SharpTerminator
The Terminator tool, along with its variants such as SharpTerminator and Ternimator, belongs to a class of attacks known as Bring Your Own Vulnerable Driver (BYOVD). This strategy involves loading a legitimate but vulnerable driver and abusing it to bypass security measures, terminate antivirus and EDR processes, and carry out malicious activity without detection.
The Persistent Threat of the Terminator Tool
The Terminator tool represents a significant threat because of its ability to disable security solutions, which in turn facilitates a range of malicious activities, from deploying additional malware to extensive system compromise and operational disruption. The tool relies on the Bring Your Own Vulnerable Driver (BYOVD) technique, exploiting vulnerabilities in legitimate drivers to bypass security measures.
Technical Sophistication and Risk Estimation Challenges
Estimating the risk posed by the Terminator toolkit is complex because of several variables: the evolving nature of the toolkit, the diversity and operational scale of the threat actors employing it, and the range of potential targets. The exact success rate of Terminator in compromising organizations is difficult to quantify. However, its technical sophistication, coupled with the increasing popularity of BYOVD techniques among threat actors, suggests a growing threat.
The Evolution and Variants of Terminator
Since its initial release, multiple variants of the Terminator tool have been developed, including open-source versions and those written in different programming languages such as C# (SharpTerminator) and Nim (Ternimator). These variants aim to reproduce the original technique or offer cross-platform support, potentially circumventing static detections or heuristic models.
Real-World Attacks and Implications
The use of the Terminator tool and its variants in real-world attacks has been documented, including a notable attack on a healthcare organization on December 15, 2023. In this attack, the perpetrators attempted to execute a PowerShell command to download a text file from a C2 server, which was designed to install the XMRig cryptominer on the targeted system.
Common techniques used by attackers to abuse the Terminator tool:
1. Exploiting Legitimate but Vulnerable Drivers
Attackers implant a legitimate but vulnerable driver into a targeted system and then exploit that driver to perform malicious actions. This is the core principle of BYOVD attacks: the Terminator tool leverages vulnerabilities in drivers such as zam64.sys (Zemana Anti-Logger) or zamguard64.sys (Zemana Anti-Malware) to gain kernel privileges and execute attacker-provided code in kernel context.
2. Kernel-Level Privilege Escalation
Successful exploitation allows attackers to achieve kernel-level privilege escalation, granting them the highest level of access to and control over system resources. This escalated privilege is used to disable endpoint security software or evade its detection, enabling attackers to carry out malicious activities without obstruction.
3. Disabling Security Solutions
Once endpoint security defenses are compromised, attackers are free to disable antivirus and Endpoint Detection and Response (EDR) processes, deploy additional malware, or perform other malicious activities without detection. The Terminator tool specifically targets and terminates processes associated with security solutions, effectively blinding them to the ongoing attack.
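The chain described in items 1 and 3 above, a known-vulnerable driver being loaded and security processes being terminated shortly afterwards, is something a defender can look for in endpoint telemetry. The following is an added example, not code from the page or from any vendor: it correlates driver-load events with security-process terminations over a few constructed, Sysmon-like records. The only identifiers taken from the page are the driver names zam64.sys and zamguard64.sys; the event field names, the list of security process names and the sample events are assumptions made for illustration.

```python
"""Correlate loads of known-abused drivers with subsequent terminations of
security-product processes (BYOVD pattern). Added example with constructed data."""
from datetime import datetime, timedelta

# Driver file names the page associates with the Terminator tool.
# Comparison is by lowercased file name only.
KNOWN_ABUSED_DRIVERS = {"zam64.sys", "zamguard64.sys"}

# Assumption: placeholder image names standing in for whatever security
# products are deployed in a given environment (not a list from the page).
SECURITY_PROCESS_NAMES = {"msmpeng.exe", "edr_agent.exe"}

# Directory where drivers normally live; a load from elsewhere is a second signal.
DRIVER_STORE_PREFIX = r"c:\windows\system32\drivers"

# How long after a suspicious driver load a termination is still considered related.
WINDOW = timedelta(minutes=5)

# Constructed events in a simplified Sysmon-like shape: id 6 = driver loaded,
# id 5 = process terminated. Assumption: field names chosen for this example;
# real Sysmon EVTX/XML fields differ.
SAMPLE_EVENTS = [
    {"time": "2023-12-15T10:00:01", "id": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys"},
    {"time": "2023-12-15T10:03:12", "id": 6, "ImageLoaded": r"C:\Users\Public\zam64.sys"},
    {"time": "2023-12-15T10:03:14", "id": 5, "Image": r"C:\ProgramData\Vendor\edr_agent.exe", "ProcessId": 4312},
    {"time": "2023-12-15T10:03:15", "id": 5, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe", "ProcessId": 2020},
    {"time": "2023-12-15T11:30:00", "id": 5, "Image": r"C:\Windows\notepad.exe", "ProcessId": 999},
]


def basename(path):
    """Lowercased file name, tolerant of either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def find_driver_loads(events):
    """Driver-load events (id 6) whose file name is on the known-abused list."""
    return [e for e in events
            if e["id"] == 6 and basename(e["ImageLoaded"]) in KNOWN_ABUSED_DRIVERS]


def correlate(events, window=WINDOW):
    """For each suspicious driver load, collect security-process terminations
    (id 5) that occur within `window` after it. Returns one alert dict per load."""
    alerts = []
    for load in find_driver_loads(events):
        t0 = parse_time(load["time"])
        killed = [
            basename(e["Image"])
            for e in events
            if e["id"] == 5
            and basename(e["Image"]) in SECURITY_PROCESS_NAMES
            and t0 <= parse_time(e["time"]) <= t0 + window
        ]
        alerts.append({
            "driver": basename(load["ImageLoaded"]),
            "path": load["ImageLoaded"],
            "outside_driver_store": not load["ImageLoaded"].lower().startswith(DRIVER_STORE_PREFIX),
            "terminated": killed,
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"{alert['driver']} loaded from {alert['path']} "
              f"(outside driver store: {alert['outside_driver_store']}); "
              f"security processes terminated within window: {alert['terminated']}")
```

A load of a listed driver is worth an alert on its own, since the driver is legitimate and validly signed and a signature check will not flag it; the correlation with terminations and the non-standard load path are there to raise the severity, not to gate the alert.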
4. Use of IOCTL Codes
The Terminator tool and its variants abuse IOCTL (Input/Output Control) codes to request functionality from the vulnerable driver, such as attempting to terminate targeted processes. This involves sending specific IOCTL codes along with parameters such as the process ID of a running process, steering the driver's behavior to the attacker's advantage.
5. Administrative Privileges and UAC Bypass
To abuse the driver effectively, a threat actor needs administrative privileges and a User Account Control (UAC) bypass, or must convince a user to accept a UAC prompt. This requirement highlights the importance of privilege escalation tactics and social engineering in the successful deployment of the Terminator tool.
6. Evading Detection
Attackers have evolved their techniques to evade detection by security solutions. For example, the Terminator tool attempts to emulate legitimate protocol/file headers to bypass security measures, although this has been met with varying degrees of success. The use of legitimate protocols and services as command-and-control (C&C) servers or communication channels is another tactic for covering their tracks.
7. Leveraging Public Platforms and Protocols
Attackers also use legitimate platforms and protocols, such as instant messengers (IMs) and free email services, to communicate with compromised systems and maintain control over their targets. This blends malicious traffic with legitimate network activity, making detection more challenging.