Despite recent optimistic reports from international cybersecurity organizations about the dismantling of the TrickBot malware infrastructure, a new version of the malware has appeared that can interact with UEFI/BIOS.
In October of this year, I wrote about a large-scale operation aimed at taking down one of the largest botnets of our day, TrickBot. Participants included law enforcement agencies, specialists from the Microsoft Defender team, the non-profit organization FS-ISAC, as well as ESET, Lumen, NTT and Symantec.
However, a little later I published a post arguing that even though Microsoft was able to disable the TrickBot infrastructure, the botnet would most likely “survive”, and its operators would eventually bring new control servers online and continue their activity.
Unfortunately, that is exactly what happened. Over the past few weeks, TrickBot has received many updates: new obfuscation methods, new control infrastructure and new spam campaigns have been observed.
Even worse, according to a recent joint report from Advanced Intelligence and Eclypsium, TrickBot not only continues to operate and receive updates, but is also acquiring new functionality: for example, it has learned to interact with UEFI/BIOS.
The new module responsible for this activity greatly alarmed the specialists, as it allows the malware to gain a foothold in the infected system and even “survive” an OS reinstallation. The analysts also write that the module’s functions could be used to achieve other goals, for example:
- remotely “bricking” the device at the firmware level;
- bypassing security mechanisms such as BitLocker, ELAM, Windows 10 Virtual Secure Mode and Credential Guard, as well as endpoint protections, including A/V, EDR and so on;
- follow-up attacks targeting Intel CSME vulnerabilities, some of which require access to SPI flash memory;
- rolling back ACM or microcode updates that fixed CPU vulnerabilities, including Spectre, MDS and so on.
In fact, this is the first time such functionality has been found in financially motivated malware. Until recently, LoJax and MosaicRegressor were considered the only malware capable of interfering with UEFI or BIOS, and both were created by state-sponsored hackers (LoJax by a Russian group, MosaicRegressor by a Chinese one).
Fortunately, for now the new TrickBot module only checks the SPI controller to determine whether BIOS protection is enabled; it does not actually make any changes to the firmware.
“However, the malware already contains code to read, write and delete the firmware,” the experts emphasize.
Although this dangerous functionality is not yet fully implemented, the very presence of the code in TrickBot implies that its creators plan to use it in some way. For example, TrickBot operators could use it to maintain more reliable access to the networks of large corporations, or use the new module in ransomware attacks, with which TrickBot is often associated.
So, if the representatives of an affected company refuse to pay, the TrickBot module could be used to destroy the victim’s systems, the experts say.
The module could also be used to prevent incident response specialists from gathering important evidence of an attack (simply by preventing the system from booting).
“The opportunities are almost endless,” Advanced Intelligence and Eclypsium summarize.
According to Eclypsium, the authors of TrickBot did not develop this code from scratch. Analysis showed that the criminals adapted publicly available code for their purposes:
“Specifically, TrickBot uses the RwDrv.sys driver from the popular RWEverything tool to communicate with the SPI controller, check if the BIOS Control Register is unlocked, and if changes can be made to the BIOS area,” the experts write.
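The same register is what a defender audits when verifying that firmware write protection is actually engaged. The following is an added example, not code from the report, from TrickBot or from RWEverything: it decodes an Intel PCH BIOS_CNTL value into the bits that govern BIOS write protection (bit layout per public Intel PCH datasheets; the sample register values are constructed, not read from hardware).

```python
"""Decode an Intel PCH BIOS_CNTL register and report whether the BIOS
region of SPI flash is write-protected.  Added example, not code from the
report, TrickBot or RWEverything; bit layout follows public Intel PCH
datasheets, and the sample values at the bottom are constructed."""
from dataclasses import dataclass

# Bit positions in BIOS_CNTL (LPC/eSPI device, offset 0xDC on many PCHs).
BIOSWE = 1 << 0   # BIOS Write Enable: writes to the BIOS region allowed
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes permitted only from SMM


@dataclass(frozen=True)
class BiosWriteProtection:
    bioswe: bool
    ble: bool
    smm_bwp: bool

    @property
    def protected(self) -> bool:
        # Writes disabled, lock enabled so BIOSWE cannot simply be re-set,
        # and SMM_BWP so that an SMI race cannot flip BIOSWE either.
        # SPI Protected Range registers (PR0-PR4) are a separate layer
        # not covered by this register.
        return (not self.bioswe) and self.ble and self.smm_bwp

    def findings(self) -> list[str]:
        out = []
        if self.bioswe:
            out.append("BIOSWE=1: BIOS region currently writable")
        if not self.ble:
            out.append("BLE=0: BIOSWE can be set without raising an SMI")
        if not self.smm_bwp:
            out.append("SMM_BWP=0: writes not restricted to SMM")
        return out


def decode_bios_cntl(value: int) -> BiosWriteProtection:
    """Decode the 8-bit BIOS_CNTL value into its protection-relevant bits."""
    if not 0 <= value <= 0xFF:
        raise ValueError("BIOS_CNTL is an 8-bit register")
    return BiosWriteProtection(bool(value & BIOSWE), bool(value & BLE),
                               bool(value & SMM_BWP))


if __name__ == "__main__":
    # Constructed sample values: 0x2A = BLE|SMM_BWP set, 0x09 = BIOSWE set.
    for label, raw in (("locked platform", 0x2A), ("unlocked platform", 0x09)):
        wp = decode_bios_cntl(raw)
        print(f"{label}: BIOS_CNTL=0x{raw:02X} protected={wp.protected}")
        for f in wp.findings():
            print("  -", f)
```

A platform that reports BLE=1 but SMM_BWP=0 is still flagged, since the lock alone can be raced before the SMI handler clears BIOSWE.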