Security researchers have found that TrickBot has been upgraded with features that enable it to check the targeted system’s UEFI/BIOS firmware for vulnerabilities.
The malware has recently survived a shutdown attempt since 2016, resulting in most of its territories of command and control (C&C) being unresponsive. However, since then it has received many upgrades that not only allow it to continue operations, but also to survive similar attempts better.
Reported by Advanced Intelligence (AdvIntel) and Eclypsium security researchers, the current newly added features exploit readily accessible resources to detect vulnerabilities that enable the UEFI/BIOS firmware to be changed by attackers.
TrickBot operators might start using firmware implants and backdoors or transition to bricking targeted devices by exploiting those bugs. The boot operation could be monitored and they could also have complete power of corrupted devices.
Firmware-level malware is strategically important, as Eclypsium points out: attackers can ensure that their code runs first and is hard to detect, and can stay concealed for very long periods of time before the firmware or hard drive of the device is replaced.
TrickBot has proved to be one of today’s most adaptable pieces of malware, adding new features constantly to expand rights, spread to new computers, and sustain host persistence. Eclypsium states that the inclusion of UEFI features represents a significant advance in this continuing development by expanding its focus beyond the device’s operating system.
This is not the first time that the creators of TrickBot, who are thought to be none other than the cybercriminals behind the Dyre Trojan, have shown an interest in utilising the techniques and vulnerabilities that have been created.
For their destructive activities, they have previously implemented Mimikatz and EternalBlue, and are now using an obfuscated variant of the RwDrv.sys driver from the RWEverything (read-write everything) tool to reach the SPI controller and check that the BIOS can be changed.
LoJax ransomware attacks and the Slingshot APT campaign involve prior incidents where cybercriminals exploited those capabilities to sustain firmware persistence.
As the researchers clarify, the new TrickBot module interacts with the SPI controller to check if BIOS write protections are allowed. Although the BIOS itself has not been changed by the module, the malware includes code that enables it to read and update the firmware.
This new ability offers a means for TrickBot operators to brick any computer that they deem vulnerable. Recovery from compromised UEFI firmware includes the motherboard, which is more labor-intensive than merely re-imagining or removing a hard disc, to be patched or re-flashed, the researchers demonstrate.