In the ever-evolving landscape of cyber threats, security tools are constantly being targeted by malicious actors. A perfect example of this is the "Terminator", an antimalware killer promoted by a threat actor known as Spyboy. This tool, advertised on a Russian-speaking hacking forum, claims to terminate any antivirus, XDR, and EDR platform, bypassing 24 different security solutions, including Windows Defender, on devices running Windows 7 and later.
However, upon closer inspection, the Terminator tool is not an invincible threat. Because it uses the same mechanism as other Bring Your Own Vulnerable Driver (BYOVD) attacks, the Terminator tool can be prevented with an endpoint security management and secure access solution such as OPSWAT MetaDefender Access. Among the endpoint compliance checks MetaDefender Access performs are whether antimalware tools are running and whether the endpoint device has been scanned.

How the Terminator Anti-Virus Killer Operates
At its core, the tool installs a vulnerable driver on the affected endpoint and exploits that vulnerability. To operate, Terminator requires administrative privileges on the targeted Windows system. It first deceives the user into accepting a User Account Control (UAC) prompt, which gives it the administrative privileges needed to install a legitimate, signed anti-malware kernel driver into the system folder. The tool then exploits the flaw in that driver to act with kernel-level privileges and terminate the user-mode processes of the AV and EDR software running on the device.
This type of attack, known as a Bring Your Own Vulnerable Driver (BYOVD) attack, is prevalent among threat actors. Terminator is not the only recent BYOVD attack. The recent BlackByte ransomware attack followed the same pattern, abusing a faulty driver to gain high-level privileges. Another attack, in Q3 2022, abused Genshin Impact’s anti-cheat driver to kill anti-virus programs. All of these attacks point to a worrying reality: even a legitimately signed driver cannot be trusted unconditionally.
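The operating pattern described above (a signed driver loads, and moments later the security products' user-mode processes die) is also the pattern a defender can look for. The following Python script is an added illustration, not OPSWAT's code or anything from the Terminator tool: it runs two checks over a constructed, Sysmon-style event list, a hash denylist lookup and a behavioural correlation of driver loads with subsequent terminations of security processes. The event field names, the security-process names and the denylist hash are assumptions made for this example; the hash is a placeholder, not a real indicator.

```python
"""Behavioural detection for the BYOVD pattern described above.

Added illustration (not OPSWAT's or the Terminator tool's code). Input is a
list of constructed, Sysmon-style events; field names and the denylist hash
are assumptions for this example.
"""
from datetime import datetime, timedelta

# Assumed denylist of SHA-256 hashes of known-vulnerable signed drivers.
# The value below is a placeholder, not a real indicator.
VULNERABLE_DRIVER_SHA256 = {"PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"}

# Constructed list of security-product process names an AV/EDR killer targets.
SECURITY_PROCESSES = {"msmpeng.exe", "edr_agent.exe", "xdr_sensor.exe"}

KILL_WINDOW = timedelta(seconds=30)  # how soon after a driver load kills must occur
MIN_KILLS = 2                         # how many security processes must die to alert


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_byovd(events):
    """Return one alert per DriverLoad event that is either on the denylist or
    followed within KILL_WINDOW by termination of MIN_KILLS security processes.

    The second rule is the important one: Terminator's driver is legitimately
    signed and sits in the system driver folder, so signature and path checks
    alone do not catch it; the tell-tale is what happens right after it loads.
    """
    events = sorted(events, key=_ts)
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] != "DriverLoad":
            continue
        reasons = []
        if ev.get("sha256") in VULNERABLE_DRIVER_SHA256:
            reasons.append("driver hash is on the vulnerable-driver denylist")
        killed = []
        for later in events[i + 1:]:
            if _ts(later) - _ts(ev) > KILL_WINDOW:
                break  # events are sorted, so nothing later can be in the window
            if (later["type"] == "ProcessTerminate"
                    and later["image"].lower() in SECURITY_PROCESSES):
                killed.append(later["image"])
        if len(killed) >= MIN_KILLS:
            reasons.append(f"{len(killed)} security processes terminated within "
                           f"{int(KILL_WINDOW.total_seconds())}s of driver load")
        if reasons:
            alerts.append({"time": ev["time"], "driver": ev["image"],
                           "signed": ev.get("signed"), "killed": killed,
                           "reasons": reasons})
    return alerts


# Constructed sample timeline: a benign driver load, a signed driver whose hash
# is unknown but which is followed by AV/EDR process kills, and a load of a
# driver on the denylist with no kills (e.g. the exploit step failed).
SAMPLE_EVENTS = [
    {"time": "2023-06-01T09:00:00", "type": "DriverLoad",
     "image": r"C:\Windows\System32\drivers\printer.sys",
     "sha256": "aaaa1111", "signed": True},
    {"time": "2023-06-01T09:00:05", "type": "ProcessTerminate", "image": "notepad.exe"},
    {"time": "2023-06-01T10:15:00", "type": "DriverLoad",
     "image": r"C:\Windows\System32\drivers\legit_av_driver.sys",
     "sha256": "bbbb2222", "signed": True},
    {"time": "2023-06-01T10:15:02", "type": "ProcessTerminate", "image": "MsMpEng.exe"},
    {"time": "2023-06-01T10:15:03", "type": "ProcessTerminate", "image": "edr_agent.exe"},
    {"time": "2023-06-01T11:00:00", "type": "DriverLoad",
     "image": r"C:\Windows\System32\drivers\old_av_driver.sys",
     "sha256": "PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER", "signed": True},
]

if __name__ == "__main__":
    for alert in detect_byovd(SAMPLE_EVENTS):
        print(alert["time"], alert["driver"], "->", "; ".join(alert["reasons"]))
```

The sample timeline shows why the behavioural rule matters: the second driver is signed, lives in the system driver folder and has a hash nobody has blocklisted yet, so only the burst of security-process terminations right after its load gives it away. In a real deployment the events would come from the EDR or Sysmon pipeline rather than an inline list, and the window and threshold would be tuned to the environment.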
MetaDefender Access: The Most Comprehensive ZTNA Solution
To combat such emerging threats, it's crucial to employ a solution that can monitor and control the security posture of all devices before they can access sensitive applications.
By deploying a solution like MetaDefender Access, organizations can proactively monitor and control the security posture of their devices. This can help detect seemingly legitimate tools like Terminator before they cause harm, ensuring that all devices maintain the required security controls and compliance standards. MetaDefender Access can also monitor whether your antimalware tools are running properly and whether the endpoint device has been scanned.
In addition, MetaDefender Access offers a Network Access Control (NAC) solution that ensures every network connection and endpoint device is visible and is allowed or blocked appropriately in real time. With MetaDefender NAC, the threat associated with security incidents like the Terminator can be reduced substantially.
MetaDefender NAC provides agentless identification, profiling, and access control for all devices connecting to a network. It pulls information from in-line network devices, existing identity access management tools, and the device itself.
With MetaDefender Access, you get real-time discovery of new users and devices, compliance checks to verify that devices meet corporate and regulatory standards, bi-directional security tool integration for quick reactions and real-time quarantines for severe alerts, and much more. The solution also provides device intelligence through agentless and agent-based analysis and can act on alerts from third-party security tools to isolate systems.
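To make the compliance-check idea concrete, here is an added Python example of an endpoint posture evaluation of the kind described above. It is not OPSWAT's code or policy: the device record layout, the thresholds (scan within 7 days, signatures under 3 days old) and the decision names are assumptions for this illustration. It shows the posture footprint an AV/EDR killer leaves behind (agent not running, real-time protection off) being turned into a quarantine decision, and flags the transition from a compliant report to a failing one, which is the signal a real-time monitor would act on.

```python
"""Endpoint posture check of the kind described above, as an added example.

Not OPSWAT's code or policy: the record layout, thresholds and decision
names are assumptions for this illustration.
"""
from datetime import datetime, timedelta

MAX_SCAN_AGE = timedelta(days=7)        # assumed policy: full scan within a week
MAX_SIGNATURE_AGE = timedelta(days=3)   # assumed policy: definitions under 3 days old


def _age(now, iso_timestamp):
    if iso_timestamp is None:
        return None
    return now - datetime.fromisoformat(iso_timestamp)


def evaluate_posture(device, now):
    """Return (decision, failures).

    decision: 'allow'      - all checks pass
              'restrict'   - only non-critical failures; remediation access only
              'quarantine' - a critical failure (antimalware missing or stopped)
    failures: list of (severity, message)
    """
    failures = []
    av = device.get("antimalware")
    if not av:
        failures.append(("critical", "no antimalware product reported"))
    else:
        if not av.get("running"):
            failures.append(("critical", "antimalware process not running"))
        if not av.get("real_time_protection"):
            failures.append(("critical", "real-time protection disabled"))
        scan_age = _age(now, av.get("last_scan"))
        if scan_age is None or scan_age > MAX_SCAN_AGE:
            failures.append(("major", "no completed scan within the last 7 days"))
        sig_age = _age(now, av.get("signatures_updated"))
        if sig_age is None or sig_age > MAX_SIGNATURE_AGE:
            failures.append(("major", "malware signatures out of date"))

    severities = {sev for sev, _ in failures}
    if "critical" in severities:
        return "quarantine", failures
    if failures:
        return "restrict", failures
    return "allow", failures


def newly_failed(previous_failures, current_failures):
    """Checks that passed in the previous posture report but fail now.

    A device that was compliant minutes ago and now reports its antimalware
    process gone is exactly the footprint of a tool like Terminator, so this
    transition is worth alerting on separately from the steady-state decision.
    """
    before = {msg for _, msg in previous_failures}
    return [msg for _, msg in current_failures if msg not in before]


# Constructed sample records: the same laptop before and after its AV/EDR
# agent was killed, plus a device whose only problem is a stale scan.
NOW = datetime(2023, 6, 1, 12, 0, 0)
LAPTOP_HEALTHY = {"antimalware": {"running": True, "real_time_protection": True,
                                  "last_scan": "2023-05-30T02:00:00",
                                  "signatures_updated": "2023-06-01T06:00:00"}}
LAPTOP_AFTER_KILL = {"antimalware": {"running": False, "real_time_protection": False,
                                     "last_scan": "2023-05-30T02:00:00",
                                     "signatures_updated": "2023-06-01T06:00:00"}}
LAPTOP_STALE_SCAN = {"antimalware": {"running": True, "real_time_protection": True,
                                     "last_scan": "2023-05-10T02:00:00",
                                     "signatures_updated": "2023-06-01T06:00:00"}}

if __name__ == "__main__":
    for name, dev in [("healthy", LAPTOP_HEALTHY), ("after_kill", LAPTOP_AFTER_KILL),
                      ("stale_scan", LAPTOP_STALE_SCAN)]:
        decision, failures = evaluate_posture(dev, NOW)
        print(name, decision, failures)
```

The design choice worth noting is the two-tier outcome: a stale scan only restricts the device to remediation resources, whereas a stopped antimalware agent isolates it, because the latter is what an AV/EDR killer produces and leaving such a device on the network is what the attacker needs next.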
For more information about our solution, contact our security experts.