Dark Reading is part of the Informa Tech Division of Informa PLC

Threat Intelligence

05:40 PM

TrickBot's New Tactic Threatens Firmware

A newly discovered module checks machines for flaws in the UEFI/BIOS firmware so malware can evade detection and persist on a device.

TrickBot malware has a new, and dangerous, trick: A recently identified module inspects target devices for firmware vulnerabilities that enable attackers to read, write, or erase the UEFI/BIOS firmware. With this level of access, one could install a backdoor or "brick" an infected machine.


The malware was first identified in 2016 and initially considered a banking Trojan, used to steal financial data. Since then, it has evolved into a full-fledged operation and appears in different types of malware campaigns. TrickBot has been spotted working with Emotet to deliver Ryuk ransomware; it uses the EternalBlue exploit to spread across hosts in a target network via Server Message Block. 

Earlier this year, US Cyber Command and a Microsoft-led private industry group attempted to take TrickBot down; weeks later, researchers noticed a new version being distributed via spam.

Now, it's attempting to infiltrate the lowest level of target devices by checking for firmware flaws, researchers with Eclypsium and Advanced Intelligence (AdvIntel) report. A module they found in October 2020 "marks a significant step in the evolution of TrickBot," a threat that has consistently incorporated new capabilities to become stealthier and more malicious over time.

In this module, TrickBot uses a driver from the RWEverything tool to interact with the SPI controller and check whether the BIOS control register is unlocked and whether the contents of the BIOS region can be changed. RWEverything (read-write everything), the researchers say, could let an attacker write to the firmware on "virtually any device component," including the SPI controller that holds the system firmware. This would let the attacker write code to the system firmware, ensuring the malicious code executes before the operating system during the boot process.
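The check described above has a defensive mirror image: given the raw values of the BIOS control register, the SPI flash status register and the SPI protected-range registers that a firmware inventory tool such as chipsec collects, decide whether the BIOS region is actually write-protected from the OS. The following is an added example written for this article, not code from Eclypsium, AdvIntel or chipsec; it assumes the Intel PCH register layouts (BIOS_CNTL bits BIOSWE/BLE/SMM_BWP, HSFS FLOCKDN, PRx base/limit/WPE fields) and the pass/fail logic are as labelled in the comments, and all register values are constructed samples.

```python
# Added example (not from the article or its researchers): assess whether an
# Intel PCH's BIOS flash region is write-protected from the operating system.
# Register bit layouts below are assumed from the Intel PCH datasheets as used
# by chipsec's bios_wp module; confirm them against your platform's datasheet.
from dataclasses import dataclass

BIOSWE, BLE, SMM_BWP = 1 << 0, 1 << 1, 1 << 5   # BIOS_CNTL: write enable, lock, SMM-only writes
FLOCKDN = 1 << 15                                # HSFS: flash configuration lock-down


@dataclass
class ProtectedRange:
    base: int          # first protected flash address
    limit: int         # last protected flash address (inclusive)
    write_protect: bool


def decode_pr(value: int) -> ProtectedRange:
    """Decode a PRx register: bit 31 = WPE, bits 28:16 = limit, bits 12:0 = base (4 KiB units)."""
    base = (value & 0x1FFF) << 12
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF
    return ProtectedRange(base, limit, bool(value & (1 << 31)))


def covers(ranges: list[ProtectedRange], base: int, limit: int) -> bool:
    """True if the write-protected ranges, taken together, cover [base, limit] without gaps."""
    cur = base
    for r in sorted((r for r in ranges if r.write_protect), key=lambda r: r.base):
        if r.base > cur:
            break                      # gap in coverage: the rest cannot help
        cur = max(cur, r.limit + 1)
    return cur > limit


def assess_bios_write_protection(bios_cntl: int, hsfs: int, pr_regs: list[int],
                                 bios_base: int, bios_limit: int) -> dict:
    """Return findings on whether the BIOS region is writable from the OS (assumed logic)."""
    ble, smm_bwp = bool(bios_cntl & BLE), bool(bios_cntl & SMM_BWP)
    # BIOS_CNTL protection holds only when BLE is set AND SMM_BWP confines writes to SMM;
    # BLE alone can be raced, and BIOSWE without BLE means the OS can simply enable writes.
    cntl_ok = ble and smm_bwp
    # Independent protection: protected ranges cover the BIOS region and are locked by FLOCKDN.
    pr_ok = covers([decode_pr(v) for v in pr_regs], bios_base, bios_limit) and bool(hsfs & FLOCKDN)
    return {"bios_cntl_protected": cntl_ok, "protected_range_locked": pr_ok,
            "writable_from_os": not (cntl_ok or pr_ok), "bioswe_set": bool(bios_cntl & BIOSWE)}


if __name__ == "__main__":  # constructed sample: BIOS region at 0x500000-0x7FFFFF
    print("locked  :", assess_bios_write_protection(0x22, 0x0000, [], 0x500000, 0x7FFFFF))
    print("unlocked:", assess_bios_write_protection(0x01, 0x0000, [], 0x500000, 0x7FFFFF))
    print("PR-only :", assess_bios_write_protection(0x00, 0x8000, [0x87FF0500], 0x500000, 0x7FFFFF))
```

A host reporting `writable_from_os: True` is exactly the kind of machine the module is hunting for, and is the one to prioritize for a firmware update or vendor lockdown setting.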

The focus on UEFI in this so-called "TrickBoot" module indicates its operators are thinking beyond the operating system to target lower device layers that security tools often miss. Because firmware is stored on the motherboard and not in the system drives, UEFI-focused threats enable attackers to remain persistent after a system is reimaged or an infected hard drive is replaced.

"Once you've done that, you've escaped the rest of the entire security stack's ability to detect," says Scott Scheferman, principal cyber strategist at Eclypsium. "And you've gained persistence by doing that as well, that you can't eradicate or even detect in most organizations." 

In a writeup, researchers discuss what an attacker could do with this level of access. TrickBot operators could brick any device they find vulnerable. UEFI persistence could enable them to disable most OS-level security controls, allowing them to resurface with no endpoint security. They could land on thousands of hosts per day and learn which are vulnerable to UEFI attacks.

There are several reasons why TrickBot is moving in this direction, the researchers believe. The malware has become a key area of focus among defenders and security researchers, notes Vitali Kremez, CEO and chairman at AdvIntel. Given this ubiquity, it's necessary for its operators to innovate so they can stay ahead of corporate antivirus and endpoint security products.

"We see maturity and professionalization of the space, where the criminal groups are professionals like us. … They run their business as a company," Kremez explains. "It's not the coding of the tool, the level of attention, the thought process behind a crime that makes it more interesting. It's the level of criminal intent — it's elevated, so to speak." 

The capabilities seen in TrickBoot have been demonstrated by other attackers seeking persistence in firmware, researchers note. What's dangerous about this discovery is TrickBot's spread: In the last two months of infections, TrickBot has peaked at 40,000 in one day. Further, attackers don't need device access or a complex technique to make it work.

"This isn't some esoteric, nation-state, spy-level thing," says Scheferman. "This is commodity, massive, wide-scale criminal malware that has everything it needs in tooling to know what vulnerability to hit, and hit it."

What Happens if TrickBoot Hits?
Recovering from an attack like this is more involved and expensive compared with traditional malware attacks, the researchers report. Corrupted UEFI firmware requires replacing or reflashing the motherboard, which is more labor-intensive than replacing the hard drive. 

"A lot of times IT will have hot spares for drives and memory, and some of these replaceable components are more common to fail," says Jesse Michael, principal researcher with Eclypsium. "But replacing the server, or motherboard, or an entire laptop is a much heavier issue." IT may have a playbook to replace a server that won't boot; it's less likely they're prepared to replace several servers at the same time.

The potential for this type of attack is especially concerning for operational environments, where uptime is the top priority, Scheferman adds. A TrickBoot attack could not be remediated with such organizations' existing incident response playbooks and could cause "devastating downtime," he says.

While its capabilities have potential to be "a significant development," defenders should be cautious when attempting to determine the attacker's intent without further evidence, says Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.

"Threat actor capability does not always translate into real-world actions, but network defenders should assess their capabilities to detect UEFI modifications and what implications such attacks have on incident response and recovery," she explains.

There are steps businesses can take to prepare before an incident strikes. Scheferman advises first understanding which portions of an environment are vulnerable to this type of attack: gain visibility at the firmware level, and learn which devices have the kind of unprotected firmware this module is looking for.

"One thing to keep in mind is that a lot of enterprises don't have visibility into firmware," says Michael. "Making sure firmware updates are also part of their management process and IT process, making sure that component is also updated, is a key point of their enterprise process that they need to be aware of." 

While many admins prioritize operating system patches pushed via Windows Update or Linux distribution updates, firmware patches may fall by the wayside when a vendor releases them. Firmware updates are also generally more difficult to apply to systems, Michael adds, which is one more hurdle for businesses that learn they need them.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
