One of the most aggressive threats on the internet could lead to the spread of UEFI malware


One of the internet’s most aggressive threats has grown nastier, gaining the ability to infect one of the most critical parts of any modern computer.

Trickbot is malware that stands out for its advanced capabilities. Its modular framework excels at gaining powerful administrator privileges, spreading rapidly from computer to computer over networks, and performing analysis that identifies infected computers belonging to high-value targets. It often uses readily available software like Mimikatz or exploits like EternalBlue stolen from the National Security Agency.

Trickbot, once a simple bank-fraud Trojan, has evolved over the years into a full-featured malware-as-a-service platform. Trickbot operators sell access to their large pool of infected machines to other criminals, who use the botnet to spread banking Trojans, ransomware and a host of other malware. Rather than going to the trouble of infecting victims themselves, customers get a ready supply of already-compromised computers that will run their criminal software.

The first link in the security chain

Now Trickbot has acquired a new power: the ability to modify a computer’s UEFI. Short for Unified Extensible Firmware Interface, UEFI is the software that connects a computer’s device firmware to its operating system. As the first software to run when virtually any modern machine is powered on, it is the first link in the security chain. Because UEFI resides on a flash chip on the motherboard, infections are difficult to detect and remove.

According to research released Thursday, Trickbot has been updated to include an obfuscated driver for RWEverything, an off-the-shelf tool used to write firmware to virtually any device.

For now, researchers have seen Trickbot use the tool only to test whether an infected machine’s UEFI is protected against unauthorized modification. But with a single line of code, the malware could be changed to infect or completely wipe that critical part of the firmware.

“This activity sets the stage for TrickBot operators to take more active measures, such as installing implants and firmware backdoors or destroying (bricking) a specific device,” said a post published Thursday jointly by the security firms AdvIntel and Eclypsium. “It’s very possible that threat actors are already exploiting these vulnerabilities against high-value targets.”

Rare for now

So far, there have been only two documented cases of real-world malware infecting UEFI. The first, discovered two years ago by security firm ESET, was the work of Fancy Bear, one of the world’s most advanced hacker groups and an arm of the Russian government. By repurposing a legitimate anti-theft tool known as LoJack, the hackers modified UEFI firmware so that it reported to Fancy Bear’s servers instead of those owned by LoJack.

The second batch of real-world UEFI infections was discovered just two months ago by Moscow-based security company Kaspersky Lab. Company researchers found the malicious firmware on two computers, both belonging to diplomatic figures in Asia. The infections planted a malicious file in the computer’s startup folder so that it executed each time the computer was started.

The motherboard-resident flash chips that store UEFI have access-control mechanisms that can be locked during the boot process to prevent unauthorized firmware changes. Often, however, these protections are disabled, misconfigured, or undermined by vulnerabilities.
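The locks mentioned above are, on Intel platforms, a handful of bits in the SPI flash controller: the BIOS Control register (BIOSWE, BLE and SMM_BWP) and the Protected Range registers (PR0–PR4). A defender wants to know whether they are actually set, which is what tools such as the open-source CHIPSEC `bios_wp` module report. The following is an added example, not code from the article or from AdvIntel/Eclypsium: it evaluates write-protection from register values you pass in, so it runs offline on constructed samples. The bit positions follow the Intel PCH datasheets as I recall them and are an assumption; verify them against the datasheet for your own chipset before relying on the verdict, and use CHIPSEC on real hardware.

```python
"""Evaluate Intel PCH SPI-flash write-protection state from register values.

Added example; bit layouts are an assumption drawn from Intel PCH datasheets
and must be checked against the datasheet for the platform under test.
"""
from dataclasses import dataclass, field

# BIOS_CNTL (BIOS Control register) bit positions (assumed layout).
BIOSWE = 1 << 0   # BIOS Write Enable: 1 = software may currently write the BIOS region
BLE = 1 << 1      # BIOS Lock Enable: an attempt to set BIOSWE raises an SMI when BLE=1
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes only permitted while in SMM

# Protected Range register (PR0..PR4) fields (assumed layout).
# Base and limit fields carry flash address bits 24:12, so a 4 KiB granularity.
PR_WPE = 1 << 31        # Write Protection Enable
PR_LIMIT_SHIFT = 16
PR_FIELD_MASK = 0x1FFF


@dataclass
class Finding:
    protected: bool
    reasons: list = field(default_factory=list)


def pr_range(pr):
    """Decode one PRx register into (base, limit, write_protect_enabled)."""
    wpe = bool(pr & PR_WPE)
    base = (pr & PR_FIELD_MASK) << 12
    limit = (((pr >> PR_LIMIT_SHIFT) & PR_FIELD_MASK) << 12) | 0xFFF
    return base, limit, wpe


def ranges_cover(prs, region_base, region_limit):
    """True if the union of write-protected PRx ranges covers [region_base, region_limit]."""
    covered = sorted((b, l) for b, l, wpe in map(pr_range, prs) if wpe)
    cursor = region_base            # first address not yet shown to be protected
    for base, limit in covered:
        if base > cursor:           # a gap below this range: coverage fails
            break
        if limit >= cursor:
            cursor = limit + 1
        if cursor > region_limit:
            return True
    return cursor > region_limit


def evaluate_bios_wp(bios_cntl, prs, bios_base, bios_limit):
    """Report whether the BIOS region is write-protected and why not if it isn't.

    Protection holds either through BIOS_CNTL (BLE and SMM_BWP set, BIOSWE clear)
    or through Protected Range registers covering the whole BIOS region.
    """
    f = Finding(protected=False)
    bioswe, ble, smm_bwp = (bool(bios_cntl & b) for b in (BIOSWE, BLE, SMM_BWP))
    if bioswe:
        f.reasons.append("BIOSWE=1: BIOS region currently writable by software")
    if not ble:
        f.reasons.append("BLE=0: BIOS lock not enabled, BIOSWE can be set freely")
    if not smm_bwp:
        f.reasons.append("SMM_BWP=0: writes are not restricted to SMM")
    cntl_ok = ble and smm_bwp and not bioswe
    pr_ok = ranges_cover(prs, bios_base, bios_limit)
    if not pr_ok:
        f.reasons.append("Protected Range registers do not cover the whole BIOS region")
    f.protected = cntl_ok or pr_ok
    return f


# Constructed sample: a BIOS region at 0x500000-0x7FFFFF of an 8 MiB flash part.
SAMPLE_BIOS_BASE, SAMPLE_BIOS_LIMIT = 0x500000, 0x7FFFFF
SAMPLE_PR_FULL = PR_WPE | (0x7FF << PR_LIMIT_SHIFT) | 0x500   # covers the region
SAMPLE_PR_HALF = PR_WPE | (0x5FF << PR_LIMIT_SHIFT) | 0x500   # covers only the first MiB

if __name__ == "__main__":
    for label, cntl, prs in [
        ("locked via BIOS_CNTL", BLE | SMM_BWP, []),
        ("locked via PRR only", 0x00, [SAMPLE_PR_FULL]),
        ("unlocked", 0x00, [SAMPLE_PR_HALF]),
    ]:
        res = evaluate_bios_wp(cntl, prs, SAMPLE_BIOS_BASE, SAMPLE_BIOS_LIMIT)
        print(f"{label}: protected={res.protected}")
        for r in res.reasons:
            print("   -", r)
```

An "unlocked" verdict here is the state the article describes as common: a host on which any code running with administrative rights and a flash-capable driver could rewrite the firmware. The fix is a firmware setting or vendor update that sets BLE and SMM_BWP (or programs the Protected Range registers) before the OS boots, which is what the locked samples model.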

Large-scale UEFI infections

So far, researchers have seen Trickbot use its newly acquired UEFI write capability only to test whether any protections are in place. The presumption is that the malware operators are compiling a list of machines vulnerable to such attacks, to which they could then sell access. Customers running ransomware could use the list to overwrite UEFI and prevent large numbers of machines from booting. Trickbot customers bent on espionage could use it to install hard-to-detect backdoors on PCs in high-value networks.

Trickbot’s adoption of UEFI write code threatens to commoditize such attacks. Rather than remaining the domain of advanced persistent threat groups, which are typically funded by nation states, access to computers with vulnerable UEFI could be leased to the same lower-level criminals who now use Trickbot for other types of malware attacks.

“The difference here is that TrickBot’s automated modular approach, robust infrastructure, and rapid mass deployment capabilities bring this trend to a new level of scale,” wrote researchers from AdvIntel and Eclypsium. “All the pieces are now in place for large-scale espionage or destructive campaigns that can target entire verticals or parts of critical infrastructure.”
