Trickbot Added New Feature to Infect UEFI/BIOS and Survive OS Reinstall

Researchers from Advanced Intelligence (AdvIntel) and Eclypsium recently reported a dangerous new capability in Trickbot, the prolific malware family that is spread through malicious spam campaigns and often targets corporate environments to deliver ransomware and other threats. The researchers found code in new Trickbot samples that inspects the platform's SPI flash controller for known firmware weaknesses, specifically whether the UEFI/BIOS write protections are enabled. On a system where they are not, the malware would be able to overwrite the UEFI/BIOS firmware and implant itself in the SPI flash chip on the motherboard. A firmware implant of this kind runs before the operating system loads, so it persists even if the operating system is reinstalled or every hard disk in the machine is replaced. So far the samples only perform this reconnaissance; the code to actually write the firmware has not been observed, but the tooling the module carries gives it that ability.

To reach the hardware, the module bundles and loads RwDrv.sys, the signed kernel driver from the free RWEverything utility, which gives user-mode code read and write access to PCI configuration space, memory-mapped I/O and other hardware interfaces. That access is what lets the module read the SPI controller's protection registers, and it would equally let it write the firmware of virtually any device component. RWEverything is a free, publicly available tool, and this is not the first time Trickbot's operators have used readily available software instead of building their own custom functionality.
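What a firmware write-protection check of this kind has to look at, as an added example (this is not code from Trickbot or from the AdvIntel/Eclypsium report): it decodes the Intel PCH registers that decide whether the SPI flash BIOS region can be rewritten from the running OS, the same registers the open-source CHIPSEC tool's `common.bios_wp` module inspects. The register values are constructed sample data; on a real machine they are read from the SPI controller through a kernel driver such as RwDrv.sys. The bit layout follows the Intel PCH datasheets; the verdict strings and the `assess()` helper are this example's own.

```python
"""Decide whether a system's SPI flash BIOS region can be rewritten from the OS.

Added example; not code from Trickbot or from the AdvIntel/Eclypsium report.
Registers inspected (Intel PCH layout):
  * BIOS_CNTL  - SPI controller PCI config offset 0xDC:
                 BIOSWE (bit 0), BLE (bit 1), SMM_BWP (bit 5)
  * PR0..PR4   - SPI Protected Range registers: WPE (bit 31),
                 limit (bits 28:16) and base (bits 12:0), both in 4 KiB units
  * FLOCKDN    - HSFS bit 15; while it is clear the PRx registers can be rewritten,
                 so they offer no protection worth counting
All register values used here are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

BIOSWE = 1 << 0    # BIOS Write Enable: writes to the BIOS region are allowed now
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI so SMM can clear it
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: flash writable only while in SMM
PR_WPE = 1 << 31   # Protected Range: Write Protection Enable


@dataclass
class Assessment:
    bios_cntl: str          # "writable", "ble_only" or "protected"
    pr_covers_bios: bool    # locked PRx ranges cover the whole BIOS region
    protected: bool         # final verdict


def assess_bios_cntl(value: int) -> str:
    """Classify the BIOS_CNTL register alone."""
    if value & BIOSWE:
        return "writable"        # writes are enabled right now
    if not value & BLE:
        return "writable"        # nothing stops ring-0 code from setting BIOSWE itself
    if not value & SMM_BWP:
        # The SMI handler clears BIOSWE again, but without SMM_BWP the well-known
        # multi-core race (set BIOSWE, write before the handler runs) still works.
        return "ble_only"
    return "protected"


def decode_pr(value: int) -> Optional[tuple[int, int]]:
    """Return the inclusive (base, limit) flash byte range a PRx register
    write-protects, or None when its WPE bit is clear."""
    if not value & PR_WPE:
        return None
    base = (value & 0x1FFF) << 12                       # bits 12:0, 4 KiB units
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF    # bits 28:16, end of last 4 KiB page
    return base, limit


def ranges_cover(region: tuple[int, int], ranges: list[tuple[int, int]]) -> bool:
    """True if the union of `ranges` covers every byte of `region` (both inclusive)."""
    start, end = region
    cursor = start
    for base, limit in sorted(ranges):
        if base > cursor:
            return False                 # a gap before this range is writable
        cursor = max(cursor, limit + 1)
        if cursor > end:
            return True
    return cursor > end


def assess(bios_cntl: int, bios_region: tuple[int, int],
           prs: list[int], flockdn: bool) -> Assessment:
    """Combine BIOS_CNTL and the protected ranges into one verdict.
    `bios_region` is the BIOS region's flash byte range (normally taken from FREG1)."""
    bc = assess_bios_cntl(bios_cntl)
    locked = [r for r in map(decode_pr, prs) if r is not None] if flockdn else []
    covered = ranges_cover(bios_region, locked)
    return Assessment(bc, covered, protected=(bc == "protected" or covered))


if __name__ == "__main__":
    # Constructed 16 MiB flash with the BIOS region in its upper half.
    bios_region = (0x800000, 0xFFFFFF)
    # BIOS_CNTL = 0x02: BLE set, BIOSWE clear, SMM_BWP clear.
    # PR0 = 0x8FFF0800: WPE set, base 0x800000, limit 0xFFFFFF.
    print(assess(0x02, bios_region, [0x8FFF0800], flockdn=True))
    print(assess(0x02, bios_region, [0x8FFF0800], flockdn=False))
```

A defender reads the same registers to prove a build is locked down: `protected` must be true with `flockdn=True` on every model in the fleet, and a `ble_only` result with no covering protected range is the misconfiguration an attacker with a driver like RwDrv.sys can exploit.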

Analyst Notes

Many enterprise IT teams do not track the firmware (BIOS/UEFI) versions installed across their fleet. Firmware deserves the same attention as software: watch for announced vulnerabilities in the firmware of the models you deploy, and apply vendor firmware updates when they close security holes. Where the vendor's settings allow it, confirm that BIOS write protection and Secure Boot are enabled and that the SPI flash lock bits are actually set; Intel's open-source CHIPSEC tool can verify the latter. Malware that exploits unpatched or misconfigured firmware is very hard to detect and to remediate: reimaging the operating system does not remove it, and recovery means reflashing a known-good firmware image or replacing the board. Monitor network traffic as well as endpoints, because even a firmware implant that hides itself from the OS and from EDR must still send traffic to reach the attacker's Command and Control (C2) servers, and that traffic remains visible to network sensors.

