In the past two months, the cybercriminal-controlled botnet known as TrickBot has become, by some measures, the number one public enemy of the cybersecurity community. It has survived takedown attempts by Microsoft, a supergroup of security firms, and even US Cyber Command. Now it appears that the hackers behind TrickBot are testing a new technique to infect the deepest recesses of compromised machines, reaching beyond their operating systems and into their firmware.
Security firms AdvIntel and Eclypsium today revealed that they have detected a new component of the trojan that TrickBot's hackers use to infect machines. The previously undiscovered module checks victims' computers for vulnerabilities that would allow the hackers to plant a backdoor in deep-seated code known as the Unified Extensible Firmware Interface, which is responsible for loading a device's operating system when it starts. Because the UEFI resides on a chip on the computer's motherboard, separate from the hard drive, placing malicious code there would allow TrickBot to evade most antivirus detection, software updates, or even a total wipe and reinstall of the computer's operating system. Alternatively, it could be used to "brick" target computers, corrupting their firmware to the point where the motherboard would have to be replaced.
The use of that technique by TrickBot's operators, which the researchers call "TrickBoot," makes the group one of only a few, and the first not sponsored by a state, to have experimented in the wild with UEFI-targeted malware, says Vitali Kremez, AdvIntel's CEO and cybersecurity researcher. TrickBoot also represents an insidious new tool in the hands of a brazen group of criminals, one that has already used its position within organizations to plant ransomware and has teamed up with theft-focused North Korean hackers. "The group is looking for novel ways to achieve very advanced persistence in systems, to survive software updates and get into the core of firmware," says Kremez. If they can successfully penetrate the firmware of a victim machine, Kremez adds, "the possibilities are endless, from destruction to taking over basically the entire system."
The hackers behind TrickBot, generally believed to be based in Russia, have earned a reputation as some of the most dangerous cybercriminal hackers on the internet. Their botnet, which at its peak has included more than a million enslaved machines, has been used to plant ransomware like Ryuk and Conti within the networks of countless victims, including hospitals and medical research facilities. The botnet was deemed threatening enough that two separate operations attempted to disrupt it in October: one, carried out by a group of companies including Microsoft, ESET, Symantec, and Lumen Technologies, used court orders to cut TrickBot's connections to US-based command-and-control servers. Another, concurrent operation by US Cyber Command essentially hacked into the botnet, sending its compromised computers new configuration files designed to isolate them from TrickBot's operators. It is unclear to what extent the hackers have rebuilt TrickBot, although they have added at least 30,000 victims to their collection since then by compromising new computers or buying access from other hackers, according to security firm Hold Security.
AdvIntel's Kremez found TrickBot's new firmware-focused feature in a sample of the malware in late October, right after the two attempted takedown operations; TrickBot's modular design allows it to download new components on the fly to victim computers. He believes it may be part of an attempt by TrickBot's operators to gain a foothold that can survive on target machines despite their malware's growing notoriety in the security industry. "As everyone is watching, they have lost a lot of bots," says Kremez. "So their malware needs to be stealthy and that's why we think they targeted this module."
After determining that the new code was aimed at firmware tampering, Kremez shared the module with Eclypsium, which specializes in firmware and microarchitecture security. Eclypsium's analysts determined that the new component Kremez found does not actually alter the victim PC's firmware, but instead looks for a common vulnerability in Intel-based UEFI firmware: PC manufacturers that implement Intel's UEFI firmware often do not set certain bits in that code designed to prevent tampering with it. Eclypsium estimates that the misconfiguration persists in tens of millions, or possibly even hundreds of millions, of PCs. "They're able to search and identify, okay, this is a target that we're going to be able to make this more invasive or more persistent firmware-based attack," says Eclypsium principal researcher Jesse Michaels. "That seems valuable for this kind of generalized campaign where your specific targets can be ransomware, brick systems, being able to persist in environments."
Eclypsium and AdvIntel argue that TrickBot has probably already tampered with the firmware of some victims, even though they have not observed it directly. "It would literally be a one-byte or one-line change to, say, erase the flash or write to the flash instead of just reading the flash," says Michaels, referring to the SPI flash chip that stores a computer's UEFI.
For potential TrickBot victims, countering its firmware-hacking technique will require fresh attention to computer components that are often overlooked. Eclypsium and AdvIntel recommend that companies check their PCs' firmware to determine whether it is vulnerable, update the firmware when vendors make new code available, and, perhaps most importantly, check the firmware for tampering as part of their response to any detected TrickBot infection.
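The two checks recommended above, as an added illustration that is not Eclypsium's, AdvIntel's, or TrickBot's code: the first interprets the Intel PCH BIOS Control register (BIOS_CNTL) bits that decide whether the SPI flash BIOS region can be written, which is the kind of "unset protection bit" the article describes; the second compares a dumped firmware image against a hash recorded when the machine was known to be clean. The register value, the sample image, and the baseline hash are constructed inputs; on a real machine the value would come from a firmware-inspection tool such as CHIPSEC.

```python
"""Defender-side firmware checks: write-protection assessment and tamper comparison."""
import hashlib

# Bit positions in the Intel PCH BIOS Control register (BIOS_CNTL) that govern
# writes to the BIOS region of the SPI flash (per Intel PCH datasheets).
BIOSWE = 1 << 0    # BIOS Write Enable: 1 means the BIOS region is writable right now
BLE = 1 << 1       # BIOS Lock Enable: 1 makes an attempt to set BIOSWE raise an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: 1 restricts BIOS writes to SMM code


def assess_bios_cntl(value: int) -> dict:
    """Classify a BIOS_CNTL value as a firmware-hardening check would (our own verdict scheme)."""
    bioswe = bool(value & BIOSWE)
    ble = bool(value & BLE)
    smm_bwp = bool(value & SMM_BWP)
    if bioswe:
        verdict = "writable"    # any kernel-privileged code can flash the BIOS region
    elif ble and smm_bwp:
        verdict = "protected"   # lock is enforced and writes are confined to SMM
    elif ble:
        verdict = "weak"        # BLE alone relies on the SMI handler to undo BIOSWE writes
    else:
        verdict = "unlocked"    # no lock at all: a single bit flip enables writes
    return {"BIOSWE": bioswe, "BLE": ble, "SMM_BWP": smm_bwp, "verdict": verdict}


def baseline_hash(image: bytes) -> str:
    """Record a SHA-256 of a firmware dump taken while the machine is known to be clean."""
    return hashlib.sha256(image).hexdigest()


def firmware_matches_baseline(image: bytes, expected_sha256: str) -> bool:
    """Tamper check: does a fresh SPI flash dump still match the recorded baseline?"""
    return hashlib.sha256(image).hexdigest() == expected_sha256


if __name__ == "__main__":
    # Constructed sample values, not read from real hardware.
    for reg in (0x00, 0x01, 0x02, 0x22):
        print(f"BIOS_CNTL=0x{reg:02x}: {assess_bios_cntl(reg)}")
    clean_dump = b"constructed-clean-firmware-image"
    stored = baseline_hash(clean_dump)
    print("unchanged dump matches:", firmware_matches_baseline(clean_dump, stored))
    print("modified dump matches:", firmware_matches_baseline(clean_dump + b"\x90", stored))
```

Only a "protected" verdict means the region is locked against the kind of write the researchers describe; any other verdict is the misconfiguration the module is looking for, and the machine should be firmware-updated and its dump compared against a baseline.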
Firmware hacking has appeared in the wild before, used by state-sponsored hackers from the CIA to Russia's Fancy Bear team and a possible Chinese group that repurposed a firmware spying tool created by the hacker-for-hire company Hacking Team. But Eclypsium and AdvIntel argue that the emergence of TrickBoot means firmware hacking is shifting from state-sponsored, targeted attacks to far less discriminating, profit-focused criminal hacking. And that means a vast new pool of potential victims must start keeping an eye on their PC firmware.
"As a business, you have all of these things in your environment," says Eclypsium cybersecurity researcher Scott Scheferman, "and the likelihood that you will contract a TrickBot infection over the next three months is very high. So it's time to really start paying attention."