TrickBot gets new UEFI attack capability that makes recovery incredibly hard



Researchers have seen a worrying development recently in TrickBot, a botnet that serves as an access gateway into enterprise networks for sophisticated ransomware and other cybercriminal groups. A new module enables the malware to scan for vulnerable UEFI configurations on infected systems and could enable attackers to brick systems or deploy low-level backdoors that are incredibly hard to remove.

“This marks a significant step in the evolution of TrickBot,” the researchers from security firms Eclypsium and Advanced Intelligence (AdvIntel) said in a new report released today. “UEFI level implants are the deepest, most powerful, and stealthy form of bootkits. Since firmware is stored on the motherboard as opposed to the system drives, these threats can provide attackers with ongoing persistence even if a system is re-imaged or a hard drive is replaced. Equally impactful, if firmware is used to brick a device, the recovery scenarios are markedly different (and more difficult) than recovery from the traditional file-system encryption that a ransomware campaign like Ryuk, for example, would require.”

What is TrickBot?

TrickBot is a malware threat that started out as a Trojan program focused on online banking fraud and credential theft and evolved into an extensible crimeware platform with a long list of capabilities that includes RDP scanning, lateral movement through SMB vulnerabilities, VNC-based remote access and more.

TrickBot’s operators, a group known in the security industry as The Trick or Overdose, use the Trojan to provide access into infected corporate networks to other threat actors, including those operating the Ryuk ransomware. TrickBot has also been used to distribute backdoors associated with Lazarus group, North Korea’s state-run hacking team, and researchers suspect the TrickBot operators are increasingly catering to APT groups and high-profile cybercrime gangs.

In October, Microsoft, together with several other companies, launched a coordinated effort to disrupt TrickBot’s command-and-control infrastructure. While that action has seen considerable success, the botnet is still alive and the hackers are fighting to regain control; new campaigns distributing the malware were observed last month.

The UEFI module

Researchers from AdvIntel observed a new TrickBot module, called PermaDll32, being delivered to victims in October. The name caught their attention because it sounded derived from the word “permanent”, suggesting some sort of persistence mechanism. Analysis of the module revealed that it was designed to read information from the BIOS or UEFI firmware of infected computers. This is the low-level code stored in the SPI flash memory chip on a computer’s motherboard; it is responsible for initializing the hardware during the boot process and handing control over to the operating system.
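Whether the firmware on the SPI flash can be overwritten from the operating system is exactly the configuration question a defender wants answered before a module like this asks it for the attacker. The script below is an added example written for this article; it is not code from the Eclypsium/AdvIntel report or from TrickBot. It decodes a BIOS_CNTL-style register value using the bit layout Intel documents for its PCH chipsets (BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5) and a set of SPI Protected Range descriptors, and reports whether the BIOS region is write-protected. Every register value and address range in it is constructed for illustration; reading the real values from a live machine requires a firmware-inspection tool such as CHIPSEC (`chipsec_main -m common.bios_wp`), which is outside what is shown here.

```python
"""Decode firmware write-protection state from register values.

Added example for this article (not from the report or the malware). The
BIOS_CNTL bit positions follow the published Intel PCH layout; the sample
register values and flash address ranges below are constructed, not taken
from any real system.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# BIOS_CNTL bits (Intel PCH layout)
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = OS-level flash writes allowed
BLE = 1 << 1       # BIOS Lock Enable: 1 = setting BIOSWE triggers an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: 1 = writes only from SMM


@dataclass
class ProtectedRange:
    """One SPI Protected Range (PRx) descriptor, simplified to what we need."""
    base: int            # first protected flash address (inclusive)
    limit: int           # last protected flash address (inclusive)
    write_protect: bool  # write-protect enable bit for this range


def decode_bios_cntl(value: int) -> Dict[str, bool]:
    """Split a BIOS_CNTL register value into its named protection bits."""
    return {
        "bioswe": bool(value & BIOSWE),
        "ble": bool(value & BLE),
        "smm_bwp": bool(value & SMM_BWP),
    }


def bios_cntl_protects(value: int) -> bool:
    """True when BIOS_CNTL alone blocks arbitrary OS-level flash writes.

    Conservative rule used here: BIOSWE must be clear, BLE must be set (so
    BIOSWE cannot be silently re-enabled) and SMM_BWP must be set (so writes
    are confined to SMM even if the BLE SMI handler is raced or bypassed).
    """
    bits = decode_bios_cntl(value)
    return (not bits["bioswe"]) and bits["ble"] and bits["smm_bwp"]


def region_covered(region: Tuple[int, int], ranges: List[ProtectedRange]) -> bool:
    """True when every byte of `region` lies inside a write-protected range."""
    start, end = region
    covered = sorted((r.base, r.limit) for r in ranges if r.write_protect)
    cursor = start  # first address not yet shown to be protected
    for base, limit in covered:
        if base > cursor:
            return False  # unprotected gap before this range
        if limit >= cursor:
            cursor = limit + 1
        if cursor > end:
            return True
    return cursor > end


def assess(bios_cntl: int, bios_region: Tuple[int, int],
           ranges: List[ProtectedRange]) -> str:
    """Overall verdict: BIOS_CNTL first, then fall back to protected ranges."""
    if bios_cntl_protects(bios_cntl):
        return "PROTECTED (BIOS_CNTL)"
    if region_covered(bios_region, ranges):
        return "PROTECTED (protected ranges)"
    return "WRITABLE"


if __name__ == "__main__":
    # Constructed sample: a 2 MiB BIOS region at the top of an 8 MiB flash.
    bios_region = (0x600000, 0x7FFFFF)
    samples = {
        "locked via BIOS_CNTL": (0x22, []),
        "BLE only, no SMM_BWP": (0x02, []),
        "covered by PR registers": (0x00, [
            ProtectedRange(0x600000, 0x6FFFFF, True),
            ProtectedRange(0x700000, 0x7FFFFF, True),
        ]),
        "PR gap in the region": (0x00, [
            ProtectedRange(0x600000, 0x6FFFFF, True),
            ProtectedRange(0x700000, 0x7FFFFF, False),
        ]),
    }
    for label, (cntl, prs) in samples.items():
        print(f"{label:28s} BIOS_CNTL={cntl:#04x} -> {assess(cntl, bios_region, prs)}")
```

A result of `WRITABLE` on a production host is the condition worth alerting on: it means the firmware region can be rewritten from a compromised operating system, which is the precondition for the bricking and persistence scenarios the report describes. The rule in `bios_cntl_protects` is deliberately strict; a BLE-only lock without SMM_BWP is treated as unprotected.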

Copyright © 2020 IDG Communications, Inc.