CrowdStrike researchers have discovered that the Terminator antivirus killer peddled by the threat actor Spyboy has been used to enable Bring Your Own Vulnerable Driver attacks, reports BleepingComputer.
Terminator drops the legitimate Zemana anti-malware kernel driver ("zamguard64.sys" or "zam64.sys") under a random name into the System32 folder; the vulnerable driver is then abused to terminate the user-mode processes of antivirus and endpoint detection and response (EDR) software, a CrowdStrike engineer said in a Reddit post.
Details of how Terminator interacts with the vulnerable Windows driver remain unclear, and only one anti-malware scanning engine has so far detected the driver. YARA and Sigma rules for identifying the driver used by the Terminator tool have, however, been published by Nextron Systems Head of Research Florian Roth and threat researcher Nasreddine Bencherchali.
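The YARA and Sigma rules themselves are not reproduced here. As an added example (not from the article, CrowdStrike, or Nextron), the following Python flags the renaming behaviour described above in driver-load telemetry shaped like Sysmon Event ID 6; the sample events, the signer string, and the System32-root placement check are constructed assumptions, not values from the report.

```python
# Added example, not code from the article or from any of the vendors it cites.
# Detection pass over driver-load records in the style of Sysmon Event ID 6.
# The events below are CONSTRUCTED samples; field names follow Sysmon
# (ImageLoaded, Signature, SignatureStatus). The signer string "Zemana Ltd."
# and the System32-root check are assumptions made for illustration.
import ntpath

# Legitimate file names the article gives for the Zemana driver.
KNOWN_ZEMANA_NAMES = {"zamguard64.sys", "zam64.sys"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\zamguard64.sys",
     "Signature": "Zemana Ltd.", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\System32\qkx8f2.sys",
     "Signature": "Zemana Ltd.", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]


def classify(event):
    """Return the reasons this driver load looks suspicious ([] if none)."""
    path = event["ImageLoaded"]
    name = ntpath.basename(path).lower()
    parent = ntpath.dirname(path).lower()
    signer = event.get("Signature", "").lower()
    reasons = []
    # A validly signed Zemana driver under a name other than the ones it ships
    # with is the renaming behaviour the article attributes to Terminator.
    if "zemana" in signer and name not in KNOWN_ZEMANA_NAMES:
        reasons.append("zemana-signed driver loaded under unexpected name")
    # Third-party drivers normally live in System32\drivers; a non-Microsoft
    # .sys loaded from the System32 root itself is worth a look (assumption).
    if parent.endswith(r"\system32") and "microsoft" not in signer:
        reasons.append("non-microsoft driver loaded from System32 root")
    return reasons


def suspicious_loads(events):
    """Map image path -> reasons for every event that trips at least one check."""
    return {e["ImageLoaded"]: r for e in events if (r := classify(e))}


if __name__ == "__main__":
    for path, reasons in suspicious_loads(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```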
The findings follow the discovery by Sophos X-Ops researchers of the AuKill hacking tool, which exploits a vulnerable Process Explorer driver to enable ransomware distribution.