Terminator antivirus killer is a vulnerable Windows driver in disguise
2023-05-31 19:25

After the malicious driver is written to disk, Terminator loads it and uses its kernel-level privileges to kill the user-mode processes of AV and EDR software running on the device.

While it is not clear how the Terminator program interfaces with the driver, a PoC exploit released in 2021 exploits flaws in the driver to execute commands with Windows kernel privileges, which could be used to terminate normally protected security software processes.

This driver is only being detected by a single anti-malware scanning engine as a vulnerable driver at the moment, according to a VirusTotal scan.

Luckily, Nextron Systems head of research Florian Roth and threat researcher Nasreddine Bencherchali have already shared YARA and Sigma rules that can help defenders detect the vulnerable driver used by the Terminator tool.

In Bring Your Own Vulnerable Driver attacks, as they are known, legitimate drivers signed with valid certificates and capable of running with kernel privileges are dropped on the victims' devices to disable security solutions and take over the system.

More recently, Sophos X-Ops security researchers have spotted a new hacking tool dubbed AuKill used in the wild to disable EDR software with the help of a vulnerable Process Explorer driver before deploying ransomware in BYOVD attacks.


News URL

https://www.bleepingcomputer.com/news/security/terminator-antivirus-killer-is-a-vulnerable-windows-driver-in-disguise/