One of the Internet’s most aggressive threats has just gotten meaner, with the ability to infect one of the most critical parts of any modern-day computer.
Trickbot is a piece of malware that’s notable for its advanced capabilities. Its modular framework excels at gaining powerful administrator privileges, spreading rapidly from computer to computer in networks, and performing reconnaissance that identifies infected computers belonging to high-value targets. It often uses readily available software like Mimikatz or exploits like EternalBlue stolen from the National Security Agency.
Once a simple banking fraud trojan, Trickbot over the years has evolved into a full-featured malware-as-a-service platform. Trickbot operators sell access to their vast number of infected machines to other criminals, who use the botnet to spread bank trojans, ransomware, and a host of other malicious software. Rather than having to go through the hassle of ensnaring victims themselves, customers have a ready-made group of computers that will run their crimeware.
The first link in the security chain
Now, Trickbot has acquired a new power: the ability to modify a computer’s UEFI. Short for Unified Extensible Firmware Interface, UEFI is the software that bridges a computer’s device firmware with its operating system. As the first piece of software to run when virtually any modern machine is turned on, it’s the first link in the security chain. Because the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and remove.
According to research findings published on Thursday, Trickbot has been updated to incorporate an obfuscated driver for RWEverything, an off-the-shelf tool that people use to write firmware to virtually any device.
At the moment, researchers have detected Trickbot using the tool only to test whether an infected machine is protected against unauthorized changes to the UEFI. But with a single line of code, the malware could be modified to infect or completely erase the critical piece of firmware.
“This activity sets the stage for TrickBot operators to perform more active measures such as the installation of firmware implants and backdoors or the destruction (bricking) of a targeted device,” Thursday’s post jointly published by security firms AdvIntel and Eclypsium stated. “It is quite possible that threat actors are already exploiting these vulnerabilities against high-value targets.”
Rare for now
So far, there have been only two documented cases of real-world malware infecting the UEFI. The first one, discovered two years ago by security provider ESET, was done by Fancy Bear, one of the world’s most advanced hacker groups and an arm of the Russian government. By repurposing a legitimate antitheft tool known as LoJack, the hackers were able to modify UEFI firmware so that it reported to Fancy Bear servers rather than ones belonging to LoJack.
The second batch of real-world UEFI infections were uncovered only two months ago by Moscow-based security firm Kaspersky Lab. Company researchers found the malicious firmware on two computers, both of which belonged to diplomatic figures located in Asia. The infections planted a malicious file in a computer’s startup folder so it would run whenever the computer booted up.
The motherboard-resident flash chips that store the UEFI have access control mechanisms that can be locked during the boot process to prevent unauthorized firmware changes. Often, however, these protections are turned off, misconfigured, or hampered by vulnerabilities.
UEFI infections at scale
At the moment, the researchers have seen Trickbot using it’s newly acquired UEFI-writing capabilities to test if the protections are in place. The presumption is that the malware operators are compiling a list of machines that are vulnerable to such attacks. The operators could then sell access to those machines. Customers pushing ransomware could use the list to overwrite the UEFI to make large numbers of machines unbootable. Trickbot clients intent on espionage could use the list to plant hard-to-detect backdoors on PCs in high-value networks.
Trickbot’s embrace of UEFI-writing code threatens to make such attacks mainstream. Instead of being the dominion of advanced persistent threat groups that typically are funded by nation states, access to UEFI-vulnerable computers could be rented out to the same lower-echelon criminals who now use Trickbot for other types of malware attacks.
“The difference here is that TrickBot’s modular automated approach, robust infrastructure, and rapid mass-deployment capabilities bring a new level of scale to this trend,” AdvIntel and Eclypsium researchers wrote. “All pieces are now in place for mass-scale destructive or espionage-focused campaigns that can target entire verticals or portions of critical infrastructure.”