Notorious TrickBot Malware Strikes Back With New Tactic

TrickBot malware is morphing. Yet again.

In recent months, it's survived multiple takedown attempts by a Microsoft-led coalition and the US Cyber Command.

Now the hackers behind TrickBot are trying a new technique to infect the deepest recesses of infected machines, reaching beyond their operating systems and into their firmware.

According to joint research by security firms AdvIntel and Eclypsium, the new TrickBot module, dubbed TrickBoot, checks victim computers for vulnerabilities that would let the hackers plant a backdoor in the Unified Extensible Firmware Interface (UEFI), the firmware responsible for loading a device's operating system when it boots up.

Because the UEFI firmware sits on a chip on the computer's motherboard, outside of its hard drive, malicious code planted in that region could survive most antivirus detection, software updates, and even a total wipe and reinstallation of the computer's operating system.

Worse, it could be used to "brick" target computers, corrupting their firmware to the degree that the motherboard would need to be replaced.

Prior to TrickBoot, the only malware strains known to have the ability to meddle with UEFI or BIOS firmware were LoJax (deployed by Russia's Fancy Bear team) and MosaicRegressor.

So far, the new module's capabilities are limited to checking for a vulnerable UEFI, using RWEverything to probe whether the firmware's write protections are enabled; it has not been seen altering or meddling with the firmware itself.

RWEverything (read-write everything) is an open-source tool that can read from or write to the firmware on any device, which would allow an attacker to write malicious code and maintain persistence.
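The write-protection probe described above is the same question a defender should be asking of their own fleet: are the Intel PCH flash write-protection bits actually set? The following is an added example, not code from the article or from the researchers, that models the audit a firmware-hygiene tool such as CHIPSEC performs. It decodes the BIOS_CNTL register (bit 0 BIOSWE, bit 1 BLE, bit 5 SMM_BWP, per Intel PCH datasheets) and the SPI Protected Range (PRx) registers, and reports whether the BIOS region is write-protected. The register values and the BIOS-region bounds are constructed samples, not read from hardware; reading the real registers requires a privileged tool and offsets that vary by PCH generation, which this example deliberately leaves out.

```python
"""Defensive audit of Intel PCH firmware write-protection settings.

Added example (not from the article or the researchers' code). The bit layout
follows Intel PCH datasheets; all register values used here are constructed
samples, not read from hardware.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class BiosCntl:
    """Decoded BIOS_CNTL register."""
    bioswe: bool   # bit 0, BIOS Write Enable: 1 = flash writes currently allowed
    ble: bool      # bit 1, BIOS Lock Enable: 1 = setting BIOSWE triggers an SMI
    smm_bwp: bool  # bit 5, SMM BIOS Write Protect: 1 = writes allowed only from SMM

    @classmethod
    def decode(cls, value: int) -> "BiosCntl":
        return cls(
            bioswe=bool(value & 0x01),
            ble=bool(value & 0x02),
            smm_bwp=bool(value & 0x20),
        )


@dataclass
class ProtectedRange:
    """Decoded SPI Protected Range register (PR0..PR4)."""
    base: int            # bits 14:0, 4 KiB units -> byte address
    limit: int           # bits 30:16, 4 KiB units -> last protected byte
    read_protect: bool   # bit 15, RPE
    write_protect: bool  # bit 31, WPE

    @classmethod
    def decode(cls, value: int) -> "ProtectedRange":
        prb = value & 0x7FFF
        prl = (value >> 16) & 0x7FFF
        return cls(
            base=prb << 12,
            limit=(prl << 12) | 0xFFF,
            read_protect=bool((value >> 15) & 1),
            write_protect=bool((value >> 31) & 1),
        )

    def write_protects(self, start: int, end: int) -> bool:
        """True if this range write-protects every byte of [start, end]."""
        return self.write_protect and self.base <= start and self.limit >= end


def assess(bios_cntl_value: int, pr_values: List[int],
           bios_region: Tuple[int, int]) -> Tuple[str, List[str]]:
    """Return ("PASS" | "WARNING" | "FAIL", findings) for the given register values.

    Verdict logic mirrors the usual firmware-audit reasoning: a PRx register that
    write-protects the whole BIOS region is sufficient on its own; otherwise
    BIOS_CNTL must have BIOSWE clear, BLE set and SMM_BWP set.
    """
    cntl = BiosCntl.decode(bios_cntl_value)
    ranges = [ProtectedRange.decode(v) for v in pr_values]
    start, end = bios_region
    findings: List[str] = []

    pr_covered = any(r.write_protects(start, end) for r in ranges)
    if pr_covered:
        findings.append("SPI protected range write-protects the whole BIOS region")
    if cntl.bioswe:
        findings.append("BIOSWE=1: flash writes are currently enabled")
    if not cntl.ble:
        findings.append("BLE=0: BIOSWE can be set from the OS without a lock SMI")
    elif not cntl.smm_bwp:
        findings.append("BLE=1 but SMM_BWP=0: BIOS_CNTL lock is not confined to SMM")

    if pr_covered:
        status = "PASS"
    elif cntl.bioswe or not cntl.ble:
        status = "FAIL"
    elif not cntl.smm_bwp:
        status = "WARNING"
    else:
        status = "PASS"
    return status, findings


# Constructed sample: BIOS region occupies the top 8 MiB of a 16 MiB flash.
SAMPLE_BIOS_REGION = (0x00800000, 0x00FFFFFF)
# Constructed PR0 value: WPE=1, base 0x800000, limit 0xFFFFFF.
SAMPLE_PR0_COVERING = 0x8FFF0800

if __name__ == "__main__":
    for label, cntl, prs in [
        ("locked to SMM", 0x2A, []),
        ("lock not confined to SMM", 0x0A, []),
        ("no lock at all", 0x08, []),
        ("no lock, but PR0 covers BIOS", 0x08, [SAMPLE_PR0_COVERING]),
    ]:
        status, notes = assess(cntl, prs, SAMPLE_BIOS_REGION)
        print(f"{label:32s} BIOS_CNTL=0x{cntl:02X} -> {status}: {'; '.join(notes) or 'ok'}")
```

On a real system the same decode would be applied to values read by a privileged audit tool; the point of the verdict logic is that BLE alone is not a sufficient lock, and that a protected range covering the BIOS region is the stronger control to verify.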

"However, the malware already contains code to read, write, and erase firmware," the researchers said. "These primitives could be used to insert code to maintain persistence [and] erase the BIOS region to completely disable the device as part of a destructive attack or ransomware campaign."

"The possibilities are almost limitless," the researchers added.

TrickBot emerged in 2016 as a banking trojan but has since evolved into a multi-purpose malware-as-a-service (MaaS) that infects systems with other malicious payloads designed to steal credentials, email, financial data, and spread file-encrypting ransomware such as Conti and Ryuk.

To date, the botnet has infected more than a million computers, according to Microsoft and its partners at Symantec, ESET, FS-ISAC, and Lumen.
