TrickBot malware has evolved to include functionality that lets it inspect the UEFI/BIOS firmware of a victim's system. The Unified Extensible Firmware Interface (UEFI) governs the operation of low-level platform firmware, which includes the loading of the operating system. BIOS is firmware used to perform hardware initialization during the boot process. According to collaborative research from AdvIntel and Eclypsium, the new TrickBot functionality, nicknamed "TrickBoot," scans devices for known vulnerabilities that allow attackers to read, write or erase the UEFI/BIOS firmware of a system.

By embedding malicious code in the boot mechanism, an attacker ensures that the malicious code runs before any other functions. This allows cybercriminals to control how the operating system is booted or to modify the operating system to gain complete control over the system. It can allow them to infect systems with backdoors, implant firmware or totally destroy a device. Currently, only scanning activity has been detected in this evolution of TrickBot, but primitive code for reading, writing and erasing firmware has also been found in the module, which indicates the possibility of future activity.
