[ad_1]
In just the Over the past two months, the cybercriminal controlled botnet known as TrickBot has become, by action, the number one public enemy of the cybersecurity community. He survived the pullout attempts by Microsoft, a super-group of security companies and even US Cyber Command. It now appears that the hackers behind TrickBot are trying a new technique to infect the deepest recesses of infected machines, going beyond their operating systems and into their firmware.
Security companies AdvIntel and Eclypsium today revealed that they have spotted a new component of the Trojan that TrickBot hackers use to infect machines. The previously undiscovered module checks for vulnerabilities in victimized computers that would allow hackers to plant a backdoor in deep code known as the Unified Extensible Firmware Interface, which is responsible for loading a device’s operating system during its start. Because UEFI sits on a chip on the computer’s motherboard outside of its hard drive, planting malicious code there would allow TrickBot to evade most virus detections, software updates, or even a full erase and reinstallation of the computer operating system. It could also be used to “brick” target computers, corrupting their firmware to the extent that the motherboard would need to be replaced.
The use of this technique by TrickBot operators, which researchers refer to as “TrickBoot”, makes the hacker group one of the few – and the first non-state sponsored – to have experimented with the nature with UEFI-targeted malware, says Vitali Kremez, cybersecurity researcher for AdvIntel and CEO of the company. But TrickBoot also represents an insidious new tool in the hands of a brazen group of criminals – one that has previously used its roots in organizations to plant ransomware and partnered with North Korean hackers focused on the flight. “The group is looking for new ways to achieve very advanced persistence on systems, survive all software updates and get into the heart of the firmware,” says Kremez. If they do manage to penetrate the firmware of a victim machine, Kremez adds, “the possibilities are endless, from destruction to taking control of the system.”
While TrickBoot searches for a vulnerable UEFI, researchers have yet to observe the actual code that would compromise it. Kremez believes that hackers probably only download a firmware hacking payload to certain vulnerable computers once they are identified. “We think they hand-picked high value targets of interest,” he says.
The hackers behind TrickBot, generally thought to be based in Russia, have gained a reputation as some of the most dangerous hackers on the internet. Their botnet, which at its peak included more than a million slave machines, has been used to implant ransomware like Ryuk and Conti into the networks of countless victims, including hospitals and medical research centers. The botnet was seen as threatening enough that two separate operations attempted to disrupt it in October: one, led by a group of companies including Microsoft, ESET, Symantec and Lumen Technologies, sought to use court orders to cut TrickBot’s connections to the United States. command and control servers based on. Another concurrent US Cyber Command operation essentially hacked the botnet, sending new configuration files to its compromised computers designed to cut them off from TrickBot operators. It is not known to what extent the hackers rebuilt TrickBot, although they have added at least 30,000 victims to their collection since then by compromising new computers or buying access from other hackers, according to the security company. Hold Security.
AdvIntel’s Kremez discovered TrickBot’s new firmware-focused feature – whose modular design allows it to download new components on the fly to victims’ computers – in a sample of the malware in late October, just after the two attempts withdrawal. He believes this could be part of an attempt by TrickBot operators to gain a foothold that can survive on target machines despite the growing notoriety of their malware in the security industry. “Because the whole world is watching, they lost a lot of robots,” says Kremez. “So their malware has to be stealthy, and that’s why we think they’ve focused on this mod.”
After determining that the new code was aimed at firmware interference, Kremez shared the module with Eclypsium, which specializes in firmware and microarchitecture security. Eclypsium analysts determined that the new component found by Kremez did not actually modify the firmware of a victim PC itself, but rather looked for a common vulnerability in Intel UEFIs. PC makers that implement Intel’s UEFI firmware often do not set certain bits of this code designed to prevent tampering. Eclypsium estimates that the configuration problem persists in tens of millions, if not hundreds of millions of PCs. “They are able to look and identify, OK, that’s a target we’re going to be able to make this firmware-based attack on more invasive or more persistent,” said Jesse Michaels, principal investigator at Eclypsium. “It seems valuable for this type of generalized campaign where their specific objectives may be ransomware, brick systems, the ability to persist in environments.”
[ad_2]
Source link