New Trickbot variant can interfere with UEFI and BIOS

Researchers warn that threat actors could already be exploiting these flaws against high-value targets

Security researchers have discovered a variant of the Trickbot malware that can interact with a system’s BIOS or UEFI firmware, potentially bricking that device.

According to a new report by Advanced Intelligence (AdvIntel) and Eclypsium, the malware makes use of readily available tools to check devices for well-known vulnerabilities that can allow attackers to read, write, or erase the UEFI/BIOS firmware of a device. 

This 'TrickBoot' functionality was first discovered in the wild at the end of October and can enable hackers to carry out such measures as the installation of firmware implants and backdoors or the bricking of a targeted device. 

“It is quite possible that threat actors are already exploiting these vulnerabilities against high-value targets. Similar UEFI-focused threats have gone years before they have been detected. Indeed, this is precisely their value to attackers,” researchers said.

Researchers added that this development marks a significant step in the evolution of TrickBot, as firmware level threats carry unique strategic importance for attackers.

“By implanting malicious code in firmware, attackers can ensure their code is the first to run. Bootkits allow an attacker to control how the operating system is booted or even directly modify the OS to gain complete control over a system and subvert higher-layer security controls,” researchers said.

They said that as firmware remains on the motherboard, attackers can obtain ongoing persistence even if a system is re-imaged or a hard drive is replaced. The warned that if firmware is used to brick a device, the recovery scenarios are markedly different, and more difficult, than recovery from the traditional file-system encryption that a ransomware campaigns like Ryuk, for example, would require.

Researchers said that the addition of UEFI functionality marks “an important advance in this ongoing evolution by extending its focus beyond the operating system of the device to lower layers that are often not inspected by security products and researchers”.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Security best practices for PostgreSQL

Securing data with PostgreSQL

Download now

Transform your MSP business into a money-making machine

Benefits and challenges of a recurring revenue model

Download now

The care and feeding of cloud

How to support cloud infrastructure post-migration

Watch now

Recommended

Weakness in Mamba ransomware could help recover data
ransomware

Weakness in Mamba ransomware could help recover data

26 Mar 2021
Invoice ZLoader campaign hides within encrypted Excel docs
malware

Invoice ZLoader campaign hides within encrypted Excel docs

8 Mar 2021
MacBook users warned against EvilQuest ransomware
ransomware

MacBook users warned against EvilQuest ransomware

19 Feb 2021
Agent Tesla malware evades security controls to infect systems
malware

Agent Tesla malware evades security controls to infect systems

3 Feb 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Data belonging to 500 million LinkedIn users found for sale on hacker marketplace
hacking

Data belonging to 500 million LinkedIn users found for sale on hacker marketplace

8 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021