The developers of the TrickBot malware have added functions that allow it to interfere with the operating system's boot process and establish such a persistent presence that neither replacing the hard drive nor reinstalling the OS can remove it. The new module is essentially a bootkit – a program capable of writing to the BIOS/UEFI firmware and modifying it.
The new TrickBot functionality was discovered in the wild at the end of October. The find greatly alarmed experts: increased persistence in a piece of malware capable of infecting several thousand PCs a day is very bad news. It also confirmed once again that the botnet's operators have not given up hope of rebuilding their network after the takedown. The multifunctional malware underlying it continues to improve, expanding its capabilities and its set of self-defense tools.
Currently, the new TrickBot module (analysts have dubbed it TrickBoot) targets only machines based on Intel chipsets, and it does not yet try to modify the firmware but only checks the BIOS write-protection settings.
Since the bootkit functionality allows malicious code to start from the Master Boot Record (MBR) or the boot sector, enabling OS Secure Boot will have no effect. Standard protection tools – such as BitLocker, ELAM (Early-Launch Anti-Malware), Windows 10 VSM (Virtual Secure Mode), Credential Guard, EDR (Endpoint Detection and Response) and antiviruses – will not help either, since they start after the MBR-level malware. The updated TrickBot could even disable them unnoticed.
Using a bootkit allows a bot not only to bypass protection and firmly establish itself in the system, but also to perform the following actions:
re-infect a machine cleaned using standard system recovery tools;
roll back important microcode updates such as Spectre and MDS patches;
remotely turn the device into a useless brick at the firmware level;
attack vulnerabilities in the firmware of important Intel components – CSME (Converged Security and Management Engine), AMT (Active Management Technology), BMC (Baseboard Management Controller).
The use cases for TrickBoot are varied. Experts believe the innovation will allow the bots to conduct mass scans for BIOS vulnerabilities, destroy evidence valuable to forensic analysts, retain access to compromised networks and lease it to other attackers – for example, ransomware distributors, who could use TrickBoot to punish victims who refuse to pay by destroying their systems.
It is noteworthy that the bootkit code for TrickBot was not written from scratch but borrowed from the creators of the popular RWEverything tool – a free Windows utility for viewing PC hardware and system data. The malware authors simply copied the RwDrv.sys driver and packaged it as a module that the TrickBot loader installs into the system. Creating a bootkit requires strong technical skills, and such creations rarely appear on analysts' radars. Among recent known malware, bootkits are used by LoJax and MosaicRegressor.
In their report, the researchers also noted that compromise at the BIOS/UEFI level is not easy to identify. The presence of a bootkit can be detected reliably by connecting an SPI flash programmer to the device's SPI flash chip – the ROM that stores the firmware. However, only a specialist can read and interpret the SPI flash contents correctly; moreover, such an examination can mean prolonged downtime for the company.
There are also a number of specialized tools and services on the market that check whether UEFI/BIOS write protection is enabled. Firmware integrity violations can be detected by checking firmware hashes, and regular firmware updates help ensure that no known vulnerabilities remain.
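The write-protection settings that TrickBoot inspects, and that the tools above verify, live in the Intel PCH BIOS_CNTL register. The following added example (not from the article or from any TrickBot analysis) decodes that register's BIOSWE, BLE and SMM_BWP bits and reports whether the BIOS region is locked down; the bit positions come from Intel PCH datasheets, while the sysfs path and PCI address (00:1f.5, 100-series or newer PCH) are assumptions for a Linux host.

```python
"""Decode Intel PCH BIOS_CNTL to judge whether the BIOS/SPI region is write-protected.

Added example, not part of the original article. Bit layout per Intel PCH
datasheets (BIOS_CNTL, offset 0xDC in the SPI controller's PCI config space);
the sysfs path below is an assumption for Linux on a 100-series or newer PCH.
"""
from dataclasses import dataclass

BIOSWE = 1 << 0   # BIOS Write Enable: 1 = BIOS region of SPI flash is writable
BLE = 1 << 1      # BIOS Lock Enable: 1 = setting BIOSWE raises an SMI so firmware can veto it
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: 1 = writes only permitted while the CPU is in SMM

SYSFS_PCI_CONFIG = "/sys/bus/pci/devices/0000:00:1f.5/config"  # assumed location
BIOS_CNTL_OFFSET = 0xDC


@dataclass
class WriteProtectStatus:
    bioswe: bool
    ble: bool
    smm_bwp: bool

    @property
    def protected(self) -> bool:
        # Writes disabled, the disable is locked, and the lock is enforced in SMM.
        return (not self.bioswe) and self.ble and self.smm_bwp

    def findings(self) -> list:
        out = []
        if self.bioswe:
            out.append("BIOSWE set: BIOS region is currently writable")
        if not self.ble:
            out.append("BLE clear: BIOSWE can be toggled by ring-0 code without firmware intervention")
        if not self.smm_bwp:
            out.append("SMM_BWP clear: write protection relies on BLE alone")
        return out


def decode_bios_cntl(value: int) -> WriteProtectStatus:
    """Decode the low byte of BIOS_CNTL into its write-protection bits."""
    return WriteProtectStatus(bool(value & BIOSWE), bool(value & BLE), bool(value & SMM_BWP))


def read_bios_cntl(path: str = SYSFS_PCI_CONFIG) -> int:
    """Read BIOS_CNTL from sysfs (needs root); raises if the path does not exist."""
    with open(path, "rb") as f:
        f.seek(BIOS_CNTL_OFFSET)
        return f.read(1)[0]


if __name__ == "__main__":
    # Constructed sample values: fully locked platform, BLE-only platform, writable platform.
    for sample in (0x22, 0x02, 0x01):
        status = decode_bios_cntl(sample)
        print(f"BIOS_CNTL=0x{sample:02x} protected={status.protected} {status.findings()}")
```

On a real host, replace the samples with `decode_bios_cntl(read_bios_cntl())`; a `protected=False` result is a posture finding to fix in firmware setup, not evidence of infection.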