TrickBot's new module aims to infect your UEFI firmware
2020-12-03 06:17

TrickBot malware developers have created a new module that probes for UEFI vulnerabilities, demonstrating the actor's effort to take attacks to a level that would give them ultimate control over infected machines.

TrickBoot acts as a reconnaissance tool at this stage, checking for vulnerabilities in the UEFI firmware of the infected machine.

"All requests to the UEFI firmware stored in the SPI flash chip go through the SPI controller, which is part of the Platform Controller Hub on Intel platforms. This SPI controller includes access control mechanisms, which can be locked during the boot process in order to prevent unauthorized modification of the UEFI firmware stored in the SPI flash memory chip" - joint report.
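As an added illustration (not from the article or the joint report), the sketch below decodes one of those access control mechanisms, the Intel PCH BIOS Control register, and reports whether the lock was engaged during boot. The register and bit names (BIOSWE, BLE, SMM_BWP) are taken from Intel PCH datasheets rather than from this page, and the sample register values are constructed.

```python
# Added example: defensive check of the SPI controller's BIOS write-protection bits.
# Bit positions follow Intel PCH datasheets (BIOS Control register); they are an
# assumption brought in for illustration and are not named on the original page.
BIOSWE = 1 << 0    # BIOS Write Enable: flash writes are currently allowed
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE triggers an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protection: writes only from SMM code


def assess_bios_cntl(value):
    """Return (verdict, findings) for an 8-bit BIOS Control register value."""
    if not 0 <= value <= 0xFF:
        raise ValueError("BIOS Control is an 8-bit register")
    we, ble, bwp = bool(value & BIOSWE), bool(value & BLE), bool(value & SMM_BWP)

    findings = []
    if we:
        findings.append("BIOSWE=1: flash writes are currently enabled")
    if not ble:
        findings.append("BLE=0: the lock was not engaged during boot")
    if not bwp:
        findings.append("SMM_BWP=0: writes are not restricted to SMM code")

    if ble and bwp and not we:
        verdict = "locked"            # writes restricted to SMM
    elif ble and not we:
        verdict = "partially locked"  # protection depends on the SMI handler alone
    else:
        verdict = "unlocked"          # OS-level code can reach the flash
    return verdict, findings


# Constructed sample values, as a firmware audit tool might report them per host.
SAMPLES = {"host-a": 0x2A, "host-b": 0x0A, "host-c": 0x09}


def audit(samples):
    """Map each host name to its verdict."""
    return {host: assess_bios_cntl(v)[0] for host, v in samples.items()}


if __name__ == "__main__":
    for host, value in SAMPLES.items():
        verdict, findings = assess_bios_cntl(value)
        print(f"{host}: 0x{value:02X} -> {verdict}")
        for finding in findings:
            print(f"  - {finding}")
```
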

Apart from using UEFI implants as leverage in negotiations to drive up the ransom price, the cybercriminals could maintain access to the machines even after the victim pays them to release systems from TrickBot control.

Jesse Michael, principal researcher at Eclypsium, told BleepingComputer that determining if a system has been compromised at the UEFI firmware level is a tough job.


News URL

https://www.bleepingcomputer.com/news/security/trickbots-new-module-aims-to-infect-your-uefi-firmware/