotion by Spyboy on the Russian Anonymous Marketplace raises concerns within the cybersecurity community. To protect their systems, administrators are advised to keep their security measures continuously updated and to leverage proactive threat intelligence in order to combat evolving threats.