TrickBot Malware Gets UEFI/BIOS Bootkit Feature to Remain Undetected
Security News, December 2020
TrickBot, one of the most notorious and adaptable malware botnets in the world, is expanding its toolset to set its sights on firmware vulnerabilities to potentially deploy bootkits and take complete control of an infected system.
The new functionality, dubbed "TrickBoot" by Advanced Intelligence and Eclypsium, uses readily available tooling to check whether a device's SPI flash write protections are properly configured. Where they are not, a well-known and widespread class of weakness, an attacker who already has kernel-level access can write directly to the UEFI/BIOS firmware, giving the operators a persistence mechanism that survives operating-system reinstallation and even disk replacement.
UEFI is the firmware interface that has replaced legacy BIOS on modern systems. It adds security features such as Secure Boot, which verifies the signatures of bootloaders and other early boot components so that tampering with the boot chain can be detected. Those checks do not protect the firmware itself: if the SPI flash holding it is left writable, an implant written there runs before, and beneath, everything Secure Boot verifies.
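How such a write-protection check works, as an added example that is not TrickBoot's code or Eclypsium's tooling: the C below interprets snapshots of the two register sets that decide whether the BIOS region of SPI flash can be written from the operating system on Intel platforms, the BIOS_CNTL register (its BIOSWE, BLE and SMM_BWP bits) and the Protected Range registers PR0..PR4. Reading those registers requires kernel access (TrickBoot does it through a signed third-party driver, and firmware-audit tools use drivers of their own), so the register values here are constructed, and the LOCKED/WEAK/NONE classification is this example's own policy rather than any tool's.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * BIOS_CNTL: the BIOS Control register in the PCH SPI controller's PCI
 * configuration space (offset 0xDC on Skylake through Comet Lake platforms).
 * Bit positions follow the Intel PCH datasheets.
 */
#define BIOS_CNTL_BIOSWE   (1u << 0) /* BIOS Write Enable: 1 = BIOS region of flash is writable        */
#define BIOS_CNTL_BLE      (1u << 1) /* BIOS Lock Enable: setting BIOSWE raises an SMI that can veto it */
#define BIOS_CNTL_SMM_BWP  (1u << 5) /* SMM BIOS Write Protect: writes accepted only while in SMM       */

/* Protected Range registers PR0..PR4 (SPI controller MMIO): bit 31 = write-protect
 * enable, bits 28:16 = limit and bits 12:0 = base, both in 4 KiB flash-address units. */
#define PR_COUNT      5
#define PR_WPE        (1u << 31)
#define PR_BASE(pr)   ((((pr) & 0x1FFFu) << 12))
#define PR_LIMIT(pr)  (((((pr) >> 16) & 0x1FFFu) << 12) | 0xFFFu)

typedef enum {
    WP_LOCKED, /* BLE and SMM_BWP both set: writes must originate from SMM              */
    WP_WEAK,   /* only one of the two set: protection rests on a single mechanism        */
    WP_NONE    /* neither set: any ring-0 code can set BIOSWE and write the BIOS region  */
} wp_status_t;

/* Classify BIOS-region write protection from a BIOS_CNTL snapshot. */
wp_status_t classify_bios_cntl(uint8_t bios_cntl)
{
    bool ble = (bios_cntl & BIOS_CNTL_BLE) != 0;
    bool smm_bwp = (bios_cntl & BIOS_CNTL_SMM_BWP) != 0;
    if (ble && smm_bwp)
        return WP_LOCKED;
    if (ble || smm_bwp)
        return WP_WEAK;
    return WP_NONE;
}

/* True if flash_addr lies inside a Protected Range whose write-protect bit is set. */
bool pr_write_protected(const uint32_t pr[PR_COUNT], uint32_t flash_addr)
{
    for (int i = 0; i < PR_COUNT; i++) {
        if (!(pr[i] & PR_WPE))
            continue;
        if (flash_addr >= PR_BASE(pr[i]) && flash_addr <= PR_LIMIT(pr[i]))
            return true;
    }
    return false;
}

/* Verdict for one flash address: exposed to a kernel-level attacker unless
 * BIOS_CNTL fully locks the region or a PRx range covers the address. */
bool bios_region_exposed(uint8_t bios_cntl, const uint32_t pr[PR_COUNT], uint32_t flash_addr)
{
    return classify_bios_cntl(bios_cntl) != WP_LOCKED && !pr_write_protected(pr, flash_addr);
}

/* Constructed register snapshots (not captured from real hardware). PR0 in
 * SAMPLE_PR_BIOS write-protects 0x800000..0xFFFFFF, a BIOS region at the top
 * of a 16 MiB flash; PR1..PR4 are unused. */
const uint8_t  SAMPLE_CNTL_LOCKED = BIOS_CNTL_BLE | BIOS_CNTL_SMM_BWP; /* 0x22 */
const uint8_t  SAMPLE_CNTL_OPEN   = BIOS_CNTL_BIOSWE;                  /* 0x01 */
const uint32_t SAMPLE_PR_NONE[PR_COUNT] = {0, 0, 0, 0, 0};
const uint32_t SAMPLE_PR_BIOS[PR_COUNT] = {0x8FFF0800u, 0, 0, 0, 0};

int main(void)
{
    const uint32_t addr = 0x900000u; /* inside the sample BIOS region */
    printf("locked BIOS_CNTL, no PR : exposed=%d\n", bios_region_exposed(SAMPLE_CNTL_LOCKED, SAMPLE_PR_NONE, addr));
    printf("open BIOS_CNTL,   no PR : exposed=%d\n", bios_region_exposed(SAMPLE_CNTL_OPEN, SAMPLE_PR_NONE, addr));
    printf("open BIOS_CNTL,   PR0   : exposed=%d\n", bios_region_exposed(SAMPLE_CNTL_OPEN, SAMPLE_PR_BIOS, addr));
    return 0;
}
```

The same two register sets are what a defender should audit on their own fleet; the chipsec project's `common.bios_wp` module performs this check with live register reads, and a result that is not fully locked means a compromised kernel could write the firmware regardless of Secure Boot.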
The newest addition to their arsenal suggests that TrickBot can not only be used to hit systems en masse with ransomware and UEFI attacks, but also to give criminal actors extra leverage during ransom negotiations by leaving a covert UEFI bootkit on the system for later use.
TrickBot's reconnaissance component, first observed in October 2020, shortly after the take-down attempts orchestrated by US Cyber Command and Microsoft, targets Intel-based systems with Skylake through Comet Lake chipsets and probes the UEFI firmware of infected machines for these weaknesses.