Security alert enrichment: Terminator endpoint defense evasion tool

CrowdStrike has shared a situational awareness alert on Reddit that details the emergence of a new endpoint defense evasion tool called “Terminator.” The relevant details of this threat alert have been included below:

“On May 21, 2023, an online persona named spyboy began advertising an endpoint defense evasion tool for the Windows operating system via the Russian-language forum Ramp. The author claims that the software — seen in a demonstration video as being titled “Terminator” — can bypass twenty three (23) EDR and AV controls. At time of writing, spyboy is pricing the software from $300 USD (single bypass) to $3,000 USD (all-in-one bypass).

…At time of writing, the Terminator software requires administrative privileges and User Account Controls (UAC) acceptance to properly function. Once executed with the proper level of privilege, the binary will write a legitimate, signed driver file — Zemana Anti-Malware — to the C:\Windows\System32\drivers\ folder. The driver file is given a random name between 4 and 10 characters. An example of this driver file can be found on VirusTotal here.

This technique is similar to other Bring Your Own Driver (BYOD) campaigns observed being used by threat actors over the past several years.

Under normal circumstances, the driver would be named zamguard64.sys or zam64.sys. The driver is signed by “Zemana Ltd.” and has the following thumbprint: 96A7749D856CB49DE32005BCDD8621F38E2B4C05.

Once written to disk, the software loads the driver and has been observed terminating the user-mode processes of AV and EDR software.

…As the Zemana Anti-Malware driver is not overly common, it becomes a good target for hunting. Please note: the presence of the Zemana Anti-Malware driver in your environment is not necessarily indicative of the presence of the spyboy defense evasion tool, rather, it is a point of investigation to determine if the use of the driver is legitimate.”

What this means

This activity is part of a larger trend of threat actors abusing vulnerable signed drivers by software vendors for evading security controls, and is commonly referred to as “bring your own vulnerable driver.” A version of this particular driver has already been detailed by the LOLDrivers project, which attempts to catalog known vulnerable drivers that can be abused.

EDR bypasses aren’t new, and we expect to see their rise in use continue. It’s increasingly crucial to establish multiple layers of defense to promptly detect any malicious activities targeting your organization.

At a minimum, it’s advisable to incorporate detection technologies, retain valuable source logs such as DNS and proxy data for at least one year, and have immediate – and automatic – capabilities to detect and respond to advanced threats like EDR bypasses or supply chain attacks.

Alert enrichment

Stairwell has already deployed detections for all customers on the Stairwell platform, searching through environments for the original file outlined in the CrowdStrike report. The Stairwell platform’s AI-powered variant discovery has also identified 8 potential variants of the original file among the more than 500 million unique files in our corpus. The Stairwell threat research team is currently investigating the following:

ff113339f97e4511a3e49fd2cc4bc1a80f69a9e57e090644271fafb803f25408

877432336a2f178e956f436229f4c147b2909e9f3f5b5be2a2c6da132c67d15e

4937926fa892611da4d190b0e5174db83b6b1fa4ff4fe2ca8bd930db1c020fe6

4710886983bd59b9b0668eda38371f46064affad40a954301f8f2662bdfc744b

c5f916a450e7e3eb6f16ed7ba6d024848544c608a76bfe3beb582cbaaeb74b4e

66afdda05693c8a5bced85a7233a931f05f5908430d41d0d84bf051f474fa9c8

6f55c148bb27c14408cf0f16f344abcd63539174ac855e510a42d78cfaec451c

9c394dcab9f711e2bf585edf0d22d2210843885917d409ee56f22a4c24ad225e

In the event that any Stairwell customers are affected, they will immediately receive notifications regarding the presence of any relevant indicators of compromise (IOCs) that are currently in their environment – or have ever been since becoming a Stairwell user – so that they can quickly locate, remediate, and better understand the impact without needing to wait for hours, days, or weeks.

Public YARA rules

rule Stairwell_Spyboy_Terminator_Zemana_Driver_01 {

  meta:

    author = "Daniel Mayer ([email protected])"

    description = "Detects the vulnerable Zemana driver used by the Terminator EDR killer"

    SHA256_1 = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91"

    version = "1.0"

    date = "2023-05-31"

  strings:

    // pool creation in IOCTL 0x80002040

    $pool_creation = {

        BA 34 08 00 00    // mov     edx, 834h ; Number of Bytes

        [1-4]             // <set pool type to unpaged pool>

        41 B8 5A 4D 4E 41 // mov     r8d, 414E4D5Ah  ; Pool tag of 'ANMZ'

        FF                // call    <ExAllocatePoolWithTag> 

        }

    $debug1 = "Calling Driver Object 0x%I64x Scsi Dispatc"

    $debug2 = "Can not allocate unicode string for key path"

  condition:

    all of them

}

rule Stairwell_Spyboy_Terminator_Zemana_Driver_02 {

  meta:

    author = "Chris St. Myers ([email protected] )"

    description = "Detects the PDB path and Certificate of the vulnerable Zemana driver used by the Terminator EDR killer"

    SHA256_1 = "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91"

    version = "1.0"

    date = "2023-05-31"

  strings:

    $cert = {02 10 23 0F D3 64 B4 69 09 1B 8A 44 40 14 5E 18}

    $pdb_64 = "AntiMalware\\bin\\zam64.pdb"

    $pdb_64_2 = "AMSDKCore\\Driver\\zam64.pdb"

    $pdb_32 = "AntiMalware\\bin\\zam32.pdb"

  condition:

    int16(uint32(60) + 92) == 1 and any of ($pdb_*) and $cert

}