Researchers from Advanced Intelligence and Eclypsium recently reported a dangerous new capability in Trickbot, the prolific malware that is spread through malicious spam campaigns and often targets corporate environments to deliver ransomware and other threats. The researchers found code in new Trickbot samples that inspects the system's firmware write protections: it reads the Intel PCH's BIOS control registers to determine whether the SPI flash holding the UEFI/BIOS firmware is left writable from the operating system, which is the condition under which the malware could overwrite the firmware and implant itself in the flash chip on the motherboard. A firmware implant of this kind would persist even if the operating system is reinstalled or every hard disk in the computer is replaced, and the same write access could be used to brick the machine. The samples analyzed only perform the check; the researchers did not observe the malware actually writing the firmware.
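The check described above amounts to decoding a handful of Intel PCH registers. The following is an added example, not code from the report or from Trickbot, that performs that decoding the way a firmware write-protection audit does: given the BIOS_CNTL, HSFS and PR0-PR4 values (which the malware obtains through the RWEverything driver), it says whether the BIOS region is writable, protected, or only weakly protected. The bit layout is assumed from Intel PCH datasheets, the register values and the BIOS region bounds are constructed for illustration, and the helper names are this example's own.

```python
"""Decode Intel PCH BIOS write-protection registers into a verdict.

Added example; register bit layout assumed from Intel PCH datasheets
(BIOS_CNTL, HSFS, PR0-PR4). All register VALUES below are constructed
for illustration, not read from a real machine.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# BIOS_CNTL bits (assumed Intel PCH layout)
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = OS-level writes to the BIOS region allowed
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes only while all cores are in SMM

FLOCKDN = 1 << 15  # HSFS: Flash Configuration Lock-Down (locks PRx until reset)

PR_WPE = 1 << 31   # PRx: Write Protection Enable
PR_RPE = 1 << 15   # PRx: Read Protection Enable


@dataclass
class ProtectedRange:
    base: int
    limit: int
    write_protected: bool
    read_protected: bool


def decode_pr(value: int) -> Optional[ProtectedRange]:
    """Decode one PRx register; base/limit are 4 KiB-granular flash addresses."""
    wpe = bool(value & PR_WPE)
    rpe = bool(value & PR_RPE)
    if not (wpe or rpe):
        return None  # range disabled
    base = (value & 0x7FFF) << 12
    limit = (((value >> 16) & 0x7FFF) << 12) | 0xFFF
    return ProtectedRange(base, limit, wpe, rpe)


def pr_covers(prs: List[ProtectedRange], bios_base: int, bios_limit: int) -> bool:
    """True if a single write-protected range spans the whole BIOS region (simplified)."""
    return any(p.write_protected and p.base <= bios_base and p.limit >= bios_limit
               for p in prs)


def assess(bios_cntl: int, hsfs: int, pr_values: List[int],
           bios_base: int, bios_limit: int) -> Tuple[str, List[str]]:
    """Return ("writable" | "weak" | "protected", reasons) for the BIOS region."""
    reasons: List[str] = []
    prs = [p for p in map(decode_pr, pr_values) if p is not None]
    locked = bool(hsfs & FLOCKDN)

    # PRx ranges only count once FLOCKDN is set; before that, ring-0 code
    # (for example via the RWEverything driver) can simply clear them.
    if pr_covers(prs, bios_base, bios_limit):
        if locked:
            reasons.append("PRx write-protects the BIOS region and FLOCKDN is set")
            return "protected", reasons
        reasons.append("PRx covers the BIOS region but FLOCKDN is clear: ranges can be cleared")

    if bios_cntl & BIOSWE:
        reasons.append("BIOSWE=1: BIOS region is writable from the OS right now")
        return "writable", reasons
    if not (bios_cntl & BLE):
        reasons.append("BLE=0: ring-0 code can set BIOSWE without triggering an SMI")
        return "writable", reasons
    if bios_cntl & SMM_BWP:
        reasons.append("BLE=1 and SMM_BWP=1: writes only possible from SMM")
        return "protected", reasons
    reasons.append("BLE=1 but SMM_BWP=0: the SMI handler re-clears BIOSWE, "
                   "but another thread can write during the race window")
    return "weak", reasons


# Constructed sample: BIOS region occupies the top 3 MiB of an 8 MiB flash.
BIOS_BASE, BIOS_LIMIT = 0x500000, 0x7FFFFF

# Constructed register sets: (BIOS_CNTL, HSFS, [PR0..PR4])
SAMPLES = {
    "no_protection": (0x00, 0x0000, [0, 0, 0, 0, 0]),
    "ble_only":      (0x02, 0x8000, [0, 0, 0, 0, 0]),
    "ble_smm_bwp":   (0x22, 0x8000, [0, 0, 0, 0, 0]),
    "pr_locked":     (0x00, 0x8000, [0x87FF0500, 0, 0, 0, 0]),
    "pr_unlocked":   (0x00, 0x0000, [0x87FF0500, 0, 0, 0, 0]),
}


def check(name: str) -> Tuple[str, List[str]]:
    cntl, hsfs, prs = SAMPLES[name]
    return assess(cntl, hsfs, prs, BIOS_BASE, BIOS_LIMIT)


if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, why = check(sample)
        print(f"{sample:14} -> {verdict}: {'; '.join(why)}")
```

The same three-way verdict is what a defender should want from a firmware audit: "weak" (BLE without SMM_BWP) is the state an attacker can race, and a PRx range that is not locked by FLOCKDN gives no protection against code that already runs in ring 0, which is exactly the position a dropped kernel driver puts the malware in.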
To reach those registers, Trickbot drops the kernel driver from "RWEverything" (Read & Write Everything), a free Windows utility whose signed driver, RwDrv.sys, lets user-mode code read and write PCI configuration space, physical memory, I/O ports and the SPI controller of virtually any hardware component. This is a readily available tool rather than custom functionality, which is consistent with Trickbot's history of reusing off-the-shelf tooling instead of writing its own. It also gives defenders a practical signal: loading of the RWEverything driver on a machine with no legitimate hardware-tuning need is worth alerting on, and firmware write-protection settings (BLE, SMM_BWP and locked protected ranges) should be verified rather than assumed.