New Trickbot variant can interfere with UEFI and BIOS

Researchers warn that threat actors could already be exploiting these flaws against high-value targets

Security researchers have discovered a variant of the Trickbot malware that can interact with a system’s BIOS or UEFI firmware, potentially bricking that device.

According to a new report by Advanced Intelligence (AdvIntel) and Eclypsium, the malware makes use of readily available tools to check devices for well-known vulnerabilities that can allow attackers to read, write, or erase the UEFI/BIOS firmware of a device. 

This 'TrickBoot' functionality was first discovered in the wild at the end of October and can enable hackers to carry out such measures as the installation of firmware implants and backdoors or the bricking of a targeted device. 

“It is quite possible that threat actors are already exploiting these vulnerabilities against high-value targets. Similar UEFI-focused threats have gone years before they have been detected. Indeed, this is precisely their value to attackers,” researchers said.

Researchers added that this development marks a significant step in the evolution of TrickBot, as firmware level threats carry unique strategic importance for attackers.

“By implanting malicious code in firmware, attackers can ensure their code is the first to run. Bootkits allow an attacker to control how the operating system is booted or even directly modify the OS to gain complete control over a system and subvert higher-layer security controls,” researchers said.

They said that as firmware remains on the motherboard, attackers can obtain ongoing persistence even if a system is re-imaged or a hard drive is replaced. The warned that if firmware is used to brick a device, the recovery scenarios are markedly different, and more difficult, than recovery from the traditional file-system encryption that a ransomware campaigns like Ryuk, for example, would require.

Researchers said that the addition of UEFI functionality marks “an important advance in this ongoing evolution by extending its focus beyond the operating system of the device to lower layers that are often not inspected by security products and researchers”.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Android malware vendor teams with marketer to promote new malware
malware

Android malware vendor teams with marketer to promote new malware

11 Jan 2021
Python-based malware steals Outlook files and browser credentials
malware

Python-based malware steals Outlook files and browser credentials

15 Dec 2020
Subway UK customers targeted by Trickbot hackers
hacking

Subway UK customers targeted by Trickbot hackers

14 Dec 2020
Power banks could infect your smartphone with malware
malware

Power banks could infect your smartphone with malware

9 Dec 2020

Most Popular

How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
What is the Raspberry Pi Pico?
Hardware

What is the Raspberry Pi Pico?

21 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021