In just the last two months, the cybercriminal-controlled botnet known as TrickBot has become, by some measures, public enemy number one for the cybersecurity community. It's survived takedown attempts by Microsoft, a supergroup of security firms, and even US Cyber Command. Now it appears the hackers behind TrickBot are trying a new technique to infect the deepest recesses of infected machines, reaching beyond their operating systems and into their firmware.
Security firms AdvIntel and Eclypsium today revealed that they've spotted a new component of the trojan that TrickBot hackers use to infect machines. The previously undiscovered module checks victim computers for vulnerabilities that would allow the hackers to plant a backdoor in deep-seated code known as the Unified Extensible Firmware Interface, which is responsible for loading a device's operating system when it boots up. Because the UEFI sits on a chip on the computer’s motherboard outside of its hard drive, planting malicious code there would allow TrickBot to evade most antivirus detection, software updates, or even a total wipe and reinstallation of the computer's operating system. It could alternatively be used to "brick" target computers, corrupting their firmware to the degree that the motherboard would need to be replaced.
The TrickBot operators' use of that technique, which the researchers are calling "TrickBoot," makes the hacker group just one of a handful—and the first that's not state-sponsored—to have experimented in the wild with UEFI-targeted malware, says Vitali Kremez, a cybersecurity researcher for AdvIntel and the company's CEO. But TrickBoot also represents an insidious new tool in the hands of a brazen group of criminals—one that's already used its foothold inside organizations to plant ransomware and partnered with theft-focused North Korean hackers. "The group is looking for novel ways to get very advanced persistence on systems, to survive any software updates and get inside the core of the firmware," says Kremez. If they can successfully penetrate a victim machine's firmware, Kremez adds, "the possibilities are endless, from destruction to basically complete system takeover."
While TrickBoot checks for a vulnerable UEFI, the researchers have not yet observed the actual code that would compromise it. Kremez believes hackers are likely downloading a firmware-hacking payload only to certain vulnerable computers once they're identified. "We think they've been handpicking high-value targets of interest," he says.
The hackers behind TrickBot, generally believed to be Russia-based, have gained a reputation as some of the most dangerous cybercriminal hackers on the internet. Their botnet, which at its peak has included more than a million enslaved machines, has been used to plant ransomware like Ryuk and Conti inside the networks of countless victims, including hospitals and medical research facilities. The botnet was considered menacing enough that two distinct operations attempted to disrupt it in October: One, carried out by a group of companies including Microsoft, ESET, Symantec, and Lumen Technologies, sought to use court orders to cut TrickBot's connections to the US-based command-and-control servers. Another simultaneous operation by US Cyber Command essentially hacked the botnet, sending new configuration files to its compromised computers designed to cut them off from the TrickBot operators. It's not clear to what degree the hackers have rebuilt TrickBot, though they have added at least 30,000 victims to their collection since then by compromising new computers or buying access from other hackers, according to security firm Hold Security.
AdvIntel's Kremez came upon the new firmware-focused feature of TrickBot—whose modular design allows it to download new components on the fly to victim computers—in a sample of the malware in late October, just after the two attempted takedown operations. He believes it may be part of an attempt by TrickBot's operators to gain a foothold that can survive on target machines despite their malware's growing notoriety throughout the security industry. "Because the whole world is watching, they've lost a lot of bots," says Kremez. "So their malware needs to be stealthy, and that's why we believe they focused on this module."
After determining that the new code was aimed at firmware meddling, Kremez shared the module with Eclypsium, which specializes in firmware and microarchitecture security. Eclypsium's analysts determined that the new component Kremez found doesn't actually alter a victim PC's firmware itself, but instead checks for a common vulnerability in Intel UEFIs. PC manufacturers who implement Intel's UEFI firmware often don't set certain bits in that code designed to prevent it from being tampered with. Eclypsium estimates that configuration problem persists in tens of millions or even possibly hundreds of millions of PCs. "They're able to look and identify, OK, this is a target that we're going to be able to do this more invasive or more persistent firmware-based attack," says Eclypsium principal researcher Jesse Michaels. "That seems valuable for this type of widespread campaign where their specific goals may be ransomware, bricking systems, being able to persist in environments."
Eclypsium and AdvIntel argue that TrickBot has likely altered some victims' firmware already, despite not having observed it directly. "It would literally be a one-byte or a one-line change in order to, say, erase the flash or write to the flash instead of just reading the flash," Michaels says, referring to the SPI flash chip that stores a computer's UEFI.
For potential TrickBot victims, combating its firmware-hacking technique will require new attention to vulnerable computer components that are often ignored. Eclypsium and AdvIntel advise that companies check their PCs' firmware to determine if it's vulnerable, update their firmware when vendors make new code available, and perhaps most importantly, check their PCs' firmware for tampering as part of their response to any detected TrickBot infections.
Firmware hacking has appeared in the wild before, used by state-sponsored hackers from the CIA to Russia's Fancy Bear team to a likely Chinese group that repurposed a firmware spy tool created by the hacker-for-hire firm Hacking Team. But Eclypsium and AdvIntel argue that the appearance of TrickBoot means that firmware hacking is moving from targeted, state-sponsored attacks to far less discriminate, profit-focused criminal hacking. And that means a vast new set of potential victims need to start being vigilant about their PCs' firmware.
"You do have all of these things in your environment as an enterprise," says Eclypsium cybersecurity researcher Scott Scheferman, "and the likelihood of you getting a TrickBot infection over the next three months is very high. So it's time to really, actually start to pay attention."