IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

New Trickbot variant can interfere with UEFI and BIOS

Researchers warn that threat actors could already be exploiting these flaws against high-value targets

Security researchers have discovered a variant of the Trickbot malware that can interact with a system’s BIOS or UEFI firmware, potentially bricking that device.

According to a new report by Advanced Intelligence (AdvIntel) and Eclypsium, the malware makes use of readily available tools to check devices for well-known vulnerabilities that can allow attackers to read, write, or erase the UEFI/BIOS firmware of a device. 

This 'TrickBoot' functionality was first discovered in the wild at the end of October and can enable hackers to carry out such measures as the installation of firmware implants and backdoors or the bricking of a targeted device. 

“It is quite possible that threat actors are already exploiting these vulnerabilities against high-value targets. Similar UEFI-focused threats have gone years before they have been detected. Indeed, this is precisely their value to attackers,” researchers said.

Researchers added that this development marks a significant step in the evolution of TrickBot, as firmware level threats carry unique strategic importance for attackers.

“By implanting malicious code in firmware, attackers can ensure their code is the first to run. Bootkits allow an attacker to control how the operating system is booted or even directly modify the OS to gain complete control over a system and subvert higher-layer security controls,” researchers said.

They said that as firmware remains on the motherboard, attackers can obtain ongoing persistence even if a system is re-imaged or a hard drive is replaced. The warned that if firmware is used to brick a device, the recovery scenarios are markedly different, and more difficult, than recovery from the traditional file-system encryption that a ransomware campaigns like Ryuk, for example, would require.

Researchers said that the addition of UEFI functionality marks “an important advance in this ongoing evolution by extending its focus beyond the operating system of the device to lower layers that are often not inspected by security products and researchers”.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

RATDispenser evades nine in ten anti-virus engines
Security

RATDispenser evades nine in ten anti-virus engines

24 Nov 2021
Hackers use Linux backdoor on compromised e-commerce sites with software skimmer
malware

Hackers use Linux backdoor on compromised e-commerce sites with software skimmer

19 Nov 2021
Out-of-hours ransomware attacks have a greater impact on revenue
ransomware

Out-of-hours ransomware attacks have a greater impact on revenue

18 Nov 2021
Millions of routers and NAS devices vulnerable to BotenaGo malware
malware

Millions of routers and NAS devices vulnerable to BotenaGo malware

12 Nov 2021

Most Popular

Actively exploited server backdoor remains undetected in most organisations' networks
cyber attacks

Actively exploited server backdoor remains undetected in most organisations' networks

1 Jul 2022
Macmillan Publishers hit by apparent cyber attack as systems are forced offline
Security

Macmillan Publishers hit by apparent cyber attack as systems are forced offline

30 Jun 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022