The operators of the TrickBot malware botnet have created a new module that allows them to interact with an infected computer's BIOS or UEFI firmware.
The security firms Advanced Intelligence and Eclypsium jointly published a report stating that the new capability was found in a new TrickBot module first seen in the wild at the end of October.
The module's features would allow TrickBot to establish a more persistent foothold on infected systems, one that could even survive OS reinstalls.
According to the security firms, the new module’s features could be used for more than just better persistence, such as:
Remotely bricking a device at the firmware level via a typical malware remote connection.
Bypassing security controls such as BitLocker, ELAM, Windows 10 Virtual Secure Mode, Credential Guard, and endpoint protection controls like A/V, EDR, etc.
Setting up a follow-on attack that targets Intel CSME vulnerabilities, some of which require SPI flash access.
Reversing ACM or microcode updates that patched CPU vulnerabilities such as Spectre and MDS.
However, so far the module only queries the SPI controller to check whether BIOS write protection is enabled; it has not been seen modifying the firmware itself. It nevertheless contains the code to read, write, and erase firmware, which suggests the malware developers plan to extend it.
This module could be used in ransomware attacks; the TrickBot gang is often involved in such attacks by renting access to its network of bots to ransomware crews.
If a company refuses to pay even after its network is encrypted, the botnet could then destroy its systems.
The module could also be used to prevent incident responders from finding crucial forensic evidence by crippling a system's ability to boot.
The addition of this feature to the TrickBot code marks the first time that UEFI/BIOS tampering capabilities have been seen in a common, financially motivated malware botnet.
The only previously known malware strains with the ability to tamper with UEFI or BIOS firmware were LoJax and MosaicRegressor, both developed by government-sponsored hacking groups: LoJax by Russian hackers and MosaicRegressor by Chinese hackers.
According to Eclypsium, the TrickBot gang did not develop the code from scratch. On analysis it was found that the gang had adapted publicly available code into a specialized module that it could install on infected systems via the first-stage TrickBot loader.
Eclypsium said that TrickBot uses the RwDrv.sys driver from the popular RWEverything tool to interact with the SPI controller and check whether the BIOS control register is unlocked, i.e. whether the contents of the BIOS region can be modified.
RWEverything (read-write everything) is a powerful tool that allows writing to the firmware on virtually any device component, including the SPI controller that governs the system UEFI/BIOS. An attacker can thus write malicious code to the system firmware, ensuring that it executes before the operating system while also remaining hidden outside of the system drives.
It is also important to note that TrickBot is slowly coming back to life with new, stronger features after a failed takedown attempt.
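The check the module performs is the same one a defender should run on their own fleet: whether the BIOS control register leaves the SPI flash BIOS region writable. The following is an added example, not code from the report or from TrickBot, that decodes the Intel PCH BIOS_CNTL register bits (BIOSWE, BLE, SMM_BWP) from a raw value and flags an unlocked configuration; the sample register values are constructed, and reading the live value requires privileged tooling such as CHIPSEC.

```python
# Added example (not from the report): decode the Intel PCH BIOS_CNTL register
# and report whether the SPI flash BIOS region is write-protected.
# Bit layout per Intel PCH datasheets (BIOS_CNTL, PCI config offset 0xDC):
#   bit 0  BIOSWE   BIOS Write Enable (1 = BIOS region writable from the OS)
#   bit 1  BLE      BIOS Lock Enable  (1 = setting BIOSWE raises an SMI)
#   bit 5  SMM_BWP  SMM BIOS Write Protect (1 = writes only from SMM)
# SPI protected-range registers (PR0-PR4) are a separate mechanism not covered here.
# Reading the live value needs privileged access (e.g. CHIPSEC's bios_wp module);
# the values used below are constructed for illustration.

from dataclasses import dataclass

BIOSWE = 1 << 0
BLE = 1 << 1
SMM_BWP = 1 << 5


@dataclass(frozen=True)
class BiosWriteProtection:
    bioswe: bool
    ble: bool
    smm_bwp: bool

    @property
    def protected(self) -> bool:
        # Protection holds only when BIOS writes are disabled, the lock is engaged
        # so the OS cannot simply flip BIOSWE, and SMM_BWP closes the window in
        # which BIOSWE can be set outside SMM before the SMI handler clears it.
        return (not self.bioswe) and self.ble and self.smm_bwp

    def findings(self) -> list[str]:
        out = []
        if self.bioswe:
            out.append("BIOSWE set: BIOS region is writable from the OS")
        if not self.ble:
            out.append("BLE clear: a kernel driver can set BIOSWE unchallenged")
        if not self.smm_bwp:
            out.append("SMM_BWP clear: BIOSWE can be set outside SMM (race window)")
        return out


def decode_bios_cntl(value: int) -> BiosWriteProtection:
    """Decode a raw BIOS_CNTL byte into its protection-relevant bits."""
    return BiosWriteProtection(
        bioswe=bool(value & BIOSWE),
        ble=bool(value & BLE),
        smm_bwp=bool(value & SMM_BWP),
    )


if __name__ == "__main__":
    # Constructed samples: a locked-down system and an unlocked one.
    for name, raw in (("locked", 0x2A), ("unlocked", 0x01)):
        wp = decode_bios_cntl(raw)
        print(name, "protected" if wp.protected else "AT RISK", wp.findings())
```

A system reported as "AT RISK" here is one on which a driver like RwDrv.sys could modify the BIOS region, so it is the condition to alert on and to fix in firmware setup or via a vendor BIOS update.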