One of the most aggressive threats on the internet has just gotten meaner as it can infect one of the most critical parts of a modern computer.
Trickbot is malware that is distinguished by its advanced features. The modular framework is characterized by gaining powerful administrative privileges, quickly spreading from computer to computer in networks, and performing reconnaissance that identifies infected computers that belong to high value targets. It often uses readily available software like Mimikatz or exploits like EternalBlue that have been stolen by the National Security Agency.
Once a simple banking fraud Trojan, Trickbot has grown into a full featured malware-as-a-service platform over the years. Trickbot operators sell access to their large numbers of infected computers to other criminals who use the botnet to distribute banking Trojans, ransomware, and a host of other malicious software. Instead of having to go to the trouble of seducing victims on their own, customers have a pre-built set of computers to run their crimeware on.
The first link in the safety chain
Now Trickbot has got a new power: the ability to change a computer's UEFI. UEFI stands for Unified Extensible Firmware Interface and is the software that connects the device firmware of a computer with the operating system. As the first software to run when virtually every modern machine is switched on, it is the first link in the safety chain. Since the UEFI is in a flash chip on the motherboard, infections are difficult to detect and remove.
According to research released Thursday, Trickbot has been updated to include a disguised driver for RWEverything, a standard tool that allows users to write firmware on virtually any device.
Currently, researchers have found that Trickbot only uses the tool to test whether an infected computer is protected from unauthorized changes to the UEFI. However, with a single line of code, the malware can be modified to infect or completely erase the critical firmware.
"This activity gives TrickBot operators the opportunity to take more active measures such as installing firmware implants and back doors or destroying (brick) a target device," said the jointly published article by security firms AdvIntel and Eclypsium on Thursday. "It is entirely possible that threat actors are already exploiting these vulnerabilities against high-value targets."
Rarely for the time being
To date, there have only been two documented cases of real world malware infecting the UEFI. The first, discovered two years ago by security vendor ESET, was carried out by Fancy Bear, one of the world's most advanced hacking groups and an arm of the Russian government. By repurposing a legitimate anti-theft tool called LoJack, the hackers were able to modify the UEFI firmware so that it was reported to Fancy Bear servers rather than LoJack servers.
The second batch of real-world UEFI infections was discovered just two months ago by the Moscow-based security firm Kaspersky Lab. Corporate researchers found the malicious firmware on two computers owned by diplomatic agents in Asia. The infections put a malicious file in a computer's startup folder so that it could run every time the computer started.
The flash chips on the motherboard on which the UEFI is stored have access control mechanisms that can be locked during the startup process in order to prevent unauthorized firmware changes. However, these protective functions are often deactivated, configured incorrectly or hindered by security gaps.
UEFI infections on a scale
At the moment, the researchers have seen Trickbot use the newly acquired UEFI write capabilities to test if the protection is in place. It is assumed that the malware operators compile a list of computers that are susceptible to such attacks. The operators could then sell access to these machines. Customers using ransomware can use the list to override the UEFI and render a large number of computers unbootable. Trickbot customers keen on spying could use the list to place hard-to-spot backdoors on PCs on high-quality networks.
Trickbot's adoption of UEFI code threatens to make such attacks mainstream. Instead of being dominated by advanced persistent threat groups, usually nation-state funded, access to UEFI-compromised computers could be leased to the same lower-ranking criminals that Trickbot is now using for other types of malware attacks.
"The difference is that TrickBot's modular automated approach, robust infrastructure, and fast mass-provisioning capabilities add a new level of scalability to this trend," write the researchers at AdvIntel and Eclypsium. "All parts are now suitable for destructive or espionage-oriented mass campaigns that can target entire industries or parts of the critical infrastructure."