One of the Internet’s most aggressive threats has just gotten meaner, with the ability to infect one of the most critical parts of any modern-day computer.
Trickbot is a piece of malware that’s notable for its advanced capabilities. Its modular framework excels at gaining powerful administrator privileges, spreading rapidly from computer to computer in networks and performing reconnaissance that identifies infected computers belonging to high-value targets. It often uses readily available software like Mimikatz or exploits like EternalBlue stolen from the National Security Agency.
Once a simple banking fraud trojan, Trickbot over the years has evolved into a full-featured malware-as-a-service platform. Trickbot operators sell access to their vast number of infected machines to other criminals, who use the botnet to spread bank trojans, ransomware, and a host of other malicious software. Rather than having to go through the hassle of ensnaring victims themselves, customers have a ready-made group of computers that will run their crimeware.
The first link in the security chain
Now, Trickbot has acquired a new power: the ability to modify a computer’s UEFI. Short for Unified Extensible Firmware Interface, UEFI is the software that bridges a computer’s device firmware with its operating system. As the first piece of software to run when virtually any modern machine is turned on, it’s the first link in the security chain. Because the UEFI resides in a flash chip on the motherboard rather than on disk, an infection survives operating-system reinstalls and drive replacement, and is difficult to detect and remove.
According to research findings published on Thursday, Trickbot has been updated to incorporate an obfuscated driver for RWEverything, an off-the-shelf tool that people use to write firmware to virtually any device.
At the moment, researchers have detected Trickbot using the tool only to test whether an infected machine is protected against unauthorized changes to the UEFI. But with a single line of code, the malware could be modified to infect or completely erase the critical piece of firmware.
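The defender-side counterpart of that check, as an added example that is not from the article or from the AdvIntel/Eclypsium research: decoding the Intel PCH BIOS_CNTL register bits that decide whether the running OS can write the BIOS region of SPI flash. The bit positions follow Intel's public PCH documentation; the host names and register values are constructed, and the `assess`/`report` helpers are this example's own.

```python
# Added example: classify the write-protection posture encoded in the Intel PCH
# BIOS_CNTL register, the lock that decides whether OS code can reprogram the
# BIOS/UEFI region of SPI flash. Bit positions are from Intel's public PCH
# datasheets; sample values below are constructed, not read from hardware.
# On a live host the register is read with a tool such as chipsec
# (chipsec_main -m common.bios_wp), which also checks the SPI Protected Range
# registers, a second layer of protection this decoder does not cover.
from dataclasses import dataclass
from typing import Dict

BIOSWE = 1 << 0   # BIOS Write Enable: writes to the BIOS region currently allowed
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE raises an SMI so firmware can clear it
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes accepted only while the CPU is in SMM


@dataclass(frozen=True)
class BiosControl:
    bioswe: bool
    ble: bool
    smm_bwp: bool

    @classmethod
    def decode(cls, value: int) -> "BiosControl":
        if not 0 <= value <= 0xFF:
            raise ValueError("BIOS_CNTL is an 8-bit register")
        return cls(bool(value & BIOSWE), bool(value & BLE), bool(value & SMM_BWP))


def assess(value: int) -> str:
    """protected   - SMM_BWP and BLE set: only SMM code can write the BIOS region.
    partial     - BLE set without SMM_BWP: protection relies on the SMI handler
                  clearing BIOSWE after every attempt, a weaker guarantee.
    unprotected - BIOSWE set without SMM_BWP, or no lock bit at all: the OS can
                  write the BIOS region directly or simply enable writes itself."""
    bc = BiosControl.decode(value)
    if bc.smm_bwp and bc.ble:
        return "protected"
    if bc.bioswe or not bc.ble:
        return "unprotected"
    return "partial"


def report(readings: Dict[str, int]) -> Dict[str, str]:
    """Map hostname -> posture for a fleet of collected BIOS_CNTL readings."""
    return {host: assess(val) for host, val in readings.items()}


if __name__ == "__main__":
    # Constructed fleet readings, not real telemetry.
    samples = {"wks-01": 0x22, "wks-02": 0x02, "wks-03": 0x01, "wks-04": 0x00}
    for host, posture in report(samples).items():
        print(f"{host}: BIOS_CNTL=0x{samples[host]:02x} -> {posture}")
```

Hosts reporting "partial" or "unprotected" are the ones where a firmware-writing component like the one described above would succeed, and are the first candidates for a firmware update or vendor lock configuration.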
“This activity sets the stage for TrickBot operators to perform more active measures such as the installation of firmware implants and backdoors or the destruction (bricking) of a targeted device,” Thursday’s post jointly published by security firms AdvIntel and Eclypsium stated. “It is quite possible that threat actors are already exploiting these vulnerabilities against high-value targets.”