The TrickBot group, which has steadily expanded its set of tools and targets despite being among the highest priority targets for law enforcement, researchers, and intelligence agencies, has developed a new module for its malware that can inspect the UEFI or BIOS on compromised machines to see if they contain known vulnerabilities. Exploiting a flaw at that level could give the attackers the ability to overwrite the device’s firmware or install a bootkit that would persist even after reimaging.
The module, known as TrickBoot, represents a powerful new capability for the TrickBot operators and their customers. Researchers at Advanced Intelligence discovered the module in October when they noticed a new component in TrickBot called “PermaDll”. After analyzing the module with researchers from Eclypsium, they found that the new code was specifically designed to examine the lowest level of a device’s firmware to determine whether it contained any vulnerabilities. The module currently does not include the capability to overwrite the firmware or install a malicious implant, but that would be a simple addition, the researchers said.
“During the analysis, we realized that if they just changed one line of code you go from understanding that a specific device’s firmware is vulnerable to being able to brick it,” Scott Scheferman, principal strategist at Eclypsium, said.
“With this, you could kind of land and expand. I can figure out what kind of system I’m on and then call down this module if I need it. Now I have more options as an attacker.”
UEFI is the modern replacement for BIOS and is the code that runs when a device first boots up. It acts as an interface with the operating system and has powerful control over the lowest levels of the device’s operation. This looks to be the first time researchers have discovered a piece of criminal malware with the capability to look for and possibly exploit weaknesses in UEFI. There have been examples of tools deployed by APT groups, intelligence agencies, and commercial spyware makers that have similar capabilities to inspect and potentially exploit UEFI bugs, but those tools are used in targeted attacks. TrickBot is on the other end of the spectrum, as it’s seeded through massive spam campaigns. Having this capability in the hands of a criminal group that operates at the highest levels of proficiency is a serious concern.
“This activity sets the stage for TrickBot operators to perform more active measures such as the installation of firmware implants and backdoors or the destruction (bricking) of a targeted device. It is quite possible that threat actors are already exploiting these vulnerabilities against high-value targets. Similar UEFI-focused threats have gone years before they have been detected. Indeed, this is precisely their value to attackers,” the researchers said in their analysis of the new module.
“This marks a significant step in the evolution of TrickBot. Firmware level threats carry unique strategic importance for attackers. By implanting malicious code in firmware, attackers can ensure their code is the first to run. Bootkits allow an attacker to control how the operating system is booted or even directly modify the OS to gain complete control over a system and subvert higher-layer security controls. UEFI level implants are the deepest, most powerful, and stealthy form of bootkits.”
The TrickBot group has been operating for at least four years, and its namesake malware has evolved consistently and significantly in that time, adding new capabilities and techniques for evading security tools. TrickBot has become closely associated with the Emotet trojan and the Ryuk ransomware, and the TrickBot operators often sell access to compromised machines, specifically to high-level attack groups such as the Lazarus group in North Korea. Many TrickBot infections result in Ryuk ransomware incidents, and estimates of the TrickBot operators’ profits from their various lines of business run into the hundreds of millions of dollars.
The group’s activities have not gone unnoticed, and TrickBot has been a major focus of the security research community as well as law enforcement agencies for several years. In October, both Microsoft and U.S. Cyber Command conducted operations designed to disrupt TrickBot, with limited success. Although Microsoft was able to gain control of some of TrickBot’s command-and-control servers, the operators soon had new ones up and running.
The good news about the discovery of this module is not only that the research community now knows about it and has a chance to analyze it, but also that the authors have not yet activated the portion that could be destructive to infected devices. Vitali Kremez, CEO of Advanced Intelligence, said the TrickBoot module has only been deployed so far on high-value targets, but that could easily change once it finds its way into the hands of the group’s customers.
“It’s not an engineering exercise. The exploit is actually pretty trivial once they discover the system is vulnerable. We expect they’ve already done it in many cases but we just haven’t seen it yet,” Kremez said.
And although the TrickBot group has been under an intense spotlight for years, the operators don’t seem to care very much.
“We expect TrickBot to be like a tank, slowly, steadily moving. Once they’re in, they’re in. They largely remain unconcerned with the attention they’ve received,” Kremez said.
“I don’t expect there to be any obvious detection mechanism for this for months or years to come.”