Over the past two months, the criminal-controlled botnet known as TrickBot has become, by its actions, public enemy number one of the cybersecurity community. It has survived takedown attempts by Microsoft, by a coalition of security companies, and even by US Cyber Command. Now it appears that the hackers behind TrickBot are trying a new technique to burrow into the deepest recesses of infected machines, going beyond the operating system and into the firmware.
Security companies AdvIntel and Eclypsium today revealed that they have spotted a new component of the Trojan that the TrickBot hackers use to infect machines. The previously unseen module checks whether a victim’s computer is vulnerable in a way that would let the hackers plant a backdoor in the Unified Extensible Firmware Interface (UEFI), the low-level code responsible for loading a device’s operating system when it boots. Because UEFI lives in a flash chip on the motherboard rather than on the hard drive, malicious code planted there would let TrickBot escape most antivirus detection, software updates, and even a complete wipe and reinstallation of the operating system. It could also be used to “brick” target computers by corrupting their firmware to the point that the motherboard would have to be replaced.
The TrickBot operators’ use of this technique, which researchers call “TrickBoot”, makes the group one of the few, and the first not sponsored by a state, to have experimented in the wild with UEFI-targeted malware, says Vitali Kremez, a cybersecurity researcher at AdvIntel and the company’s CEO. TrickBoot also represents an insidious new tool in the hands of a brazen criminal group, one that has already used its presence inside organizations to plant ransomware and has teamed up with theft-focused North Korean hackers. “The group is looking for new ways to achieve very advanced persistence on systems, survive all software updates and get deep into the firmware,” says Kremez. If they do manage to compromise the firmware of a victim machine, Kremez adds, “the possibilities are endless, from destruction to taking control of the system.”
While TrickBoot checks for a vulnerable UEFI configuration, researchers have yet to observe the code that would actually compromise it. Kremez believes the hackers probably deliver a firmware-tampering payload only to certain vulnerable computers once they have been identified. “We think they hand-picked high value targets of interest,” he says.
The hackers behind TrickBot, generally thought to be based in Russia, have gained a reputation as some of the most dangerous hackers on the internet. Their botnet, which at its peak included more than a million infected machines, has been used to plant ransomware such as Ryuk and Conti in the networks of countless victims, including hospitals and medical research centers. The botnet was considered threatening enough that two separate operations attempted to disrupt it in October: One, led by a group of companies including Microsoft, ESET, Symantec and Lumen Technologies, used court orders to cut TrickBot’s connections to US-based command-and-control servers. Another, a concurrent US Cyber Command operation, essentially hacked the botnet, pushing new configuration files to compromised computers that were designed to cut them off from the TrickBot operators. It is not known how fully the hackers have rebuilt TrickBot, although they have added at least 30,000 victims to their collection since then, by compromising new computers or buying access from other hackers, according to the security company Hold Security.
AdvIntel’s Kremez discovered TrickBot’s new firmware-focused feature in a sample of the malware in late October, just after the two takedown attempts; TrickBot’s modular design lets it download new components to victims’ computers on the fly. He believes this could be part of an effort by the TrickBot operators to gain a foothold that survives on target machines despite the growing scrutiny their malware is receiving from the security industry. “Because the whole world is watching, they’ve lost a lot of bots,” Kremez says. “So their malware has to be stealthy, and that’s why we think they’ve focused on this module.”
After determining that the new code was aimed at tampering with firmware, Kremez shared the module with Eclypsium, which specializes in firmware and hardware security. Eclypsium’s analysts determined that the component does not itself modify a victim PC’s firmware; instead it checks for a common weakness in Intel-based UEFI systems. PC makers building on Intel platforms often fail to set certain write-protection bits in the platform’s SPI flash controller that are meant to block tampering with the firmware. Eclypsium estimates that the misconfiguration persists in tens of millions, if not hundreds of millions, of PCs. “They are able to look and identify, OK, that’s a target we’re going to be able to make this firmware-based attack on, more invasive or more persistent,” said Jesse Michael, a principal researcher at Eclypsium. “It seems valuable for this type of generalized campaign where their specific objectives may be ransomware, brick systems, the ability to persist in environments.”
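The check described above, whether the platform's SPI flash write-protection bits have been set, is the same test a defender can run with a firmware audit tool such as chipsec's `bios_wp` module. The following is an added example, not TrickBoot's code and not Eclypsium's: it decodes an Intel PCH BIOS_CNTL register value and the Protected Range (PR) registers and reports whether the BIOS region is writable. The bit positions (BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5 of BIOS_CNTL; WPE bit 31, limit bits 30:16, base bits 14:0 of each PRx) are taken from Intel PCH datasheets and are assumed to apply to the platform being audited; newer PCHs rename the same bits WPD, LE and EISS. The register values fed to it here are constructed sample inputs, since reading the real registers requires a kernel driver and PCI/MMIO access.

```c
#include <stdint.h>
#include <stdio.h>

/* BIOS_CNTL (BC) register bits, Intel PCH LPC/SPI controller (offset 0xDC).
 * Assumption: bit layout per Intel PCH datasheets; newer PCHs call these
 * WPD / LE / EISS but keep the same positions. */
#define BC_BIOSWE  (1u << 0)  /* BIOS Write Enable: 1 = flash writable now      */
#define BC_BLE     (1u << 1)  /* BIOS Lock Enable: 1 = setting BIOSWE raises SMI */
#define BC_SMM_BWP (1u << 5)  /* SMM BIOS Write Protect: 1 = writes only in SMM  */

/* Protected Range register (PR0..PR4 in the SPI BAR), 4 KiB granularity. */
#define PR_WPE         (1u << 31)                 /* Write Protection Enable */
#define PR_LIMIT(pr)   (((pr) >> 16) & 0x7FFFu)   /* top 4 KiB page of range */
#define PR_BASE(pr)    ((pr) & 0x7FFFu)           /* first 4 KiB page        */

enum wp_status { WP_UNLOCKED = 0, WP_WEAK = 1, WP_LOCKED = 2 };

/* Classify BIOS_CNTL alone. BLE without SMM_BWP is reported as WEAK because
 * it relies on an SMI handler to re-clear BIOSWE, which is a known race. */
enum wp_status classify_bios_cntl(uint8_t bc)
{
    if (bc & BC_BIOSWE)      return WP_UNLOCKED; /* writes allowed right now   */
    if (!(bc & BC_BLE))      return WP_UNLOCKED; /* nothing stops setting BIOSWE */
    if (!(bc & BC_SMM_BWP))  return WP_WEAK;     /* BLE only                   */
    return WP_LOCKED;
}

/* Does one PR register write-protect the whole flash range [start, end]? */
int pr_covers(uint32_t pr, uint32_t start, uint32_t end)
{
    if (!(pr & PR_WPE)) return 0;
    uint32_t base  = PR_BASE(pr) << 12;
    uint32_t limit = (PR_LIMIT(pr) << 12) | 0xFFFu;
    return start >= base && end <= limit;
}

/* Overall verdict for the BIOS region: BIOS_CNTL first, then the PR
 * registers as a fallback that blocks writes regardless of BIOS_CNTL. */
enum wp_status firmware_wp_status(uint8_t bc, const uint32_t *pr, int npr,
                                  uint32_t bios_start, uint32_t bios_end)
{
    enum wp_status s = classify_bios_cntl(bc);
    if (s == WP_LOCKED) return s;
    for (int i = 0; i < npr; i++)
        if (pr_covers(pr[i], bios_start, bios_end)) return WP_LOCKED;
    return s;
}

static const char *status_name(enum wp_status s)
{
    return s == WP_LOCKED ? "LOCKED" : s == WP_WEAK ? "WEAK" : "UNLOCKED";
}

int main(void)
{
    /* Constructed sample values: an 8 MiB flash whose upper half
     * (0x800000..0xFFFFFF) holds the BIOS region. */
    const uint32_t bios_start = 0x800000u, bios_end = 0xFFFFFFu;
    const uint32_t pr_none[5] = {0, 0, 0, 0, 0};
    /* WPE=1, limit page 0xFFF, base page 0x800 -> covers the BIOS region */
    const uint32_t pr_bios[5] = {0x8FFF0800u, 0, 0, 0, 0};

    printf("BC=0x08, no PR : %s\n", status_name(firmware_wp_status(0x08, pr_none, 5, bios_start, bios_end)));
    printf("BC=0x0A, no PR : %s\n", status_name(firmware_wp_status(0x0A, pr_none, 5, bios_start, bios_end)));
    printf("BC=0x2A, no PR : %s\n", status_name(firmware_wp_status(0x2A, pr_none, 5, bios_start, bios_end)));
    printf("BC=0x08, PR set: %s\n", status_name(firmware_wp_status(0x08, pr_bios, 5, bios_start, bios_end)));
    return 0;
}
```

A machine that reports UNLOCKED or WEAK here is exactly the kind of target the article says the TrickBoot module is looking for; the fix is a vendor firmware update that sets BLE and SMM_BWP (or covers the BIOS region with a PR register), not anything a user can toggle from the operating system.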