Security researchers have discovered a variant of the Trickbot malware that can interact with a system’s BIOS or UEFI firmware, potentially bricking that device.
According to a new report by Advanced Intelligence (AdvIntel) and Eclypsium, the malware makes use of readily available tools to check devices for well-known vulnerabilities that can allow attackers to read, write, or erase the UEFI/BIOS firmware of a device.
This 'TrickBoot' functionality was first discovered in the wild at the end of October and can enable hackers to carry out such measures as the installation of firmware implants and backdoors or the bricking of a targeted device.
“It is quite possible that threat actors are already exploiting these vulnerabilities against high-value targets. Similar UEFI-focused threats have gone years before they have been detected. Indeed, this is precisely their value to attackers,” researchers said.
Researchers added that this development marks a significant step in the evolution of TrickBot, as firmware level threats carry unique strategic importance for attackers.
“By implanting malicious code in firmware, attackers can ensure their code is the first to run. Bootkits allow an attacker to control how the operating system is booted or even directly modify the OS to gain complete control over a system and subvert higher-layer security controls,” researchers said.
They said that as firmware remains on the motherboard, attackers can obtain ongoing persistence even if a system is re-imaged or a hard drive is replaced. The warned that if firmware is used to brick a device, the recovery scenarios are markedly different, and more difficult, than recovery from the traditional file-system encryption that a ransomware campaigns like Ryuk, for example, would require.
Researchers said that the addition of UEFI functionality marks “an important advance in this ongoing evolution by extending its focus beyond the operating system of the device to lower layers that are often not inspected by security products and researchers”.
