One of the internet’s most aggressive threats could include UEFI malware

One of the internet’s most aggressive threats has just gotten nastier, with the ability to infect one of the most critical parts of any modern computer.

Trickbot is malware that stands out for its advanced capabilities. Its modular framework excels at gaining powerful administrator privileges, spreading quickly from computer to computer across networks, and performing discoveries that identify infected computers belonging to high-value targets. It often uses readily available software like Mimikatz or exploits like EternalBlue stolen from the National Security Agency.

Once a simple bank fraud Trojan horse, Trickbot has evolved over the years into a comprehensive malware-as-a-service platform. Trickbot operators sell access to their large number of infected machines to other criminals, who use the botnet to spread banking Trojans, ransomware and a host of other malware. Rather than having to go through the hassles of tricky victims themselves, customers have a bunch of ready-made computers that will run their criminal software.

The first link in the safety chain

Now Trickbot has gained a new power: the ability to modify the UEFI of a computer. Short for Unified Extensible Firmware Interface, UEFI is the software that connects a computer’s firmware to its operating system. As the first software to run when virtually any modern machine is on, it is the first link in the safety chain. Since UEFI resides in a flash chip on the motherboard, infections are difficult to detect and remove.

According to research results released Thursday, Trickbot has been updated to incorporate an obscured driver for RWEverything, a standard tool people use to write firmware to virtually any device.

For now, researchers have detected Trickbot using the tool only to test whether an infected machine is protected against unauthorized modifications by UEFI. But with just one line of code, the malware could be modified to infect or completely erase the critical part of the firmware.

“This activity sets the stage for TrickBot operators to perform more active measures such as installing firmware implants and backdoors or destroying (brick) a targeted device,” the article said Thursday. jointly published by security companies AdvIntel and Eclypsium. “It’s quite possible that threat actors are already exploiting these vulnerabilities against high-value targets.”

Rare for now

So far, there have only been two documented cases of real-world malware infecting UEFI. The first, discovered two years ago by security provider ESET, was made by Fancy Bear, one of the world’s most advanced hacker groups and an arm of the Russian government. By reusing a legitimate anti-theft tool known as LoJack, hackers were able to modify UEFI firmware to be reported to Fancy Bear servers rather than those owned by LoJack.

The second batch of real-world UEFI infections were discovered just two months ago by Moscow-based security company Kaspersky Lab. Company researchers found the malicious firmware on two computers, both of which belonged to diplomatic figures in Asia. The infections implanted a malicious file in a computer’s startup folder so that it runs every time the computer is started.

The motherboard resident flash chips that store UEFI have access control mechanisms that can be locked down during the boot process to prevent unauthorized firmware changes. Often, however, these protections are disabled, misconfigured, or hampered by vulnerabilities.

Large scale UEFI infections

For now, researchers have seen Trickbot use its newly acquired UEFI write capabilities to test if the protections are in place. The presumption is that malware operators compile a list of machines vulnerable to such attacks. Operators could then sell access to these machines. Customers pushing ransomware could use the list to overwrite UEFI to make a large number of machines unbootable. Trickbot customers eager to spy could use the list to install hard-to-detect backdoors on high-value network PCs.

The adoption by Trickbot of the UEFI write code threatens to generalize these attacks. Instead of being the dominance of advanced persistent threat groups that are typically funded by nation states, access to vulnerable computers at UEFI could be leased to the same lower-level criminals who now use Trickbot for others. types of malware attacks.

“The difference here is that TrickBot’s modular automated approach, robust infrastructure, and rapid mass deployment capabilities bring this trend to a new level of scale,” the researchers from AdvIntel and Eclypsium wrote. “All the elements are now in place for large-scale destructive or espionage-oriented campaigns that can target entire verticals or portions of critical infrastructure.”