UEFI: TrickBot's persistent target
Recently computer security researchers AdvIntel made an amazing discovery.
A TrickBot module allowing malware to persist and continue to act even though the targeted system has been reformated or replaced. A feature that is not going to make it easy for information system security managers.
This article will also interest you: Trickbot: Microsoft and the U.S. authorities against the world's largest zombie network
Technically, It should be noted that TrickBot uses a platform that has the ability to identify hardware modules running on Intel but in an underlying way. It then allows you to check the BIOS control register to make sure it is unlocked or without any protection.
A rather disturbing development of the TrickBot program, which was already giving professionals a hard time. As a reminder, it should be noted that TrickBot is a Botnet, that is, a network of computers fraudulently connected to generate computing power, usually used by hackers to gateway companies to corporate networks to inject ransomware or other malware to subject them to their control. Thanks to the new modules identified by security researchers, the Botnet can now search for the UEFI configuration that has security flaws on systems they have previously infected. This then allows the cyber attackers to deploy backdoors, so low level, that it is difficult for researchers to remove them.
As accurate as it means that UEFI for "Unified Extensible Firmware Interface" is a tool that ensures that on a computer system no malware of the rootkit kind (used by hackers to modify operating systems for the purpose of hiding malware, transferring data or backdoors) is installed. It should be remembered that Kaspersky announced that he had discovered a rootkit called MoazaicRegressor, which mainly attacks UEFI discs.
"This marks an important milestone in the evolution of TrickBot," said researchers from computer security companies Advanced Intelligence (AdvIntel) and Eclypsium in their recent report released today. "UEFI-level implants are the deepest, most powerful and most stealthy form of bootkits. Because the firmware is stored on the motherboard as opposed to system drives, these threats can provide attackers with continuous persistence, even if the disk is replaced. Similarly, if the firmware is used to brick a device, the recovery scenarios are markedly different and more difficult than recovering from traditional file system encryption than a ransomware campaign like Ryuk, for example." They note.
Going back to TrickBot, it was basically a Trojan horse-type malicious program. He was generally in the area of online banking fraud and the theft of login credentials such as passwords and usernames.
Today, it presents itself as a vast cybercrime platform that extends to multiple features and capabilities that takes into account RDP analytics, remote access going through the VNC plus, exploits through SMB vulnerabilities.
Several operators have been observed behind the use of TrickBot. Among many others is the famous cybersecurity group called Overdose or The Trick. It uses the malware to gain access to corporate networks, and then provides other groups of cyber criminals with access, especially the operators behind the Ryuk ransomware. The Lazarus group, known as a hacker group working on behalf of the Korean state, is also said to have used TrickBot to develop backdoors.
According to computer security researchers, TrickBot operators most often offer their service to the APT category group or to higher-class hacker groups.
Last October, Redmond Microsoft and several other organizations came together to deal a major blow to the TrickBot malware control and control infrastructure. Although the operation was a success, the Botnet is still alive. In November, several cybercrime companions in the summer initiated on the basis of the latter.
Now access an unlimited number of passwords: