The cybercriminal-controlled botnet known as TrickBot has become public enemy number one (again) for the cybersecurity community. It has survived takedown attempts by Microsoft, by analysts from leading cybersecurity firms, and even by US Cyber Command. It now appears that the hackers behind TrickBot are trying a new technique to reach the deepest recesses of infected machines, going beyond the operating system and into the firmware.
The security firms AdvIntel and Eclypsium revealed that they have identified a new component of the trojan that the TrickBot hackers use to infect machines. The previously undiscovered module checks victim computers for a weakness that would allow the hackers to plant a backdoor in deep-seated code known as the Unified Extensible Firmware Interface (UEFI). UEFI is a specification that defines a software interface between an operating system and platform firmware. It replaces the legacy Basic Input/Output System (BIOS) firmware interface originally present in all IBM PC-compatible personal computers, with most UEFI firmware implementations providing support for legacy BIOS services. It is responsible for loading a device's operating system when it boots up. Because the UEFI firmware is stored in a flash chip on the computer's motherboard, separate from its hard drive, planting malicious code there would allow TrickBot to survive most antivirus detection, software updates, and even a total wipe and reinstallation of the operating system. It could alternatively be used to "brick" target computers, corrupting their firmware to the degree that the motherboard would need to be replaced.
The TrickBot operators' use of that technique, which the researchers are calling "TrickBoot," makes the hacker group one of only a handful, and the first that is not state-sponsored, to have experimented in the wild with UEFI-targeted malware, says a cybersecurity researcher for AdvIntel. TrickBoot also represents an insidious new tool in the hands of a brazen group of criminals, one that has already used its foothold inside organizations to plant ransomware and has partnered with theft-focused North Korean hackers. "The group is looking for novel ways to get very advanced persistence on systems, to survive any software updates and get inside the core of the firmware," says AdvIntel. If they can successfully penetrate a victim machine's firmware, AdvIntel adds, "the possibilities are endless, from destruction to basically complete system takeover."
While TrickBoot checks for a vulnerable UEFI, the researchers have not yet observed the actual code that would compromise it. AdvIntel believes hackers are likely downloading a firmware-hacking payload only to certain vulnerable computers once they're identified. "We think they've been handpicking high-value targets of interest."
The hackers behind TrickBot are believed to be Russian or Eastern European. Researchers believe that the cybercriminal group known as "Grim Spider" is behind Ryuk and that it is part of the larger group behind TrickBot. These threat actors have gained a reputation as some of the most dangerous cybercriminal hackers on the internet. Their botnet, which at its peak included more than a million enslaved machines, has been used to plant ransomware such as Ryuk and Conti inside the networks of countless victims, including hospitals and medical research facilities. The botnet was considered menacing enough that two distinct operations attempted to disrupt it in October: one was carried out by a group of companies including Microsoft, ESET, Symantec, and Lumen Technologies, which used court orders to cut TrickBot's connections to its US-based command-and-control servers.
Another simultaneous operation by US Cyber Command essentially hacked the botnet, sending new configuration files to its compromised computers designed to cut them off from the TrickBot operators. It is not clear to what degree the hackers have rebuilt TrickBot, though they have added at least 30,000 victims to their collection since then by compromising new computers or buying access from other hackers, according to security firm Hold Security.
AdvIntel's researchers came upon the new firmware-focused feature of TrickBot, whose modular design allows it to download new components on the fly to victim computers, in a sample of the malware in late October 2020, immediately after the two attempted takedown operations. AdvIntel believes it may be part of an attempt by TrickBot's operators to gain a foothold that can survive on target machines despite the malware's growing notoriety throughout the security industry. "Because the whole world is watching, they have lost a lot of bots," says AdvIntel. "So their malware needs to be stealthy, and that's why we believe they focused on this module."
After determining that the new code was aimed at firmware meddling, AdvIntel shared the module with Eclypsium, which specializes in firmware and microarchitecture security. Eclypsium's analysts determined that the component AdvIntel found does not actually alter a victim PC's firmware itself, but instead checks for a common misconfiguration on Intel-based PCs: manufacturers often ship firmware that never sets the chipset register bits designed to lock the flash chip holding the UEFI code against writes from the running operating system. When those bits are left clear, any code with sufficient privileges, such as a kernel driver, can rewrite the firmware. Eclypsium estimates that the configuration problem persists in tens of millions or possibly even hundreds of millions of PCs. "They're able to look and identify, OK, this is a target that we are going to be able to do this more invasive or more persistent firmware-based attack," says an Eclypsium principal researcher. "That seems valuable for this type of widespread campaign where their specific goals may be ransomware, bricking systems, being able to persist in environments."
Both firms argue that TrickBot has likely altered some victims' firmware already, despite not having observed it directly. "It would literally be a one-byte or a one-line change in order to, say, erase the flash or write to the flash instead of just reading the flash," analysts say, referring to the SPI flash chip that stores a computer's UEFI.
For potential TrickBot victims, combating its firmware-hacking technique will require new attention to computer components that are often ignored. Eclypsium and AdvIntel advise that companies check their PCs' firmware to determine whether the flash write-protection is enabled, update their firmware when vendors make new code available, and, perhaps most importantly, check their PCs' firmware for tampering as part of the response to any detected TrickBot infection.
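The check TrickBoot performs, and the check defenders are advised to run themselves, comes down to reading a few chipset register bits. The following is an added example written for this article; it is not Eclypsium's, AdvIntel's, or the TrickBot module's code. It decodes the Intel PCH BIOS Control register (BIOSWE, BLE, SMM_BWP) and the SPI Protected Range registers (PR0..PR4) and reports whether the BIOS region of the SPI flash is writable from the operating system. The bit layouts follow Intel's PCH datasheets; the register values, flash size and BIOS region offsets used below are constructed, not read from hardware, and on a real machine they would come from a tool with PCI configuration and SPI BAR access (chipsec's `common.bios_wp` module performs essentially this test).

```python
"""
Decode Intel PCH BIOS write-protection controls and decide whether the
BIOS region of the SPI flash can be written from the OS.

Added example; not code from the article, Eclypsium, AdvIntel or TrickBot.
All register values below are constructed. Bit positions follow the PCH
BIOS Control register (BIOS_CNTL, called BIOS_SPI_BC on newer chipsets)
and the SPI Protected Range registers PR0..PR4.
"""

# BIOS_CNTL bits (assumed layout from Intel PCH datasheets)
BIOSWE = 1 << 0   # BIOS Write Enable (WPD on newer PCH): flash writes allowed when set
BLE = 1 << 1      # BIOS Lock Enable (LE): setting BIOSWE raises an SMI so firmware can clear it
SMM_BWP = 1 << 5  # SMM BIOS Write Protect (EISS): writes honoured only from SMM

PR_WPE = 1 << 31  # PRx Write Protection Enable


def decode_bios_cntl(value):
    """Return the three write-protection flags from a BIOS_CNTL byte."""
    return {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }


def decode_pr(value):
    """Return (write_protected, base, limit) for one 32-bit PRx register.

    Base (bits 12:0) and limit (bits 28:16) are stored in 4 KiB units; the
    limit covers the whole last 4 KiB block, hence the | 0xFFF.
    """
    write_protected = bool(value & PR_WPE)
    base = (value & 0x1FFF) << 12
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF
    return write_protected, base, limit


def bios_region_writable(bios_cntl, pr_regs, bios_base, bios_limit):
    """Decide whether flash offsets [bios_base, bios_limit] are writable from the OS.

    The region is treated as protected if a PRx range with WPE covers it
    entirely, or if BLE and SMM_BWP are both set (writes only from SMM, and
    BIOSWE cannot be turned on behind the firmware's back). BLE alone is
    treated as insufficient: the SMI handler that clears BIOSWE can be raced.
    Returns (writable, reason).
    """
    for idx, pr in enumerate(pr_regs):
        wpe, base, limit = decode_pr(pr)
        if wpe and base <= bios_base and limit >= bios_limit:
            return False, f"PR{idx} write-protects 0x{base:08X}-0x{limit:08X}"

    flags = decode_bios_cntl(bios_cntl)
    if flags["BLE"] and flags["SMM_BWP"]:
        return False, "BLE and SMM_BWP set: BIOS writes restricted to SMM"
    if flags["BLE"]:
        return True, "only BLE set: BIOSWE can be re-enabled by racing the SMI handler"
    if flags["BIOSWE"]:
        return True, "BIOSWE set with no lock: BIOS region writable from the OS"
    return True, "no lock bits set: a privileged driver can simply set BIOSWE"


# Constructed sample: 16 MiB flash with the BIOS region in the top 11 MiB.
SAMPLE_BIOS_BASE = 0x00500000
SAMPLE_BIOS_LIMIT = 0x00FFFFFF
# PR0 covering exactly that region with WPE set: base 0x500, limit 0xFFF (4 KiB units)
SAMPLE_PR0_COVERING = PR_WPE | (0xFFF << 16) | 0x500

SAMPLE_SYSTEMS = {
    "unlocked": (0x00, []),
    "ble_only": (BLE, []),
    "ble_and_smm_bwp": (BLE | SMM_BWP, []),
    "unlocked_but_pr0": (0x00, [SAMPLE_PR0_COVERING]),
}


def audit_samples():
    """Run the check over the constructed systems; returns {name: (writable, reason)}."""
    return {
        name: bios_region_writable(cntl, prs, SAMPLE_BIOS_BASE, SAMPLE_BIOS_LIMIT)
        for name, (cntl, prs) in SAMPLE_SYSTEMS.items()
    }


if __name__ == "__main__":
    for name, (writable, reason) in audit_samples().items():
        print(f"{name:18s} {'WRITABLE' if writable else 'protected':9s} {reason}")
```

A machine that reports "protected" here is not immune to TrickBot, only to the one-byte write described above; a vendor firmware update and a comparison of the flash contents against a known-good image are still the right follow-up after an infection.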
Firmware hacking has appeared in the wild before, used by state-sponsored hackers from the CIA to Russia's Fancy Bear team to a likely Chinese group that repurposed a firmware spy tool created by the hacker-for-hire firm Hacking Team. But Eclypsium and AdvIntel argue that the appearance of TrickBoot means firmware hacking is moving from targeted, state-sponsored attacks to far less discriminate, profit-focused criminal hacking. That means a vast new set of potential victims needs to start being vigilant about their PCs' firmware.
"You do have all of these things in your environment as an enterprise," says an Eclypsium cybersecurity researcher, "and the likelihood of you getting a TrickBot infection over the next three months is very high. So, it is time to really, actually start to pay attention."
Red Sky Alliance has been tracking cybercriminals for years. Throughout our research, we have painfully learned through our clients that installing, updating, and monitoring firewalls and other security controls, together with proper employee training, are keys to success, yet woefully not enough. Our current tools provide a valuable look into the underground, where malware and its many variants are bought and sold, and help support existing protections with proactive underground indicators of compromise. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis for your organization.
Red Sky Alliance has been analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Malware comes and goes, but often is dusted off and reappears in current campaigns.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941