
'Terminator' tool uses vulnerable Windows driver to kill almost any security software

Submitted by
Style Pass
2023-06-03 09:00:04

Why it matters: "Bring Your Own Vulnerable Driver" attacks use legitimate drivers that allow hackers to easily disable security solutions on target systems and drop additional malware on them. This has become a popular technique among ransomware operators and state-backed hackers in recent years, and it looks like malicious actors have found a way to make it work on pretty much any PC running Windows.

A CrowdStrike engineer has revealed a new cybersecurity threat dubbed "Terminator," which is supposedly capable of killing almost any antivirus, Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) security solution.

"Terminator" is being sold on a Russian hacking forum called Ramp by a malicious actor known as Spyboy, who began advertising the endpoint evasion tool on May 21. The author claims the tool is capable of bypassing the protection measures of no fewer than 23 security solutions, with pricing ranging from $300 for a single bypass to $3,000 for an all-in-one bypass.

Windows Defender is one of the AVs that can be bypassed, and the tool works on all devices running Windows 7 and later versions. According to most estimates, Windows Vista and Windows XP are now running on less than 1 percent of all PCs, meaning Terminator impacts almost all Windows users – even those who don't use a third-party security solution from companies like BitDefender, Avast, or Malwarebytes.
