Reddit spyware terminator
1/7/2024

Andrew Harris, who is the Global Senior Director at CrowdStrike, has shared details about "Terminator", an Endpoint Detection and Response (EDR) killing tool that is being promoted by a threat actor named "Spyboy" over on the Russian Anonymous Marketplace (RAMP).

The campaign seemingly started last month, around May 21. The author, Spyboy, claims that this Terminator tool is able to successfully disable twenty-three EDR and anti-virus controls. These include products from Microsoft, Sophos, CrowdStrike, AVG, Avast, ESET, Kaspersky, McAfee, BitDefender, Malwarebytes, and more. The software is being sold at US$300 (single bypass) to US$3,000 (all-in-one bypass).

CrowdStrike notes that the Terminator EDR evasion tool generates a legitimate, signed driver file, Zemana Anti-Malware, that is being used to potentially exploit a security vulnerability tracked under ID "CVE-2021-31728". However, it does require elevated privileges and User Account Control (UAC) acceptance. Only Elastic detects the file as malicious, whereas the file is undetected by 70 other vendors according to VirusTotal.

Harris says that the tool works in a way similar to how Bring Your Own Vulnerable Driver (BYOVD) disables security components present on the system:

At time of writing, the Terminator software requires administrative privileges and User Account Controls (UAC) acceptance to properly function. Once executed with the proper level of privilege, the binary will write a legitimate, signed driver file - Zemana Anti-Malware - to the C:\Windows\System32\drivers\ folder. The driver file is given a random name between 4 and 10 characters. This technique is similar to other Bring Your Own Driver (BYOD) campaigns observed being used by threat actors over the past several years. Under normal circumstances, the driver would be named zamguard64.sys or zam64.sys. The driver is signed by "Zemana Ltd." and has the following thumbprint: 96A7749D856CB49DE32005BCDD8621F38E2B4C05.
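The indicators Harris describes (a Zemana-signed driver dropped into the drivers folder under a random 4-10 character name instead of zam64.sys or zamguard64.sys) can be turned into a simple hunting check. The script below is an added example, not CrowdStrike's or the post's code; it assumes driver-load records shaped like Sysmon Event ID 6 (ImageLoaded, Signature, SignatureStatus) and runs over constructed sample records.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the post: the names Zemana itself ships the driver under,
# the signer name, and the folder Terminator writes the renamed copy into.
EXPECTED_ZEMANA_NAMES = {"zam64.sys", "zamguard64.sys"}
ZEMANA_SIGNER = "Zemana Ltd."
DRIVERS_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")
# Terminator gives the dropped driver a random 4-10 character name.
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{4,10}\.sys$", re.IGNORECASE)


def is_suspicious_zemana_load(event: dict) -> bool:
    """True when a Zemana-signed driver loads under a name Zemana does not ship."""
    if event.get("Signature") != ZEMANA_SIGNER:
        return False
    path = PureWindowsPath(event.get("ImageLoaded", ""))
    name = path.name.lower()
    if name in EXPECTED_ZEMANA_NAMES:
        # A normally named Zemana driver is not, by itself, the Terminator pattern.
        return False
    # PureWindowsPath compares case-insensitively, matching NTFS behaviour.
    return path.parent == DRIVERS_DIR and bool(RANDOM_NAME_RE.match(name))


def flag_events(events):
    """Return the ImageLoaded paths of every record matching the Terminator pattern."""
    return [e["ImageLoaded"] for e in events if is_suspicious_zemana_load(e)]


# Constructed sample records (not real telemetry), shaped like Sysmon Event ID 6 fields.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\zam64.sys",
     "Signature": "Zemana Ltd.", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\qxkrtm.sys",   # random-name drop
     "Signature": "Zemana Ltd.", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\zamguard64.sys",
     "Signature": "Zemana Ltd.", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print("suspicious Zemana-signed driver load:", hit)
```

The signer-name match stands in for the certificate thumbprint quoted in the post, which Sysmon does not record; where your telemetry carries the thumbprint, compare against 96A7749D856CB49DE32005BCDD8621F38E2B4C05 instead.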