- Mar 13, 2022
A threat actor known as Spyboy is promoting a tool called "Terminator" on a Russian-speaking hacking forum that can allegedly terminate any antivirus, XDR, and EDR platform. However, CrowdStrike says that it's just a fancy Bring Your Own Vulnerable Driver (BYOVD) attack.
Terminator is allegedly capable of bypassing 24 different antivirus (AV), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) security solutions, including Windows Defender, on devices running Windows 7 and later,
Spyboy sells the software for prices ranging from $300 for a single bypass to $3,000 for an all-in-one bypass.
"The following EDRs cannot be sold alone: SentinelOne, Sophos, CrowdStrike, Carbon Black, Cortex, Cylance," the threat actor says, with a disclaimer that "Ransomware and lockers are not allowed and I'm not responsible for such actions."
To use Terminator, the "clients" require administrative privileges on the targeted Windows systems and have to trick the user into accepting a User Account Controls (UAC) pop-up that will be displayed when running the tool.
A threat actor known as Spyboy is promoting a Windows defense evasion tool called "Terminator" on the Russian-speaking forum RAMP (short for Russian Anonymous Marketplace).