The hackers behind TrickBot have updated the malware with a new functionality designed to inspect the UEFI/BIOS firmware of targeted systems and potentially deploy bootkits and take over the system.
The new feature, dubbed TrickBoot by Advanced Intelligence (AdvIntel) and Eclypsium, makes use of readily available tools to check devices for well-known weaknesses that can allow attackers to read, write, or erase the UEFI/BIOS firmware of a device. The new module targets all Intel-based systems released in the last five-plus years. According to Eclypsium's analysis, most of these systems remain vulnerable to at least one of the many firmware vulnerabilities currently known.
“TrickBoot is only one line of code away from being able to brick any device it finds to be vulnerable. UEFI level destruction is more impactful than the run-of-the-mill ransomware tactic of encrypting hard drives. Recovering from a bricked UEFI means replacing the entire motherboard or attempting reflash of the UEFI firmware and is more labor-intensive than simply re-imaging or replacing a hard drive. The national security implications arising from a widespread malware campaign capable of bricking devices are enormous,” the researchers said.
While analyzing the new TrickBot attack chain, the researchers discovered a module named user_platform_check.dll, which caught their attention.
“As is often the case with new TrickBot modules, the name “PermaDll” or the original name as “user_platform_check.dll” caught the attention of Advanced Intelligence researchers during the October 2020 discovery of the new TrickBot attack chain. “Perma,” sounding akin to “permanent,” was intriguing enough on its own to want to understand this module’s role in TrickBot’s newest arsenal of loadable modules with the usual TrickBot export modules,” the researchers wrote.
TrickBoot targets the SPI flash chip that holds the firmware from which the boot process begins. It uses the RwDrv.sys driver from the popular RWEverything tool to talk to the SPI controller and check whether the BIOS Control register is unlocked, that is, whether the contents of the BIOS region of the flash can be modified.
The researchers note that, for now, the module only queries the SPI controller to determine whether BIOS write protection is enabled and has not been observed modifying the firmware itself. However, the malware already contains code to read, write, and erase firmware, which could be used in destructive attacks in the future.
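To make concrete what "checking whether BIOS write protection is enabled" means, here is an added example in C. It is not code from TrickBot, Eclypsium or AdvIntel; it decodes the BIOS_CNTL and Protected Range (PR0..PR4) register values that a defender-side tool such as chipsec's `common.bios_wp` module inspects, with register layouts taken from the Intel PCH datasheets. The register values and the flash layout (BIOS region occupying the top 11 MiB of a 16 MiB part) are constructed for illustration. Reading the real registers requires kernel-level access, which is exactly what RwDrv.sys gives the malware.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not TrickBot's, Eclypsium's or AdvIntel's code): decide from
 * chipset register values whether the BIOS region of SPI flash is writable
 * from the OS. Layouts follow the Intel PCH datasheets; the values fed in
 * below are constructed, not read from hardware.
 */

/* BIOS_CNTL (PCI config offset 0xDC of the LPC/SPI controller) */
#define BIOS_CNTL_BIOSWE  (1u << 0)  /* BIOS Write Enable: writes to BIOS region allowed */
#define BIOS_CNTL_BLE     (1u << 1)  /* BIOS Lock Enable: setting BIOSWE raises an SMI */
#define BIOS_CNTL_SMM_BWP (1u << 5)  /* SMM BIOS Write Protect: writes only from SMM */

/* Protected Range registers PR0..PR4 (in SPIBAR): 4 KiB-granular range locks */
#define PR_WPE        (1u << 31)                                  /* Write Protection Enable */
#define PR_BASE(pr)   (((pr) & 0x1fffu) << 12)                    /* bits 12:0  = base  >> 12 */
#define PR_LIMIT(pr)  (((((pr) >> 16) & 0x1fffu) << 12) | 0xfffu) /* bits 28:16 = limit >> 12 */

typedef enum {
    WP_UNPROTECTED, /* ring-0 code can write the BIOS region, or can enable writes */
    WP_WEAK,        /* BLE only: relies on the firmware's SMI handler clearing BIOSWE */
    WP_PROTECTED    /* BLE + SMM_BWP: writes honoured only while in SMM */
} wp_state;

/* Verdict from BIOS_CNTL alone. */
wp_state bios_cntl_state(uint8_t bios_cntl)
{
    if (bios_cntl & BIOS_CNTL_BIOSWE)     return WP_UNPROTECTED; /* writable right now */
    if (!(bios_cntl & BIOS_CNTL_BLE))     return WP_UNPROTECTED; /* BIOSWE can simply be set */
    if (!(bios_cntl & BIOS_CNTL_SMM_BWP)) return WP_WEAK;
    return WP_PROTECTED;
}

/* True if every 4 KiB page of [base, limit] lies inside some PR range with WPE set. */
bool pr_region_protected(const uint32_t *pr, size_t npr, uint32_t base, uint32_t limit)
{
    for (uint32_t page = base & ~0xfffu; page <= limit; page += 0x1000u) {
        bool covered = false;
        for (size_t i = 0; i < npr; i++) {
            if (!(pr[i] & PR_WPE)) continue;
            if (page >= PR_BASE(pr[i]) && page <= PR_LIMIT(pr[i])) { covered = true; break; }
        }
        if (!covered) return false;
        if (page > UINT32_MAX - 0x1000u) break; /* last page: avoid address wrap */
    }
    return true;
}

/* The question TrickBoot asks of a host: can the BIOS region be written from the OS? */
bool bios_region_writable(uint8_t bios_cntl, const uint32_t *pr, size_t npr,
                          uint32_t base, uint32_t limit)
{
    return bios_cntl_state(bios_cntl) == WP_UNPROTECTED &&
           !pr_region_protected(pr, npr, base, limit);
}

int main(void)
{
    /* Constructed flash layout: BIOS region is the top 11 MiB of a 16 MiB part. */
    const uint32_t bios_base = 0x00500000u, bios_limit = 0x00FFFFFFu;

    const uint32_t no_pr[5]   = {0, 0, 0, 0, 0};
    const uint32_t full_pr[5] = {0x8FFF0500u, 0, 0, 0, 0}; /* WPE, covers 0x500000-0xFFFFFF */
    const uint32_t half_pr[5] = {0x87FF0500u, 0, 0, 0, 0}; /* WPE, covers 0x500000-0x7FFFFF only */

    printf("BIOS_CNTL=0x00, no PR  : writable=%d\n",
           bios_region_writable(0x00, no_pr, 5, bios_base, bios_limit));
    printf("BIOS_CNTL=0x22, no PR  : writable=%d\n",
           bios_region_writable(0x22, no_pr, 5, bios_base, bios_limit));
    printf("BIOS_CNTL=0x00, full PR: writable=%d\n",
           bios_region_writable(0x00, full_pr, 5, bios_base, bios_limit));
    printf("BIOS_CNTL=0x00, half PR: writable=%d\n",
           bios_region_writable(0x00, half_pr, 5, bios_base, bios_limit));
    return 0;
}
```

The same verdict on a live machine comes from running chipsec's `common.bios_wp` module; a "writable" result there means the firmware is exposed to any attacker with kernel access, whether or not TrickBot ever ships the write stage.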
“Adversaries leveraging TrickBot now have an automated means to know which of their latest victim hosts are vulnerable to UEFI vulnerabilities, much like they tooled up beginning in 2017 to leverage EternalBlue and EternalRomance vulnerabilities for worming capabilities. Security teams should take action immediately to mitigate this risk,” the researchers warned.