The malicious software known as TrickBot has morphed again, this time with a module that probes boot-process firmware for vulnerabilities, possibly setting the stage for attacks that could ultimately destroy devices, researchers say.
Two cybersecurity companies, Eclypsium and Advanced Intelligence (Advintel), dubbed the TrickBot add-on module “TrickBoot,” since it targets the UEFI/BIOS firmware. Firmware is permanent code programmed into a hardware device, while UEFI and BIOS are two kinds of specifications that manage a device’s start-up.
TrickBoot, then, is a “significant step in the evolution of TrickBot,” the researchers say, one that could make TrickBot especially pesky.
“Since firmware is stored on the motherboard as opposed to the system drives, these threats can provide attackers with ongoing persistence even if a system is re-imaged or a hard drive is replaced,” they wrote. “Equally impactful, if firmware is used to brick a device, the recovery scenarios are markedly different (and more difficult) than recovery from the traditional file-system encryption that a ransomware campaign like Ryuk, for example, would require.”
It’s also not TrickBot’s only recent evolution: the malware has gone to pains to conceal itself as it rebounds from separate attempts by U.S. Cyber Command and a Microsoft-led coalition to disrupt the TrickBot botnet before the 2020 election.
Both Microsoft and the National Security Agency have developed initiatives to protect firmware and boot processes, given the target they present to hackers who might exploit them to gain control of entire systems.
Researchers made the TrickBoot discovery in October on a machine in a honeypot network, a setup designed to imitate a real target, said Vitali Kremez, CEO of Advintel.
So far, researchers say they have seen TrickBoot performing reconnaissance in a bid to detect firmware vulnerabilities. But the code has a helper function for commands like read, write and erase, so its ability to “brick” a device is more than theoretical, said Jesse Michael, principal researcher at Eclypsium.
“They clearly have the functionality and knowledge of how to turn this into a more destructive attack, rather than just looking for victims who are vulnerable to this type of attack,” he said.
The researchers also offered a particularly dire warning.
“Given that the TrickBot group toolset has been used by some of the most notorious criminal, Russian, and North Korean actors to target healthcare, finance, telecoms, education, and critical infrastructure, we view this development as critically important to both enterprise risk and national security,” they wrote. “Adversaries leveraging TrickBot now have an automated means to know which of their latest victim hosts are vulnerable to UEFI vulnerabilities, much like they tooled up beginning in 2017 to leverage EternalBlue and EternalRomance vulnerabilities for worming capabilities.”