
TrickBot Malware causes the UEFI / BIOS Bootkit feature to remain undetected



Trickbot UEFI BIOS Bootkit Malware

TrickBot, one of the most notorious and adaptable malware botnets in the world, is expanding its toolkit to focus on firmware vulnerabilities to potentially deploy bootkits and take full control of an infected system.

The new functionality, called “TrickBoot” by Advanced Intelligence (AdvIntel) and Eclypsium, uses readily available tools to check devices for known vulnerabilities that could allow attackers to inject malicious code into the UEFI / BIOS firmware of a device, giving attackers an effective mechanism for persistent malware storage.

“This marks an important step in the development of TrickBot, as UEFI-level implants are the deepest, most powerful and insidious form of bootkits,” the researchers said.

“By adding the ability to inspect victim devices for specific UEFI / BIOS firmware vulnerabilities, TrickBot actors are able to target specific victims with firmware-level persistence or even device bricking.”

UEFI is a firmware interface that replaces the legacy BIOS and adds security features intended to ensure that no malicious software has tampered with the boot process. Because UEFI firmware runs before, and is responsible for loading, the operating system itself, an infection at this level survives OS reinstallation and even hard drive replacement.


TrickBot appeared in 2016 as a banking trojan but has since evolved into a multi-purpose malware-as-a-service (MaaS) platform that infects systems with other malicious payloads designed to steal credentials, email and financial data, and to spread file-encrypting ransomware such as Conti and Ryuk.

Its modularity and versatility have made it an ideal tool for a diverse set of threat actors despite security vendors’ attempts to take its infrastructure down. It has also been observed alongside Emotet campaigns distributing Ryuk ransomware.


“Their most common attack chain begins largely via Emotet template spam campaigns, which then load TrickBot and/or other loaders, and move to attack tools such as PowerShell Empire or Cobalt Strike to achieve objectives in relation to the victim organization being attacked,” said the researchers. “Often, at the end of the kill chain, either Conti or Ryuk ransomware is distributed.”

To date, the botnet has infected more than one million computers, according to Microsoft and its partners at Symantec, ESET, FS-ISAC and Lumen.

From a reconnaissance module to an attack function

The latest addition to its arsenal suggests that TrickBot can not only be used to target systems en masse with ransomware and UEFI attacks, but also gives criminals even more leverage during ransom negotiations by leaving a hidden UEFI bootkit on the system for later use.

The development is also another sign that adversaries are expanding their focus beyond a device’s operating system to lower layers in order to evade detection and conduct destructive or espionage-focused campaigns.

TrickBot’s reconnaissance component, first observed in October 2020 right after the takedown attempts organized by US Cyber Command and Microsoft, targets Intel-based systems from Skylake through the Comet Lake chipset, probing the UEFI firmware of infected machines for vulnerabilities.

In particular, the researchers found that TrickBoot targets the SPI flash chip that houses the UEFI / BIOS firmware, using an obfuscated copy of the RWEverything tool’s RwDrv.sys driver to check whether the BIOS control register is unlocked and the contents of the BIOS region can be modified.

Although the activity observed so far is limited to reconnaissance, it would not be a stretch to see this capability extended to writing malicious code to the system firmware, ensuring that attacker code runs before the operating system and paving the way for the installation of backdoors, or even the destruction of a targeted device.

In addition, given the size and scope of TrickBot, an attack of this type can have serious consequences.

“TrickBoot is just a line of code away from being able to brick any device it thinks is vulnerable,” the researchers noted. “The national security implications arising from a comprehensive malicious campaign capable of bricking devices are enormous.”

With UEFI persistence, “TrickBot operators can disable any OS-level security controls they want, which then allows them to transfer to a modified OS with neutered endpoint protection and carry out their objectives unhindered, on their own schedule.”

To reduce such threats, it is recommended that firmware be kept up to date, that BIOS write protection be enabled, and that firmware integrity be verified to detect unauthorized changes.
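As an added defensive example, not code from the article or from the AdvIntel/Eclypsium research, the script below decodes a value of Intel's BIOS_CNTL register (the "BIOS control register" the article says TrickBoot inspects) and classifies whether the write-protection bits documented in Intel PCH datasheets (BIOSWE, BLE and SMM_BWP) are in a locked configuration; it also shows the firmware-integrity recommendation above as a SHA-256 comparison against a known-good baseline. The register values, the firmware bytes and the baseline hash are constructed sample inputs; reading the real register and dumping the real SPI image requires a firmware-security tool such as CHIPSEC, which is assumed and not shown here.

```python
"""Decode Intel BIOS_CNTL write-protection bits and verify a firmware image hash.

Added defensive example; register values and firmware bytes below are constructed.
Bit positions follow the Intel PCH datasheet definition of BIOS_CNTL.
"""
import hashlib
from dataclasses import dataclass

BIOSWE = 1 << 0    # BIOS Write Enable: 1 = BIOS region writable from the host
BLE = 1 << 1       # BIOS Lock Enable: 1 = setting BIOSWE raises an SMI so firmware can re-clear it
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: 1 = writes allowed only while all cores are in SMM


@dataclass(frozen=True)
class BiosCntlStatus:
    raw: int
    bioswe: bool
    ble: bool
    smm_bwp: bool

    @property
    def verdict(self) -> str:
        """Classify the configuration the way a firmware-hardening check would."""
        if self.bioswe:
            # Writes are enabled right now: the BIOS region can be modified from the OS.
            return "unlocked"
        if self.ble and self.smm_bwp:
            # BIOSWE clear, lock enabled and writes confined to SMM: the strong configuration.
            return "protected"
        if self.ble:
            # BLE alone depends on the SMI handler clearing BIOSWE in time; weaker configuration.
            return "partially protected"
        return "unlocked"


def decode_bios_cntl(value: int) -> BiosCntlStatus:
    """Decode an 8-bit BIOS_CNTL register value into its write-protection flags."""
    if not 0 <= value <= 0xFF:
        raise ValueError("BIOS_CNTL is an 8-bit register")
    return BiosCntlStatus(
        raw=value,
        bioswe=bool(value & BIOSWE),
        ble=bool(value & BLE),
        smm_bwp=bool(value & SMM_BWP),
    )


def verify_firmware_image(image: bytes, expected_sha256: str) -> bool:
    """Compare a dumped firmware image against a known-good SHA-256 baseline."""
    return hashlib.sha256(image).hexdigest() == expected_sha256.lower()


# Constructed sample inputs (not real register readings or real firmware).
SAMPLE_LOCKED = 0x22        # BLE and SMM_BWP set, BIOSWE clear
SAMPLE_UNLOCKED = 0x01      # BIOSWE set: BIOS region writable from the OS
SAMPLE_FAKE_IMAGE = b"constructed firmware image bytes"
SAMPLE_BASELINE = hashlib.sha256(SAMPLE_FAKE_IMAGE).hexdigest()  # stands in for a vendor baseline


if __name__ == "__main__":
    for name, value in (("locked", SAMPLE_LOCKED), ("unlocked", SAMPLE_UNLOCKED)):
        status = decode_bios_cntl(value)
        print(f"{name}: BIOS_CNTL=0x{value:02x} -> {status.verdict}")
    print("baseline match:", verify_firmware_image(SAMPLE_FAKE_IMAGE, SAMPLE_BASELINE))
    print("tampered match:", verify_firmware_image(SAMPLE_FAKE_IMAGE + b"\x00", SAMPLE_BASELINE))
```

A "partially protected" verdict is worth treating as a finding in its own right: BLE without SMM_BWP relies on an SMI handler racing to clear BIOSWE, which is exactly the kind of configuration a reconnaissance module would flag as changeable. A real baseline hash should come from the vendor image or from a dump taken when the device was known to be clean, and SPI protected-range registers (not decoded here) can lock the BIOS region independently of BIOS_CNTL.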



