Reverse Engineering Terminator aka Zemana AntiMalware/AntiLogger Driver

[correlate]
May 4, 2019
Recently, a threat actor (TA) known as SpyBot posted a tool, on a Russian hacking forum, that can terminate any antivirus/Endpoint Detection & Response (EDR/XDR) software. IMHO, all the hype behind this announcement was utterly unjustified, as it is just another instance of the well-known Bring Your Own Vulnerable Driver (BYOVD) attack technique, where a legitimate signed driver is dropped on victims' machines and later used to disable security solutions and/or deliver additional payloads.

I sincerely hope Microsoft will add this driver to the blocklist, as it's easy to weaponise for the nastiest attacks.

The thing is, it's already in a blocklist. If you have Core Isolation/Memory Integrity enabled in Windows 10 and 11, no Zemana product will install. You will get a small white box saying the SDK failed to install. If you disable CI/MI, then the Zemana product (possibly also the Watchdog anti-malware; what is up with that, is it still in development?) will install on your system.

Edited to add: yep, I just tried it as I would have been super-embarrassed if this didn't end up being the case. Since I don't feel like restarting my machine in order to switch CI/MI off, this was enough to satisfy my curiosity.

[Attached screenshot: zemana sdk failed.PNG]
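As an added example (not from the thread, and not Zemana's or Microsoft's code), here is a PowerShell check a defender can run to confirm the two settings the reply above relies on: whether Memory Integrity (HVCI) is actually running, and whether Microsoft's vulnerable driver blocklist is enforced. The Win32_DeviceGuard class and the CI\Config registry value are the documented ones; the driver name passed to Test-DriverLoaded is a placeholder you supply, since the thread does not name the driver file.

```powershell
# Added example: report the host settings that decide whether a known-vulnerable
# signed driver (such as the Zemana one discussed above) can be loaded at all.
# Assumes an elevated PowerShell session on Windows 10/11.

function Get-VulnerableDriverDefenseState {
    # Win32_DeviceGuard: SecurityServicesRunning contains 2 when HVCI
    # (the "Memory Integrity" toggle under Core Isolation) is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $hvciRunning    = $dg.SecurityServicesRunning    -contains 2
    $hvciConfigured = $dg.SecurityServicesConfigured -contains 2

    # Microsoft vulnerable driver blocklist: enforced when this DWORD is 1.
    # The value is absent on builds that predate the setting, hence SilentlyContinue.
    $ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $blocklist = (Get-ItemProperty -Path $ciKey -Name VulnerableDriverBlocklistEnable `
                                   -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable

    [pscustomobject]@{
        MemoryIntegrityRunning    = $hvciRunning
        MemoryIntegrityConfigured = $hvciConfigured
        DriverBlocklistEnabled    = ($blocklist -eq 1)
        # Neither control active: a BYOVD drop would not be blocked by the OS itself.
        ExposedToBYOVD            = -not ($hvciRunning -or ($blocklist -eq 1))
    }
}

function Test-DriverLoaded {
    # Returns $true if a kernel driver with this service name is currently loaded.
    # $DriverName is a placeholder: use the base name of the driver you are auditing.
    param([Parameter(Mandatory)][string]$DriverName)
    $drv = Get-CimInstance -ClassName Win32_SystemDriver |
           Where-Object { $_.Name -eq $DriverName -and $_.State -eq 'Running' }
    return ($null -ne $drv)
}

Get-VulnerableDriverDefenseState | Format-List
```

If ExposedToBYOVD comes back $true, re-enable Memory Integrity (a reboot is required, as the reply notes) and confirm DriverBlocklistEnabled afterwards.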