Thursday, 01 June 2023 08:26

Claimed EDR Killer Found to be a Vulnerable AV Driver Similar to Past Evasion Techniques

Written by

Reading time is around minutes.

A couple of days ago an email was sent to me about a new tool kit being sold on the darker side of the internet. The claim what that this new tool could kill the processes behind “any” AV, EDR, or XDR running on Windows 7 and newer. The same email included a link to what was supposed to be proof of its efficacy. I opened the link in a sandbox on a controlled VM just to be sure the link was not malicious all on its own. What I saw was nothing all that new, although it was a bit worrying.

The proof shows someone killing the protected processes behind CrowdStrike Falcon running on Windows Server 2012 R2. There were a few things I noticed. The first was that the tool needed to be run as Administrator on the device and a UNC prompt (if enabled) had to be approved before it ran. This means that the tool was not a userland exploit and that whatever was behind it needed elevated privileges to run. At the time and with little more than the video to go by, I suspected this was a driver exploit with a tool calling a vulnerable driver already in windows to run commands terminating normally protected processes. It was a logical conclusion to draw as there have been other attacks like this on EDR/XDR in the past using this pivot. They typically all require privilege escalation making them challenging to pull off without some social engineering to get the target user to allow the command to execute.

It turns out that I was partially correct, the terminator tool does use a vulnerable driver to execute commands targeting protected processes, but it is not one natively found in Windows. Instead, the developer is using a flawed driver from another AV product. In this case the tool kit leverages a signed kernel driver from Zemana anti-malware (zamguard64.sys or zam64.sys). This driver gets dropped into the system32 folder with a random name. The toolkit abuses the driver to execute the commands to kill the targeted process. It is possible that the developer SpyBoy leveraged an older POC kit from 2021 that has a similar function (calling vulnerable kernel drivers to execute commands) as a blueprint in developing this tool, but that has not been confirmed. Researchers are still digging into the tool kit although they are releasing information pretty quickly on different platforms from Redditt to their own blogs to help organizations defend against this attack.

This terminator kit, while interesting and concerning, is not really a new concept. As we mentioned earlier, other groups have used a similar technique of abusing vulnerable kernel mode drives to disable or bypass EDR/XDR. This behavior has been observed in ransomware deployment and other types of attacks from various threat groups. The abuse of vulnerable kernel drivers is a significant concern attacker can import a legitimate driver that they can abuse to affect security tools and software on a targeted device. It highlights the need for proper code review and early detection of these flaws during development and the need for revalidation periodically. When a vulnerable driver is identified, there needs to be steps to decertify it or get it added into detection software so that it can be isolated in the event threat groups seek to use it in their attack chain. Right now, the vulnerable Zemana driver is only identified by one AV according to Virus Total it even has a community score of 51 in the positive. The good news is that you can take some proactive steps and add the identified hash of this driver into your existing detection engines. This will not protect you from a different driver or even a mutated version of this one, but it does block this particular attack at this time. You can also check out YARA rules that have been uploaded to GitHub by Florian Roth and Nasreddine Bencherchali of Nextron Systems for both HASH and File Name Detections


Read 479 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.