The TrickBot malware family has sustained its status as a worthy adversary in the world of cybersecurity since 2016. Even after a recent campaign by US Cyber Command, in collaboration with a few major technology companies, aimed at taking down a significant chunk of TrickBot’s infrastructure, TrickBot continues to power through, making it a constant uphill battle for cybersecurity defenders and researchers.
Very recently, we’ve learned that TrickBot has unleashed yet another module in its growing arsenal specifically targeting firmware vulnerabilities — aptly named TrickBoot.
What is TrickBoot?
TrickBoot is new functionality within the TrickBot malware toolset capable of discovering vulnerabilities in firmware and enabling attackers to then read, write or even erase the firmware on the device.
Why is this significant?
Once malware is detected on a host, best practice is to wipe the machine and restore from backup. Firmware persistence allows malicious actors to regain access even after the system is formatted.
This marks a significant step in the evolution of TrickBot. Firmware level threats carry unique strategic importance for attackers. By implanting malicious code in firmware, attackers can ensure their code is the first to run. Bootkits allow an attacker to control how the operating system is booted or even directly modify the OS to gain complete control over a system and subvert higher-layer security controls.
In addition, the ability to modify firmware gives attackers another piece of leverage: the threat of bricking a device — holding not only the data but also the physical asset for ransom.
Are my hosts infected with TrickBoot?
Huntress ThreatOps analysts collaborated with the Advanced Intelligence team and received early warning of this emerging threat. With this intel, we validated that no systems running Huntress were affected by the referenced tradecraft or indicators of compromise at the time of this blog. Additionally, we are performing a retrospective hunt against our archived data, dating back to the beginning of October 2020, to confirm whether any TrickBoot incidents were observed.
For non-Huntress partners, we recommend you keep your eyes peeled for randomly named scheduled tasks and services similar to “AdvancedLocTechnic” or “SystemTechGatService”. The presence of the RWEverything driver “RwDrv.sys” may also be an indicator of compromise. On systems prior to Windows 10, TrickBot stores its .DLL modules and configuration files within a random subdirectory in %APPDATA%. This provides an additional opportunity to find the statically named modules — like “injectDll32” or “injectDll64” — before the situation escalates.
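A hunting sketch for the indicators named above, added here as an example and not Huntress's own detection code. It assumes PowerShell 5 or later with the ScheduledTasks module, an elevated session, and user profiles under %SystemDrive%\Users; the exact-name lists hold only the examples quoted in the post.

```powershell
# Added example. IoC names are the ones quoted in the post; -contains is case-insensitive.
$TaskOrServiceNames = 'AdvancedLocTechnic', 'SystemTechGatService'
$ModuleNames        = 'injectDll32', 'injectDll64'
$DriverFile         = 'RwDrv.sys'
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Source, [string]$Name, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Detail = $Detail })
}

# 1. Scheduled tasks carrying one of the quoted names.
$tasks = @(Get-ScheduledTask -ErrorAction SilentlyContinue)
$tasks | Where-Object { $TaskOrServiceNames -contains $_.TaskName } |
    ForEach-Object { Add-Finding 'ScheduledTask' $_.TaskName ($_.Actions.Execute -join '; ') }

# 2. Services carrying one of the quoted names (service name or display name).
Get-CimInstance Win32_Service |
    Where-Object { $TaskOrServiceNames -contains $_.Name -or $TaskOrServiceNames -contains $_.DisplayName } |
    ForEach-Object { Add-Finding 'Service' $_.Name $_.PathName }

# 3. The RWEverything driver registered as a system driver.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$DriverFile" } |
    ForEach-Object { Add-Finding 'Driver' $_.Name $_.PathName }

# 4. Statically named modules inside subdirectories of each user's %APPDATA%.
Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Roaming" -Directory -Force -ErrorAction SilentlyContinue |
    Get-ChildItem -File -Force -Depth 2 -ErrorAction SilentlyContinue |
    Where-Object { $ModuleNames -contains $_.BaseName } |
    ForEach-Object { Add-Finding 'AppDataModule' $_.Name $_.FullName }

# The task names are random per infection, so exact matches can miss variants:
# also list every task outside \Microsoft\ for manual review.
$reviewTasks = $tasks |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    Select-Object TaskPath, TaskName, @{ n = 'Execute'; e = { $_.Actions.Execute -join '; ' } }

'--- Exact indicator matches ---'
if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { 'none' }
'--- Non-Microsoft scheduled tasks to review by hand ---'
$reviewTasks | Sort-Object TaskPath, TaskName | Format-Table -AutoSize -Wrap
```

A driver hit on its own is not proof of infection, since RWEverything is a legitimate tool; weigh it together with the task, service and module results.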
How does it work and what can I do to mitigate?
Here’s what it looks like from an attack chain perspective:
Initial Access: TrickBot infections typically start with malicious emails containing the Emotet malware “dropper”. Investing in Email Security and User Awareness Training will help prevent this threat vector.
Persistence and Lateral Movement: After gaining access, TrickBot often creates a Scheduled Task to establish a foothold and then proceeds to escalate privileges and spread laterally. Using Huntress and minimizing administrative permissions are worthwhile investments.
Post Exploitation: Additional malicious modules are downloaded once access is established. This is where the TrickBoot payload will be loaded to check for firmware vulnerabilities or write capabilities. Filtering tools may block access to known downloader C2 locations; in addition, good patching hygiene should extend to 3rd party software, firmware and UEFI/BIOS.
Persistence for Your Persistence: If write capabilities are available, TrickBoot now has an opportunity to implant UEFI/BIOS persistence, adding the ability to reinfect the device even after an OS wipe. Check out the links below for ongoing research about UEFI or firmware hacking.
Action: Once the stones are laid, the attacker’s objective ($$) is within arm’s reach. In most cases, we’re dealing with a ransomware attack — sometimes accompanied by data exfiltration and now the threat of bricking the machine. If attackers get through previous layers of defense, having earlier detection through Ransomware Canaries will allow you to respond faster and mitigate the spread of infection.
What is Huntress doing?
Over the past several years, Huntress has discovered and remediated over 14,000 TrickBot infections. This experience formed the foundation of our advanced detection capabilities and detailed remediation guidance. Between our existing Persistent Footholds service and our Managed Antivirus beta, partners have solid protection and early detection in place. To improve that security posture against TrickBoot, we’ve also created a new detector that hunts for the misuse of the legitimate RWEverything driver (rwdrv.sys)—and we’ll continue to monitor this situation.
Looking to Learn More about UEFI or Firmware Hacking?
Despite the new attention to firmware persistence, this threat vector has been documented and abused for nearly 15 years. As a result, there’s tons of historical research and presentations for those looking to learn more. Here are a few of our favorite resources:
- 2006 — Implementing and Detecting an ACPI BIOS Rootkit
- 2009 — Persistent BIOS Infections
- 2012 — UEFI technology: say hello to the Windows 8 bootkit!
- 2015 — Summary of Attacks Against BIOS and Secure Boot
- 2017 — Have You Scanned Your BIOS Recently?
- 2017 — The UEFI Firmware Rootkits: Myths and Reality
- 2018 — Advancing the State of UEFI Bootkits
Fact: Malware will continue to adapt and resist our defenses; we see this every day.
Also fact: As hackers keep hacking, Huntress will keep hunting.
Thank you to Kyle Hanslovan and John Ferrell for contributing to this article.
Want to keep the conversation going about new attacker tradecraft techniques? Join us monthly for Tradecraft Tuesday.