New Trickbot variant can interfere with UEFI and BIOS

A close up image of red computer code on a black screen with the word malware displayed in white
(Image credit: Shutterstock)

Security researchers have discovered a variant of the Trickbot malware that can interact with a system’s BIOS or UEFI firmware, potentially bricking that device.

According to a new report by Advanced Intelligence (AdvIntel) and Eclypsium, the malware makes use of readily available tools to check devices for well-known vulnerabilities that can allow attackers to read, write, or erase the UEFI/BIOS firmware of a device.

This 'TrickBoot' functionality was first discovered in the wild at the end of October and can enable hackers to carry out such measures as the installation of firmware implants and backdoors or the bricking of a targeted device.

“It is quite possible that threat actors are already exploiting these vulnerabilities against high-value targets. Similar UEFI-focused threats have gone years before they have been detected. Indeed, this is precisely their value to attackers,” researchers said.

Researchers added that this development marks a significant step in the evolution of TrickBot, as firmware level threats carry unique strategic importance for attackers.

“By implanting malicious code in firmware, attackers can ensure their code is the first to run. Bootkits allow an attacker to control how the operating system is booted or even directly modify the OS to gain complete control over a system and subvert higher-layer security controls,” researchers said.

They said that as firmware remains on the motherboard, attackers can obtain ongoing persistence even if a system is re-imaged or a hard drive is replaced. The warned that if firmware is used to brick a device, the recovery scenarios are markedly different, and more difficult, than recovery from the traditional file-system encryption that a ransomware campaigns like Ryuk, for example, would require.

Researchers said that the addition of UEFI functionality marks “an important advance in this ongoing evolution by extending its focus beyond the operating system of the device to lower layers that are often not inspected by security products and researchers”.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.