New TrickBot version

The operators of the TrickBot malware botnet have added a new capability that can allow them to interact with an infected computer’s BIOS or UEFI firmware.

The new capability was spotted inside a new TrickBot module, first seen in the wild at the end of October, security firms Advanced Intelligence (AdvIntel) and Eclypsium said in a joint report published today.

The new module has security researchers worried as its features would allow the TrickBot malware to establish more persistent footholds on infected systems, footholds that could allow the malware to survive OS reinstalls.

In addition, AdvIntel and Eclypsium say the new module’s features could be used for more than just better persistence, such as:

Remotely bricking a device at the firmware level via a typical malware remote connection.

Bypassing security controls such as BitLocker, ELAM, Windows 10 Virtual Secure Mode, Credential Guard, endpoint protection controls like A/V, EDR, etc.

Setting up a follow-on attack that targets Intel CSME vulnerabilities, some of which require SPI flash access.

Reversing ACM or microcode updates that patched CPU vulnerabilities like Spectre, MDS, etc.

But the good news is that “thus far, the TrickBot module is only checking the SPI controller to check if BIOS write protection is enabled or not, and has not been seen modifying the firmware itself,” according to AdvIntel and Eclypsium.

“However, the malware already contains code to read, write, and erase firmware,” the two companies added.

Researchers say that even if the feature has not been deployed to its full extent just yet, the fact that the code is present inside TrickBot suggests its creators plan to use it in certain scenarios.
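The one thing the module has been observed doing so far is reading the SPI controller's BIOS write-protection state. The same check is useful to a defender auditing a fleet, so here is an added example (not code from the article, AdvIntel or Eclypsium) that decodes the Intel PCH BIOS_CNTL register into a protection verdict. It assumes the classic LPC-bridge register layout (PCI 00:1f.0, offset 0xDC, bits BIOSWE/BLE/SMM_BWP); the `setpci` reader is optional and falls back to a constructed sample value.

```python
# Added example, not from the article: decode the Intel PCH BIOS_CNTL register to report
# whether the SPI flash BIOS region is write-protected, the state the TrickBot module checks.
# Assumes the LPC bridge layout (PCI 00:1f.0, offset 0xDC; BIOSWE=bit0, BLE=bit1, SMM_BWP=bit5).
import shutil
import subprocess
from dataclasses import dataclass

BIOSWE = 1 << 0   # BIOS Write Enable: 1 = BIOS region writable from the OS
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE raises an SMI so firmware can veto it
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes allowed only while executing in SMM

@dataclass
class BiosWriteProtection:
    bioswe: bool
    ble: bool
    smm_bwp: bool

    @property
    def protected(self) -> bool:
        # Writes disabled, locked against re-enabling, and gated behind SMM; BLE alone is not enough.
        return (not self.bioswe) and self.ble and self.smm_bwp

    def findings(self) -> list:
        out = []
        if self.bioswe:
            out.append("BIOSWE set: BIOS region writable from the OS")
        if not self.ble:
            out.append("BLE clear: BIOSWE can be re-enabled without an SMI")
        if not self.smm_bwp:
            out.append("SMM_BWP clear: writes are not restricted to SMM")
        return out

def decode_bios_cntl(value: int) -> BiosWriteProtection:
    return BiosWriteProtection(bool(value & BIOSWE), bool(value & BLE), bool(value & SMM_BWP))

def read_bios_cntl_linux():
    """Read BIOS_CNTL via setpci (needs root); None if the tool or access is unavailable."""
    if shutil.which("setpci") is None:
        return None
    try:
        raw = subprocess.check_output(["setpci", "-s", "00:1f.0", "dc.b"], text=True)
        return int(raw.strip(), 16)
    except (subprocess.CalledProcessError, ValueError, OSError):
        return None

if __name__ == "__main__":
    live = read_bios_cntl_linux()
    value = 0x22 if live is None else live  # 0x22 is a constructed sample: BLE and SMM_BWP set
    wp = decode_bios_cntl(value)
    print(f"BIOS_CNTL=0x{value:02x} protected={wp.protected} findings={wp.findings()}")
```

On newer PCHs the register lives in the SPI controller rather than the LPC bridge, so confirm the offset against the platform datasheet before trusting a reading; a protected verdict also says nothing about the separate Protected Range registers.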

By Catalin Cimpanu | December 3, 2020

Read the entire article on ZDNet.
