Overview:
A Threat Actor who goes by the handle "spyboy" claims to have developed an "AV/EDR terminator" that can be used to disable 24 security products, with McAfee listed as a supported product. The actor doesn't specify if the tool supports Trellix ENS or EDR, but just "McAfee."
Spyboy Claims and Mitigations Summary:
- Zemana anti-malware is a legitimate tool with legitimately signed drivers written to a legitimate location (C:\Windows\System32\drivers\).
- This installation requires Admin privileges on the machine (if someone has admin privileges on the machine, they can install ANYTHING).
- Once written to disk, the tool attempts to disable other anti-malware tools/products.
- Trellix can detect and delete malicious drivers using on-access scan.
- The Trellix Endpoint products implement self-protection capabilities to protect the services, files, registry, and executables on the endpoint.
- Self-protection leverages the operating system's Access Control Lists (ACLs) to make sure that changes are performed only with the correct privileges.
- The product implementation includes a set of self-protection rules.
- The rules control kernel event interception and process hooking, allowing the inspection and blocking of activity deemed not to be originating from a legitimate change.
Background:
If the owner of the Endpoint knowingly installs Zemana (legitimate product) with Admin Privileges, it would be inappropriate for Trellix to block legitimate installs. If installed at OS-Ring0, it operates at the same level as the Trellix product itself.
At the time of writing, the tool hasn't been identified or released publicly. The Terminator tool leverages legitimate but vulnerable Windows drivers belonging to the Zemana anti-malware tool to execute arbitrary code from within the Windows kernel (aka "ring 0"). Once this level of access has been achieved, security products are unable to provide protection. However, active Trellix anti-malware scanning detects malicious drivers on access and disables them.
Exploiting vulnerable drivers to achieve privileged code execution is referred to as a Bring Your Own Vulnerable Driver (BYOVD) attack. BYOVD attacks aren't new; nor is the use of the vulnerable Zemana anti-malware drivers. It has been speculated that if Terminator relies on Zemana anti-malware drivers, it's likely exploiting CVE-2021-31728.
Lastly, through our threat intelligence capability, we've learned that the threat actor (Spyboy) made comments that suggest that the Zemana driver identified by CrowdStrike is used by the Terminator tool. However, we reemphasize that the tool hasn't been released and can use other drivers as well to achieve code execution in the Windows kernel. The actual code that executes post-exploitation, and therefore the techniques used to disable security products, are also unknown.
Trellix Product Response:
Terminator implements a BYOVD technique using Zemana anti-malware drivers. Efforts have been focused on detecting the vulnerable Zemana drivers being written to disk or loaded by processes. Because Zemana is a legitimate tool, it's not viable to block the creation or loading of these drivers.
The following table summarizes the detection approaches taken for Trellix products.
Product: NX/EX/AX
Coverage Description: A signature has been developed to detect artifacts associated with the dropping and loading of the "zamguard64.sys" driver during dynamic execution of samples. The signature is released in silent mode for validation and will be promoted soon.

Product: HX IOC
Coverage Description: A signature has been developed that looks for the vulnerable drivers being written to disk based on the MD5 value. The signature is released in silent mode for validation and will be promoted soon. This signature can also be provided to customers for their own hunting exercises.

Product: ENS
Coverage Description: ENS doesn't prevent the creation of the vulnerable driver, as it's considered a legitimate driver. However, detection has been added for the legitimate drivers appearing with unexpected file names. Separately, detection is added for a publicly released POC that demonstrates how to exploit the driver vulnerability (hxxps://github.com/ZeroMemoryEx/Terminator).

Product: EDR
Coverage Description: A Low-Severity rule exists to detect new drivers being written to Windows\System32\drivers. Customers can also leverage the EDR Historical Search to perform a hash search for the list of vulnerable driver hashes. More information on this is provided below. Additional high-severity detections are being evaluated to detect the creation of services leveraging the vulnerable Zemana drivers.

Product: HX AV
Coverage Description: Similar to ENS, HX AV doesn't have detection for the legitimate Zemana drivers. Protection is provided for several related POCs, including the following:
Hunting in Trellix EDR:
To hunt for evidence of vulnerable Zemana drivers in your environment, use the following query:
Sha256 in "543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91,ff113339f97e4511a3e49fd2cc4bc1a80f69a9e57e090644271fafb803f25408,877432336a2f178e956f436229f4c147b2909e9f3f5b5be2a2c6d,132c67d15e,4937926fa892611da4d190b0e5174db83b6b1fa4ff4fe2ca8bd930db1c020fe6,c5f916a450e7e3eb6f16ed7ba6d024848544c608a76bfe3beb582cbaaeb74b4e,4710886983bd59b9b0668eda38371f46064affad4,a954301f8f2662bdfc744b,2bbc6b9dd5e6d0327250b32305be20c89b19b56d33a096522ee33f22d8c82ff1,66afdda05693c8a5bced85a7233a931f05f5908430d41d0d84bf051f474fa9c8"
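The EDR hash search above and the ENS "unexpected file name" detection can be reproduced on a single host with a small hunting script. The following is an added example, not Trellix code: it hashes every file in a drivers directory, matches against a known-vulnerable hash map, and reports separately when a known driver image sits under a name other than the one Zemana ships it as. The hash map and the driver bytes are constructed for the demo (the page's real hashes are only in the query above); only the "zamguard64.sys" name comes from the page.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large driver images are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_drivers(drivers_dir, known_vulnerable):
    """Scan drivers_dir; known_vulnerable maps SHA-256 -> expected file name.

    Every hash hit is reported. A hit whose on-disk name differs from the
    expected one is flagged as 'renamed', mirroring the ENS detection for
    legitimate drivers with unexpected file names."""
    findings = []
    for name in sorted(os.listdir(drivers_dir)):
        path = os.path.join(drivers_dir, name)
        if not os.path.isfile(path):
            continue
        digest = sha256_of(path)
        expected = known_vulnerable.get(digest)
        if expected is None:
            continue  # not a known-vulnerable image; nothing to report
        kind = "expected-name" if name.lower() == expected.lower() else "renamed"
        findings.append({"file": name, "sha256": digest,
                         "expected_name": expected, "kind": kind})
    return findings


def demo():
    """Constructed sample: fake driver bytes in a temp dir (hypothetical)."""
    zam_bytes = b"MZ-constructed-zemana-driver-image"   # stands in for zamguard64.sys
    benign_bytes = b"MZ-constructed-benign-driver"
    known = {hashlib.sha256(zam_bytes).hexdigest(): "zamguard64.sys"}
    with tempfile.TemporaryDirectory() as d:
        for fname, data in (("zamguard64.sys", zam_bytes),
                            ("dropped.sys", zam_bytes),   # same image, renamed
                            ("disk.sys", benign_bytes)):
            with open(os.path.join(d, fname), "wb") as f:
                f.write(data)
        return hunt_drivers(d, known)


if __name__ == "__main__":
    for hit in demo():
        print(hit["kind"], hit["file"], hit["sha256"])
```

To use it against a real host, point hunt_drivers at C:\Windows\System32\drivers and populate the map from the hash list in the query above.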
References: