According to security researchers at Advanced Intelligence (AdvIntel) and Eclypsium, TrickBot's new functionality allows it to inspect the UEFI/BIOS firmware of targeted systems and check for known vulnerabilities that could allow the attackers to read, write, or erase the UEFI/BIOS firmware of a device.
This new capabilities sets the stage for TrickBot operators to perform even more active exploits such as the installation of firmware implants and backdoors or bricking of any targeted device.
Typical TrickBot Killchain exploit Explained
TrickBot's most common attack chain often begins with EMOTET malspam campaigns, which loads TrickBot and other loaders, and then moves to attack tools like Cobalt Strike and PowerShell Empire to accomplish their objectives, which relative to the victim or organization under attack.
The bad actors also uses LightBot, which is a set of PowerShell scripts that perform reconnaissance on victim hardware and software, in order to hand-pick high-value targets.
And it's clear that such actors would greatly benefit from the addition of UEFI level bootkit in their kill chain, and would survive system re-imagining efforts during the recovery phase of such as a Ryuk or Conti event, and further their ability to semi-permanently brick a device.
This will afford criminal actors more leverage during ransom negotiation, as often, at the end of the kill-chain, either Conti or Ryuk ransomware is deployed.
How to Mitigate against such threats as presented by TrickBot
Given the scope of TrickBot and armed with the new capabilities, TrickBoot is only one line of code away from bricking any device it finds to be vulnerable, and attack of this kind can have severe consequences.
Therefore, it's recommended that organisations should keep their firmware up-to-date, with BIOS write protections are enabled, and firmware integrity must be verified to safeguard against unauthorized modifications.
No comments