Dive Brief:
- Trickbot added a function focusing on Unified Extensible Firmware Interface (UEFI) and Basic Input/Output System (BIOS) firmware, according to research from Advanced Intelligence (AdvIntel) and Eclypsium. The function can lead to bricking devices on the firmware level.
- The companies dubbed the new functionality "Trickboot" as it tells malware authors using Emotet how to target the firmware. In a compromised boot process, attackers take over the operating system to "establish ongoing persistence" even with a reinstalled operating system, according to the report.
- Researchers found "PermaDll" in the code of the module, which allows attackers to check for administrative privileges. Researchers had to determine whether the latest loadable modules and capabilities had a role in "whether a victim system's UEFI firmware could be attacked for purposes of persistence or destruction," according to the report.
Dive Insight:
Trickbot is a favored botnet among some of the most notorious cybercriminals. In October, CISA warned industry to brace for an uptick in Ryuk ransomware attacks, which historically relied on Trickbot for initial access and visibility. The agency advised organizations to implement patch updates for operating systems, software and firmware immediately.
Trickbot already challenged enterprise resiliency, but with Trickboot's added threat to firmware, organizations have to ensure all patching is updated.
"Perhaps the biggest implication of [the Trickboot] discovery has to do with resilience planning for large enterprise, critical infrastructure, operational environments and healthcare," said Scott Scheferman, principal cyber strategist at Eclypsium. Even destruction from another worming malware like NotPetya "wouldn't compare to what a mass-scale destructive incident would look like from a recovery standpoint."
Microsoft and the U.S. Cyber Command began dismantling Trickbot's infrastructure in October, but warned there was no guarantee the botnet would be destroyed. By November, at least 100 versions of the Trickbot malware had appeared, including new obfuscation methods.
As Trickbot works to regain the momentum Microsoft and the government disrupted, the module was discovered by the researchers on Oct. 19, just before Microsoft's takedown, said Scheferman.
"This module was likely authored prior" to Microsoft's actions, taking into account the development time required to make it, said Scheferman. "Trickbot toolset authors are constantly releasing new capabilities in the form of these modules," and PermaDll is the latest.
Trickboot hasn't been seen in the wild yet, but bad actors using Trickbot "sit on an arsenal of modules that they use only as needed," said Scheferman.
As Trickbot's attack chain has evolved in recent months, the malware has come to embed a copy of RwDrv.sys. RwDrv.sys is from the RWEverything tool and allows attackers to write to firmware on "virtually any device component, including the SPI controller that governs the system UEFI/BIOS," the report said.
At this point, Trickboot is limited to checking the SPI controller, testing if BIOS has write protection enabled. While the malware has yet to modify any firmware, it does have code with the ability to "read, write and erase firmware," according to the report.
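The write-protection state Trickboot probes is the same state a defender should audit. The added example below (not from the report or the researchers' tooling) decodes the values of the Intel PCH BIOS_CNTL register and the SPI Protected Range (PR0..PR4) registers, as reported by a firmware audit tool such as chipsec, and judges whether the BIOS region is write-protected. The bit layout is the common Intel PCH one and is an assumption here; confirm it against the datasheet for your platform, and the sample register values are constructed.

```python
# Decoder for BIOS_CNTL and SPI PRx register values reported by a firmware
# audit tool. Bit positions follow the common Intel PCH layout (assumed here;
# verify against your platform's datasheet before relying on the verdict).
BIOSWE = 1 << 0   # BIOS Write Enable: 1 = flash writes currently allowed
BLE = 1 << 1      # BIOS Lock Enable: 1 = setting BIOSWE traps into SMM
SMM_BWP = 1 << 4  # SMM BIOS Write Protect: 1 = only SMM code may write


def decode_bios_cntl(value: int) -> dict:
    """Split a BIOS_CNTL byte into its protection-relevant flags."""
    return {"BIOSWE": bool(value & BIOSWE),
            "BLE": bool(value & BLE),
            "SMM_BWP": bool(value & SMM_BWP)}


def decode_pr(value: int) -> dict:
    """Decode a 32-bit SPI Protected Range register. Base (bits 12:0) and
    limit (bits 28:16) are stored in 4 KiB units; WPE is bit 31."""
    return {"wpe": bool((value >> 31) & 1),
            "base": (value & 0x1FFF) << 12,
            "limit": (((value >> 16) & 0x1FFF) << 12) | 0xFFF}


def assess_write_protection(bios_cntl: int, prs, bios_base: int, bios_limit: int):
    """Return (protected, findings). The region counts as protected when
    BIOS_CNTL locks writes (BLE set, BIOSWE clear) or a write-protected PR
    range covers the whole BIOS region; SMM_BWP clear is reported as a gap."""
    findings = []
    c = decode_bios_cntl(bios_cntl)
    cntl_ok = c["BLE"] and not c["BIOSWE"]
    if not c["BLE"]:
        findings.append("BLE clear: BIOSWE can be set without an SMI trap")
    if c["BIOSWE"]:
        findings.append("BIOSWE set: flash writes currently enabled")
    if cntl_ok and not c["SMM_BWP"]:
        findings.append("SMM_BWP clear: BIOS_CNTL lock does not require SMM")
    pr_ok = any(p["wpe"] and p["base"] <= bios_base and p["limit"] >= bios_limit
                for p in map(decode_pr, prs))
    if not pr_ok:
        findings.append("no write-protected PR range covers the BIOS region")
    return (cntl_ok or pr_ok), findings


if __name__ == "__main__":
    # Constructed sample: BIOS region at 0x600000-0x7FFFFF of the flash.
    ok, notes = assess_write_protection(0x0A, [0x87FF0600], 0x600000, 0x7FFFFF)
    print("protected" if ok else "NOT protected", notes)
```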
"Normally when a device experiences a destructive payload, it can be restored via system re-imaging, hard drive standby replacements," Scheferman said. "If TrickBot actors were to modify just one line of code currently observed in the module, they would be able to brick the device at the firmware level."