Over the past few years, the TrickBot gang has evolved its malware with limitless possibilities by adding a flurry of updates. Even after the Microsoft-led coalition operation for shutdown, TrickBot malware has been coming back to life with stronger features than before.
What’s new this time
Recent collaborative research between Advanced Intelligence (AdvIntel) and Eclypsium has discovered Trickbot malware’s latest functionality, dubbed TrickBoot, designed to inspect the UEFI/BIOS firmware of targeted devices.
With the new TrickBoot capability, attackers get to perform activities such as the installation of firmware implants and backdoors, chaining exploitation, reversing ACM or microcode updates that patched hardware (eg. CPU) vulnerabilities, bypassing security controls, and destructing (bricking) the targeted device.
Furthermore, the Trickbot gang is reusing publicly available code to quickly and easily enable these UEFI-focused threats.
As of now, the TrickBot module only checks the SPI controller to check if BIOS write protection is enabled. The module has not been witnessed modifying the firmware itself, though it already contains code to read, write, and erase firmware.
Recent UEFI bootkit
According to the Kaspersky researchers team, a Chinese hacker group was using a UEFI bootkit named MosaicRegressor to target diplomatic entities and NGOs in Africa, Asia, and Europe in October.
The first UEFI rootkit
In September 2018, the well-known hacking group Fancy Bear (aka Sednit) was found using the first UEFI rootkit named LoJax to target a few government organizations in the Balkans as well as in Central and Eastern Europe in the wild, according to ESET researchers.
UEFI rootkits are dangerous tools for executing cyberattacks as they are harder to detect and capable of surviving security measures. According to experts, such innovations from criminals demonstrate the length a cybercriminal can go in order to gain the highest level of persistence on a victim machine.