Killer Ultra exploits a vulnerability (CVE-2024-1853) in a legitimate, signed driver shipped with Zemana AntiLogger to gain kernel-level privileges and terminate processes belonging to common EDR and AV products from Symantec, Microsoft and SentinelOne. It can also clear the Windows event logs to impede forensic analysis.
It also contains inactive code that points to additional functionality, such as downloading and executing tools from a command-and-control server, hinting at more extensive post-exploitation capability in future variants.
Because of the flaw (CVE-2024-1853) in Zemana AntiLogger v2.74.204.664, an attacker who can open the driver's device object can send it IOCTL code 0x80002048 and have the driver terminate an arbitrary process, including security software, from kernel mode.
The same vulnerability was used in a tool named "Terminator", sold on hacking forums, which bundled the vulnerable Zemana driver (amsdk.sys) to disable antivirus and endpoint detection and response (EDR) software.
Killer Ultra also uses a userland unhooking technique to get around endpoint security tools that hook user-mode functions.
It launches a benign process, notepad.exe, and uses a handle to that process to read the unhooked copy of NTDLL mapped in its memory, then overwrites its own NTDLL with that copy. This replaces the hooked NTDLL with a clean instance and potentially bypasses any security hooks placed on NTDLL functions.
Additionally, Killer Ultra attempts to change the memory protection of EtwEventWrite within NTDLL, most likely so it can patch the function and stop ETW-based logging of its activity by endpoint security tools. How effective these techniques are at fully evading detection has not yet been determined.
Once it has launched notepad.exe and installed the unhooked copy of NTDLL, the malware unpacks the vulnerable Zemana driver, registers it as a service named "StopGuard" and loads it. From that point on it abuses the flaw in the Zemana driver for its process-termination capability.
Once operational, Killer Ultra hunts for the processes of specific security products by comparing running process names against an XOR-encoded list; the decoded list includes Symantec Antivirus, Windows Defender and SentinelOne. When a name matches, Killer Ultra uses the kernel-level access obtained through the driver to terminate the process, effectively disabling the product.
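The matching step is simple enough to reproduce, and reproducing it is also how an analyst recovers the target list from a sample. The Python below is an added example, not Binary Defense's code or the malware's: it decodes a NUL-separated, single-byte-XOR-encoded list, matches it case-insensitively against a process snapshot, and brute-forces the key from the ".exe" suffix the way one would when the key is not known. The key 0x5A, the encoded blob and the process names in it (one well-known process per product family) are constructed for the demonstration and are not the sample's real key or decoded list.

```python
from typing import Iterable

XOR_KEY = 0x5A  # assumption for the demo; the page does not give the sample's key

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def decode_targets(blob: bytes, key: int = XOR_KEY) -> list[str]:
    """Decode a NUL-separated, single-byte-XOR-encoded list of process names (lower-cased)."""
    return [n.lower() for n in xor_bytes(blob, key).decode("ascii").split("\x00") if n]

def find_matches(running: Iterable[str], targets: list[str]) -> list[str]:
    """Case-insensitive match of a process snapshot against the decoded list."""
    target_set = set(targets)
    return sorted({p for p in running if p.lower() in target_set})

def recover_key(blob: bytes, marker: bytes = b".exe") -> list[int]:
    """Analyst helper: try all 256 single-byte keys and keep those whose
    decoding contains a known-plaintext marker such as '.exe'."""
    return [k for k in range(256) if marker in xor_bytes(blob, k)]

# Constructed encoded blob: illustrative process names for the three product
# families named in the report (Symantec, Defender, SentinelOne).
ENCODED_TARGETS = xor_bytes(b"ccSvcHst.exe\x00MsMpEng.exe\x00SentinelAgent.exe", XOR_KEY)

# Constructed process snapshot, as a process listing might show it.
RUNNING_PROCESSES = ["explorer.exe", "MsMpEng.exe", "notepad.exe",
                     "SentinelAgent.exe", "svchost.exe"]

if __name__ == "__main__":
    keys = recover_key(ENCODED_TARGETS)
    print("candidate keys:", [hex(k) for k in keys])
    targets = decode_targets(ENCODED_TARGETS, keys[0])
    print("decoded targets:", targets)
    print("would be terminated:", find_matches(RUNNING_PROCESSES, targets))
```

Because the list is only XOR-obscured, a strings-style scan of the unpacked binary misses it, but a single-byte brute force with a known plaintext marker recovers it in milliseconds; that is also why a detection signature written against the decoded names should be paired with one against the encoded bytes.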
It employs two further tactics for persistence and evasion. First, it creates scheduled tasks with the innocuous-looking names "Microsoft Security" and "Microsoft Maintenance" that run Killer Ultra from a hidden path at system startup.
Second, it includes a subroutine that removes incriminating evidence by clearing all Windows event logs: it spawns a command prompt and uses the wevtutil.exe utility to erase the logs one by one.
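The service name, driver file, task names and log-clearing command described in the paragraphs above are all visible in host telemetry before the wipe. The following Python is an added example of detection logic, not part of the original report: it runs a few rules over constructed process-creation (Sysmon Event ID 1 style) and service-installation (System Event ID 7045 style) records. The records, the `for /F ... wevtutil.exe cl` one-liner and the file paths are constructed for the demonstration and are not telemetry from the sample.

```python
import re

# Indicators drawn from the behaviour described in the report.
SUSPICIOUS_TASK_NAMES = {"microsoft security", "microsoft maintenance"}
SUSPICIOUS_SERVICE_NAMES = {"stopguard"}
VULNERABLE_DRIVERS = {"amsdk.sys"}

def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_process_event(event: dict) -> list[str]:
    """Rules for a process-creation record (Sysmon EID 1 / Security 4688 style)."""
    findings = []
    tokens = tokenize(event["CommandLine"])
    low = [t.lower() for t in tokens]
    # 'wevtutil cl <log>' anywhere in the line: the malware runs it through cmd.exe,
    # so do not key on the image name alone.
    for i, t in enumerate(low[:-1]):
        if basename(t) in ("wevtutil.exe", "wevtutil") and low[i + 1] in ("cl", "clear-log"):
            findings.append("event_log_cleared")
            break
    # schtasks /create with one of the disguised task names.
    if basename(event["Image"]) == "schtasks.exe" and "/create" in low:
        for i, t in enumerate(low[:-1]):
            if t == "/tn" and low[i + 1] in SUSPICIOUS_TASK_NAMES:
                findings.append(f"persistence_task:{tokens[i + 1]}")
    return findings

def check_service_event(event: dict) -> list[str]:
    """Rules for a service-installed record (System EID 7045 style)."""
    findings = []
    if event["ServiceName"].lower() in SUSPICIOUS_SERVICE_NAMES:
        findings.append(f"suspicious_service:{event['ServiceName']}")
    if basename(event["ImagePath"]) in VULNERABLE_DRIVERS:
        findings.append(f"vulnerable_driver:{basename(event['ImagePath'])}")
    return findings

def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, findings) for every record that triggers at least one rule."""
    hits = []
    for idx, ev in enumerate(events):
        if ev["EventID"] == 1:
            f = check_process_event(ev)
        elif ev["EventID"] == 7045:
            f = check_service_event(ev)
        else:
            f = []
        if f:
            hits.append((idx, f))
    return hits

# Constructed sample records; paths are placeholders, not the sample's real paths.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 7045, "ServiceName": "StopGuard",
     "ImagePath": r"\??\C:\Users\Public\amsdk.sys", "ServiceType": "kernel mode driver"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "Microsoft Security" /tr "C:\Users\Public\ku.exe" /sc onstart /ru SYSTEM /f'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /query /tn "Microsoft Security"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'''cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"'''},
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS):
        print(idx, findings)
```

Two caveats for anyone turning this into a production rule. A task registered through the Task Scheduler COM API never produces a schtasks.exe process, so also watch Security 4698 (if object-access auditing is enabled) and Microsoft-Windows-TaskScheduler/Operational 106 for the same task names; a driver installed via CreateService produces System 7045 whether or not sc.exe was used. And because the malware wipes the local logs, these events are only useful if forwarded to a collector before the wipe; the Security 1102 and System 104 "log cleared" records that `wevtutil cl` leaves behind are themselves a high-fidelity alert.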
Binary Defense discovered inactive functionalities within the Killer Ultra malware that suggest potential future capabilities. The code contains references to downloading tools (“Download Agent”) and executing programs (“mimi.exe,” possibly Mimikatz), which could be used for post-exploitation purposes.
The malware also holds a list of files associated with virtualization and sandbox environments and references a subroutine that could be enabled to make it exit when it detects such an environment. This highlights the need for proactive detection strategies, since future variants of Killer Ultra might activate these functionalities.