Vulnerable Windows driver in disguise

Terminator antivirus killer is a vulnerable Windows driver in disguise

@ndma @ducklah 02 Jun 2023

Description

On May 21, 2023, an online persona named Spyboy began advertising an endpoint defense evasion tool for the Windows operating system via the Russian-language forum Ramp. The author claims that the software — seen in a demonstration video as being titled “Terminator” — can bypass twenty-three (23) EDR and AV controls. At the time of writing, Spyboy is pricing the software from $300 USD (single bypass) to $3,000 USD (all-in-one bypass).

Technical Details

Terminator requires administrative privileges and acceptance of the User Account Control (UAC) prompt to function. Once executed with that level of privilege, the binary writes a legitimate, signed driver file — the Zemana Anti-Malware driver — to the C:\Windows\System32\drivers\ folder. The driver file is given a random name of between 4 and 10 characters. An example of this driver file is available on VirusTotal.

This technique is similar to other Bring Your Own Driver (BYOD) campaigns that threat actors have been observed using over the past several years.

Under normal circumstances, the driver would be named zamguard64.sys or zam64.sys. The driver is signed by “Zemana Ltd.” and has the following thumbprint: 96A7749D856CB49DE32005BCDD8621F38E2B4C05.

Once written to disk, the software loads the driver and has been observed terminating the user-mode processes of AV and EDR software.
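As an added example (not part of the advisory), the following Python turns the indicators above into detection logic over driver-load telemetry: a load of the Zemana driver is identified by the signer thumbprint quoted here, and the finding is escalated when the file name is neither zam64.sys nor zamguard64.sys and looks like the 4-10 character random name Terminator uses. The record fields and sample events are constructed, and the thumbprint on the Microsoft driver is a placeholder, not a real value.

```python
import re
from dataclasses import dataclass

# Values quoted in the advisory: signer thumbprint and the driver's legitimate file names.
ZEMANA_THUMBPRINT = "96A7749D856CB49DE32005BCDD8621F38E2B4C05"
LEGITIMATE_NAMES = {"zam64.sys", "zamguard64.sys"}
DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"
# Terminator drops the driver under a random 4-10 character name.
RANDOM_NAME = re.compile(r"^[a-z0-9]{4,10}\.sys$")


@dataclass(frozen=True)
class DriverLoad:
    """One driver-load record. Field names are assumptions, not a specific product's schema."""
    image: str       # full path of the loaded driver
    signer: str      # subject name of the Authenticode signer
    thumbprint: str  # SHA-1 thumbprint of the signing certificate


def assess(event: DriverLoad) -> list[str]:
    """Return the reasons a driver load matches the Terminator pattern (empty if none)."""
    path = event.image.lower()
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if event.thumbprint.upper() != ZEMANA_THUMBPRINT:
        return reasons  # not the abused driver; nothing to report
    reasons.append("known-vulnerable Zemana driver loaded")
    if name not in LEGITIMATE_NAMES:
        reasons.append(f"driver renamed from expected {sorted(LEGITIMATE_NAMES)} to {name}")
        if path.startswith(DRIVERS_DIR) and RANDOM_NAME.match(name):
            reasons.append("random-looking 4-10 character name in System32\\drivers")
    return reasons


def triage(events) -> dict[str, list[str]]:
    """Map each suspicious image path to its reasons, skipping benign loads."""
    return {e.image: r for e in events if (r := assess(e))}


# Constructed sample telemetry (not real logs): a benign Microsoft driver, the Zemana driver
# under its legitimate name, and the same driver dropped under a random 5-character name.
SAMPLE_EVENTS = [
    DriverLoad(r"C:\Windows\System32\drivers\tcpip.sys", "Microsoft Windows",
               "0000000000000000000000000000000000000000"),  # placeholder thumbprint
    DriverLoad(r"C:\Windows\System32\drivers\zam64.sys", "Zemana Ltd.", ZEMANA_THUMBPRINT),
    DriverLoad(r"C:\Windows\System32\drivers\qx7pk.sys", "Zemana Ltd.", ZEMANA_THUMBPRINT),
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```

A legitimate load of zam64.sys still surfaces as a single low-severity reason, since the driver itself is the abused component; the renamed copy carries all three.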

Reference

https://www.reddit.com/r/crowdstrike/comments/13wjrgn/20230531_situational_awareness_spyboy_defense/

https://github.com/magicsword-io/LOLDrivers/blob/main/detections/sigma/driver_load_win_vuln_drivers.yml

https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/