{"id":24082,"date":"2024-03-04T05:20:54","date_gmt":"2024-03-04T13:20:54","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2024\/03\/04\/news-17812\/"},"modified":"2024-03-04T05:20:54","modified_gmt":"2024-03-04T13:20:54","slug":"news-17812","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/03\/04\/news-17812\/","title":{"rendered":"It&#8217;ll be back: Attackers still abusing Terminator tool and variants"},"content":{"rendered":"<p><strong>Credit to Author: Matt Wixey | Date: Mon, 04 Mar 2024 11:00:08 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>BYOVD (Bring Your Own Vulnerable Driver) is a class of attack in which threat actors drop known vulnerable drivers on a compromised machine and then exploit the bug(s) to gain kernel-level privileges. At this level of access, attackers can accomplish a lot: hide malware, dump credentials, and, crucially, attempt to disable EDR solutions.<\/p>\n<p>Threat actors are spoiled for choice when it comes to choosing vulnerable drivers; as of this writing, there are 364 entries tagged as \u201cvulnerable driver\u201d listed on <a href=\"https:\/\/www.loldrivers.io\/\">loldrivers.io<\/a>, an open-source repository of vulnerable drivers and corresponding signatures and hashes. Perhaps as a result of this, BYOVD attacks \u2013 previously the province of highly sophisticated threat actors \u2013 have become popular amongst ransomware operators and lower-tier attackers in recent years.<\/p>\n<p>In February 2020, for example, we reported on a <a href=\"https:\/\/news.sophos.com\/en-us\/2020\/02\/06\/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software\/\">RobbinHood ransomware campaign<\/a> in which the threat actor abused a legitimate driver signed by a motherboard manufacturer to disable EDR products. 
Since then, we\u2019ve also reported on a <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/10\/04\/blackbyte-ransomware-returns\/\">BlackByte ransomware campaign<\/a> abusing a graphics card driver; a BYOVD campaign in which threat actors <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/12\/13\/signed-driver-malware-moves-up-the-software-trust-chain\/\">leveraged a Windows driver<\/a>; and <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/04\/19\/aukill-edr-killer-malware-abuses-process-explorer-driver\/\">multiple incidents involving AuKill<\/a>, a tool that abuses an outdated Process Explorer driver, and which we\u2019ve observed threat actors use in several ransomware incidents.<\/p>\n<p>Another possible reason for BYOVD becoming popular with lower-tier threat actors is that off-the-shelf kits and tools are now bought and sold on criminal forums. One in particular attracted a significant amount of attention in May 2023, when a threat actor known as <strong>spyboy<\/strong> <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/terminator-antivirus-killer-is-a-vulnerable-windows-driver-in-disguise\/\">advertised a tool called Terminator<\/a> on the Russian-language ransomware forum RAMP. The seller claimed that the tool, priced between $300 USD and $3,000 USD, could disable twenty-four security products.<\/p>\n<h1>Hasta la driver, baby<\/h1>\n<p><a href=\"https:\/\/www.reddit.com\/r\/crowdstrike\/comments\/13wjrgn\/20230531_situational_awareness_spyboy_defense\/\">A 2023 analysis by CrowdStrike<\/a> revealed that Terminator appears to be a BYOVD tool, with the vulnerable driver in question being <strong>zam64.sys<\/strong> (Zemana Anti-Logger) or <strong>zamguard64.sys<\/strong> (Zemana Anti-Malware, or ZAM), published and signed by <a href=\"https:\/\/zemana.com\/us\/antimalware.html\">Zemana<\/a>. 
Both drivers share almost the same code base.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-953867\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image1.png\" alt=\"A side-by-side comparison of two screenshots of decompiled code\" width=\"640\" height=\"452\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image1.png 796w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image1.png?resize=300,212 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image1.png?resize=768,542 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 1: Comparing decompiled disassembly code of both Zemana drivers reveals almost the same code base<\/em><\/p>\n<p>Both drivers also contain the same vulnerability, an insufficient verification of the processes that can send IOCTL codes to them and request various functionalities. The drivers maintain an \u2018allow list\u2019 of legitimate, trustworthy processes. However, by sending an IOCTL code 0x80002010 and passing the process ID of a running process as a parameter, an attacker can add their own process to the allow list and circumvent this security measure. Once added, the attacker can request a number of functionalities from the driver, such as attempting to terminate a targeted process by sending an IOCTL request with code 0x80002048. 
A comprehensive list of functionalities is provided in this <a href=\"https:\/\/voidsec.com\/reverse-engineering-terminator-aka-zemana-antimalware-antilogger-driver\/\">article<\/a>.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-953868\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image2.png\" alt=\"A diagram showing the process of exploiting the vulnerable driver\" width=\"640\" height=\"249\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image2.png 853w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image2.png?resize=300,117 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image2.png?resize=768,299 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 2: IOCTL code requests needed to be able to abuse the vulnerability<\/em><\/p>\n<p>To abuse the driver in this way, however, a threat actor would need administrative privileges and a User Account Control (UAC) bypass (or they would need to convince a user to install the driver via social engineering). So while leveraging vulnerable legitimate drivers could certainly allow a threat actor to terminate AV and EDR processes, it\u2019s not necessarily straightforward, and escalating privileges may trigger other security protections.<\/p>\n<h1>Multiple variants<\/h1>\n<p>Many of the vendors on spyboy\u2019s list, including Sophos, moved quickly to investigate variants of the drivers and develop protections. 
Since the initial release of Terminator, we have also tracked multiple variants of the tool \u2013 including open-source versions such as <a href=\"https:\/\/github.com\/ZeroMemoryEx\/Terminator\">Terminator<\/a>, which reproduces spyboy\u2019s technique; <a href=\"https:\/\/github.com\/mertdas\/SharpTerminator\">SharpTerminator<\/a>, a C# port of the previous project; and <a href=\"https:\/\/github.com\/nbaertsch\/Ternimator\">Ternimator<\/a>, a version written in Nim. (Like Rust, Nim is a popular language for writing <a href=\"https:\/\/medium.com\/walmartglobaltech\/investigation-into-the-state-of-nim-malware-14cc543af811\">red teaming tools or malware<\/a>, because as a relatively new language it may be more likely to circumvent static detections or static-based heuristic models; it also offers cross-platform support.)<\/p>\n<p>Even multiple months after the initial discovery, the drivers are still a popular topic in darknet forums. For instance, we discovered the following November 2023 post on a Russian-language criminal forum:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/forum_edit.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-953869\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/forum_edit-e1709297251824.png\" alt=\"A screenshot of a post on a criminal forum\" width=\"1078\" height=\"104\" \/><\/a><\/p>\n<p><em>Figure 3: A threat actor posts on a criminal forum offering a BYOVD tool for sale<\/em><\/p>\n<p>After further investigation of the thread, we assess that this likely refers to a different release version of the Zemana driver(s), or a hash that is not, as of this writing, reported on loldrivers.io. 
When challenged by another user, who said that: \u201cits [sic] ZAM, not worth spending time on (blacklisted &amp; detected)\u201d, the original poster replied: \u201cit is not in the databases\u2026in the databases there is a different version of the driver and not this one.\u201d<\/p>\n<p>Further discussion in the forum revealed that threat actors are aware of the widespread coverage of the vulnerable Zemana drivers. The discussion ended with another threat actor suggesting that developing a malicious driver from scratch and using a valid certificate \u2013 be it stolen, leaked, or otherwise acquired \u2013 to sign it, is a more viable strategy than using known vulnerable drivers.<\/p>\n<p>While we weren\u2019t able to glean any further useful information from the thread, we decided to do some investigation and analysis, to determine the extent of Zemana driver abuse and to see whether attackers are making further tweaks and changes to the original Terminator tool.<\/p>\n<h1>Real-world attacks<\/h1>\n<p>We reviewed our behavioral detection telemetry for the past six months and discovered several incidents in which attackers used the Zemana Anti-Logger or Anti-Malware drivers. In some cases, threat actors also ported the open-source projects discussed earlier to different languages or obfuscated them through packers to circumvent detection. We\u2019ve highlighted the incidents below as they\u2019re illustrative of patterns we saw across a wider evidence base.<\/p>\n<h2>From Citrix to Ter<\/h2>\n<p>On September 13, 2023 and October 10, 2023, Sophos thwarted attacks which both used very similar methodologies. In both cases, initial access was likely obtained via exploiting a vulnerable Citrix application. From there, the attackers injected a payload into the Windows Error Reporting process, <strong>wermgr.exe<\/strong>. 
Next, they tried to disable Sophos by issuing the following commands:<\/p>\n<pre>wmic service where \"PathName like '%sophos%'\" call delete \/nointeractive\nwmic service where \"PathName like '%sophos%'\" call stopservice \/nointeractive<\/pre>\n<p>Tamper protection was enabled on the targeted devices, so the attempts to simply disable and remove the Sophos services failed. Finally, the threat actor switched to deploying an EXE file named <strong>ter.exe<\/strong>. The binary unpacks itself to a slightly modified version of Terminator. The driver itself was dropped separately before this.<\/p>\n<p>Upon execution, the binary loads the \u201cBINARY\u201d resource. The content is decrypted via AES-256. The key is hardcoded in the binary. Finally, the binary writes the decrypted content into a newly allocated section and executes it. The attempt to load the driver was blocked by one of our behavioral protection rules.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-953870\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image4.png\" alt=\"A screenshot of decompiled code\" width=\"617\" height=\"645\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image4.png 617w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image4.png?resize=287,300 287w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image4.png?resize=32,32 32w\" sizes=\"auto, (max-width: 617px) 100vw, 617px\" \/><\/a><\/p>\n<p><em>Figure 4: Unpacking routine of ter.exe<\/em><\/p>\n<p>After investigating the disassembly of the unpacked ter.exe binary, we found the PDB path string with the original project name \u201cTerminator-master,\u201d suggesting that the threat actor modified code from the Terminator GitHub repository.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image5.png\"><img loading=\"lazy\" 
decoding=\"async\" class=\"alignnone size-full wp-image-953871\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image5.png\" alt=\"A screenshot of disassembled code, showing a filepath\" width=\"640\" height=\"207\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image5.png 937w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image5.png?resize=300,97 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image5.png?resize=768,248 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 5: Path to PDB file, found in the unpacked ter.exe<\/em><\/p>\n<h2>Healthcare under attack<\/h2>\n<p>On December 15, 2023 we blocked an attack targeting a healthcare organization. Immediately after initial access, the attackers attempted to execute a PowerShell command to download a text file from a C2 server.<\/p>\n<p>The text file itself is a PowerShell script designed to install the <a href=\"https:\/\/news.sophos.com\/en-us\/tag\/xmrig\/\">XMRig cryptominer<\/a> on the targeted system. The attempt was blocked by one of our behavioral protection rules.<\/p>\n<p>Later, the threat actors tried to disable the EDR client via running ternimator, the Nim version of Terminator, on one of the infected machines. 
The attempt to load the driver was also blocked by behavioral protection rules.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image6.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-953872\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image6.png\" alt=\"A diagram showing an overview of the attack chain\" width=\"640\" height=\"220\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image6.png 882w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image6.png?resize=300,103 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/image6.png?resize=768,264 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 6: Overview of the attack on the healthcare organization<\/em><\/p>\n<h2>From ZAM to AuKill<\/h2>\n<p>In this attack, which occurred on Christmas Day 2023, the threat actor gained access to a single machine, although the initial attack vector is unclear. First, they tried to load the Zemana Anti-Logger driver, masquerading as updatedrv.sys, from different locations:<\/p>\n<pre>%sysdir%\\drivers\\updatedrv.sys\n&lt;d&gt;\\programdata\\usoshared\\updatedrv.sys<\/pre>\n<p>After these attempts failed, they switched to using <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/04\/19\/aukill-edr-killer-malware-abuses-process-explorer-driver\/\">AuKill<\/a>, another known EDR killer, where the Process Explorer driver was named ped.sys in the temp folder. We reported this to the customer, and did not see any further detections triggered; we are therefore highly confident that the attack was thwarted.<\/p>\n<h1>Mitigation and protection<\/h1>\n<p>Detecting the abuse of vulnerable drivers is a unique challenge for the security industry. 
While efforts to compile repositories of known vulnerable drivers, such as loldrivers.io, are certainly useful, it is worth noting that these drivers are legitimate, and may be crucial for the operating system or for mission-critical services and applications. Blocking them wholesale, without careful validation, can be time-consuming, counter-productive, and result in unforeseen problems for organizations. A solely reactive approach is therefore usually not enough to solve this issue, particularly since there are so many known vulnerable drivers \u2013 with potentially more containing zero-day vulnerabilities.<\/p>\n<p>However, it\u2019s relatively rare for threat actors to deploy legitimate drivers with zero-day vulnerabilities; most of the time, the drivers and their vulnerabilities are known and documented, as is the case here (albeit they may be packed, obfuscated, or tweaked to avoid static detection). So keeping up-to-date with vulnerable drivers, and blocklisting any that you don\u2019t already have installed, can be worthwhile.<\/p>\n<p>We also recommend taking the following proactive actions:<\/p>\n<ul>\n<li>Check if your endpoint security product implements tamper protection (see <a href=\"https:\/\/doc.sophos.com\/esg\/enterprise-console\/5-5\/help\/en-us\/esg\/Enterprise-Console\/tasks\/tamper_02_enable.html\">here<\/a> for advice on how to do it for Sophos products)<\/li>\n<li>Practice strong Windows security roles hygiene. 
BYOVD attacks are typically made possible through privilege escalation and UAC bypasses<\/li>\n<li>Keep both your OS and individual applications and tools updated, and remove older software if it\u2019s no longer used or required<\/li>\n<li>If you\u2019re not doing so already, consider adding vulnerable drivers to your vulnerability management program; threat actors could seek to exploit vulnerable legitimate drivers that already exist on a compromised system<\/li>\n<\/ul>\n<p>In addition to static detections of some of the Zemana components mentioned in this article, Sophos behavioral protection rules and <a href=\"https:\/\/news.sophos.com\/en-us\/2023\/10\/19\/pioneering-automated-moving-target-defense-amtd\/\">Adaptive Attack Protection<\/a> provide further layers of defense. Moreover, BYOVD events do not happen in isolation, and some of the activities that accompany a BYOVD attack \u2013 exploitation of an initial attack vector; lateral movement; establishing persistence; and privilege escalation \u2013 offer further opportunities to detect and block an attack in progress.<\/p>\n<h1>Conclusion<\/h1>\n<p>BYOVD attacks are attractive to threat actors, as they can provide a means by which to disable AV and EDR solutions at the kernel level. The sheer number of known vulnerable drivers means that attackers have a wealth of options to choose from. Our investigation into the misuse of Zemana drivers illustrates that threat actors will continue to use such components even if they\u2019re publicly known and signatured \u2013 because they are known to work, and because they are often bundled into off-the-shelf kits and tools. 
However, it\u2019s also worth noting our finding on the forum \u2013 that some threat actors are instead advocating for purpose-built malicious drivers, signed with stolen or leaked certificates.<\/p>\n<p>Like many others in the security community, we are constantly researching and evaluating the threat landscape to keep track of both vulnerable and custom-built drivers, as per our previous coverage of AuKill and other campaigns. We are also continuing to devise and test new methods to proactively block maliciously used drivers.<\/p>\n<p>IOCs for the attacks described in this article are available on <a href=\"https:\/\/github.com\/sophoslabs\/IoCs\/blob\/master\/Zemana-driver-IoCs.csv\">our GitHub repository<\/a>.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/shutterstock_339023852.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Wixey | Date: Mon, 04 Mar 2024 11:00:08 +0000<\/strong><\/p>\n<p>First released in May 2023, an EDR killer \u2013 and the vulnerable Zemana drivers it leverages \u2013 are still of interest to threat actors, along with variants and ported 
versions<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[29152,25302,27784,28131,129,3765,27030,23286,16771,30970],"class_list":["post-24082","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-aukill","tag-blackbyte","tag-byovd","tag-drivers","tag-featured","tag-ransomware","tag-sophos-x-ops","tag-terminator","tag-threat-research","tag-zam"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24082","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=24082"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24082\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=24082"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=24082"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=24082"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}