On May 21, 2023, a threat actor using the name “spyboy” began posting on a Russian-language forum known as RAMP (Russian Anonymous Marketplace). There, spyboy claimed that their software, dubbed “Terminator”, could bypass nearly all AV/EDR/XDR solutions, calling out 23 vendors specifically in the post. Spyboy is currently pricing the software from $300 USD for a single bypass to $3,000 USD for an all-in-one bypass.
The attack seemingly first entered the public eye in a post from Twitter user Soufiane on May 28th. Around the same time, a LinkedIn post by Kaushík Pał responded to the video spyboy posted showing Terminator disabling CrowdStrike on a system.
The spyboy Terminator relies on manipulating processes at the kernel level, much like other BYOVD (Bring Your Own Vulnerable Driver) attacks.
An admin user in Windows has elevated privileges compared to regular users, but cannot directly modify kernel-level processes because of the security, stability, and protection mechanisms in place. Kernel-level processes are critical components of the operating system that manage system resources; modifying them could pose security risks and destabilize the system. Windows separates user mode from kernel mode: admin users operate in user mode and lack direct access to kernel-level processes. Windows also employs protection mechanisms such as Kernel Patch Protection (PatchGuard) to prevent unauthorized modifications to the kernel, since allowing arbitrary modifications could lead to compatibility issues and system instability. Specialized tools and techniques exist for kernel-level interactions, but they require specific knowledge, authorization, and adherence to strict security protocols to preserve system integrity and stability.
Based on the information surfaced by the team at Todyl and the rest of the threat hunting community, here is our assessment of how Terminator works:
As stated previously, spyboy Terminator is remarkably similar to other BYOVD attacks. Threat actors have been leveraging vulnerable driver attacks for years. Most notably, the Lazarus group, the same threat actor behind the 3CX supply chain attack, leveraged a vulnerable Dell driver to disable Windows monitoring capabilities.
Another notable example is the Cuba ransomware group's use of a vulnerable Avast anti-virus driver in 2021 to escalate privileges and disable malware protection. The LOLDrivers project maintains a list of hundreds of vulnerable drivers that actors can use for privilege escalation, disabling anti-malware and monitoring, and so on. In Terminator's case, the driver needs to be in the same directory as the Terminator executable, and the executable needs to be run as administrator.
Todyl’s Endpoint Security module, which leverages Elastic Security as a foundation, has contained a YARA rule to block vulnerable driver activity since 4/4/22, added to combat the original onset of BYOVD attacks. When the hash of the vulnerable driver used by spyboy was submitted, only Elastic detected it as malicious:
Our Endpoint Security module features signatures for vulnerable drivers, including the one used in this attack, acting as preventions against this particular attack vector.
In all cases like this, Terminator or otherwise, the first line of defense for organizations is making sure that the vulnerable driver doesn’t get on the system in the first place. Using SIEM and Endpoint Security, such as those in the Todyl platform, IT and security teams are alerted to suspicious activity. Furthermore, Todyl’s MXDR team goes a level further, investigating the activity and working to remediate it within minutes. MXDR gives customers a leg up for defending against these and many other attacks.
Todyl will continue to update the community as our findings on spyboy Terminator develop, but for now, be sure to threat hunt using SIEM for IoCs. You can also use the provided hunt queries:
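As an added hunt example (not one of Todyl's queries and not from the original post), the Python below scores Sysmon driver-load records (Event ID 6) against a vulnerable-driver hash list and flags drivers loaded from outside the standard driver directories, which is the pattern described above: a driver dropped beside a user-run executable and loaded by an administrator. The hash list entry, the trusted directory list, and the sample events are all constructed for the example; a real hunt would populate the hash set from a source such as LOLDrivers.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed stand-in for an entry from a vulnerable-driver list such as
# LOLDrivers; the page does not give the real driver hash.
VULN_HASH = hashlib.sha256(b"constructed-vulnerable-driver-sample").hexdigest()
KNOWN_VULNERABLE_SHA256 = {VULN_HASH}

# Directories from which legitimately installed drivers are normally loaded.
TRUSTED_DRIVER_DIRS = (r"c:\windows\system32\drivers",
                       r"c:\windows\system32\driverstore")

def parse_sysmon_hashes(field):
    """Turn a Sysmon 'Hashes' field ('SHA256=ab..,MD5=cd..') into a dict."""
    out = {}
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if algo and value:
            out[algo.strip().upper()] = value.strip().lower()
    return out

def assess_driver_load(event):
    """Return the reasons a Sysmon Event ID 6 (driver load) record looks like BYOVD."""
    reasons = []
    sha256 = parse_sysmon_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash matches known vulnerable driver")
    parent = str(PureWindowsPath(event.get("ImageLoaded", "")).parent).lower()
    if not any(parent.startswith(d) for d in TRUSTED_DRIVER_DIRS):
        # A driver dropped beside a user-run executable lands outside these dirs.
        reasons.append(f"driver loaded from non-standard path: {parent}")
    # Signature status is deliberately not a signal: an abused driver is a genuine,
    # validly signed vendor driver, so a valid signature does not clear it.
    return reasons

# Constructed sample records carrying the Sysmon Event ID 6 fields used above.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + hashlib.sha256(b"constructed-benign").hexdigest()},
    {"ImageLoaded": r"C:\Users\alice\Downloads\tool\drv.sys",
     "Hashes": "SHA256=" + VULN_HASH},
]

def hunt(events):
    """Return (image path, reasons) for every event that raised at least one reason."""
    scored = ((e["ImageLoaded"], assess_driver_load(e)) for e in events)
    return [(path, why) for path, why in scored if why]
```

Feeding real Event ID 6 records exported from a SIEM into `hunt` gives a short list to triage; the path check catches a driver that is not yet on any hash list.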
Additionally, check out our blog for more updates on Living off the Land and other similar attacks.