If malware can gain control of your device’s firmware, then say goodbye to your device. Manufacturers put firmware on their computers and other devices so that they work properly upon startup. This is why many manufacturers won’t let you access the firmware. Messing with the firmware could destroy their product. Yes, firmware upgrades do occasionally come along, but only to those devices that allow for upgrades. Even then, bad upgrades can brick your device. So, when cybersecurity firm, Eclypsium found that the infamous Trickbot Trojan has developed capabilities to access a device’s firmware, alarms should have sounded. Yeah, of course they haven’t, but they should have.
So why is this such a problem? To answer this question, it’s necessary to see what happens when you boot up your computer. Here’s a simple diagram to help explain this.
Although older computers still use BIOS, newer machines use something called UEFI or Unified Extensible Firmware Interface. They both do more or less the same things and are both susceptible to the new Trickbot variant that has been named, ‘Trickboot’.
The BIOS, or UEFI, are programs on a chip in the motherboard. When the power is turned on, these programs look for how the operating system (OS) will boot in. The default choice is usually via the hard drive. That’s where something called the Master Boot Record (MBR) is stored. It is the first thing accessed by the BIOS. Why is this important? Because if Trickboot can access the UEFI or BIOS and install some malicious code there, it can intercede in the boot process. And, since the BIOS is not accessible from the hard drive, any malware lurking there will probably stay there forever. As you can see from the diagram, you can take out the hard drive and put in a new one, but the malware will still be there on your computer. Only some sort of firmware update or chip replacement would seem to work, but even that would not be guaranteed. Trickboot may access the new chip as well.
Trickbot began its nefarious career as a banking Trojan. It has evolved over time into modular malware, which simply means it has bundled together a lot of hacking tools which it can use on networks and devices that it has preliminarily scanned for vulnerabilities. It is designed to bypass spam filters and sends phishing emails that appear to be legitimate.
Concerted efforts by governments and private cybersecutity firms to take down Trickbot have mainly failed. Besides some temporary interruptions in its activities, Trickbot has always been able to rebuild its network. With the addition of the Trickboot variant, such coordinated attacks on Trickbot need to be ramped up, and ramped up soon.
No one knows whether this new variant has already been employed. Malware located so deeply within a computer would be difficult to find as normal antivirus software does not scan firmware. Trickboot could be discretely injecting itself into numerous computers and, once in control of the operating system, could move freely through any network the computer was connected to. Its main vulnerability would be in its connecting to C2 servers. Yes, some of its actions within the operating system could be detected, but they could not be stopped completely. Every time the computer was rebooted the same malware would be put back into place.
Such a presence would have some serious consequences. Imagine that instead of encrypting a victim’s files on the hard disk, ransomware had control of the firmware. They could effectively threaten to destroy the device unless a ransom was paid. They could, in fact, demonstrate this to the victim. In this scenario, a company or organization could not only lose all of its data, it could physically lose its network.
This is not the first time that firmware-attacking malware has appeared. Leaked information from the Vault 7 files showed that the CIA had something akin to a UEFI malware for Apple back in 2017. In 2018, malware that tweaked available tools managed to rewrite UEFI software. Then, in October of 2020, Kaspersky reported on a UEFI-compromising malware that could send documents to the malware’s control center. This malware appeared to come from China and, as such, was likely supported by the Chinese government. Unlike Trickboot, the researchers believed that this malware could only be put in place by people having physical access to a device, for example, by using an infected USB.
The reason that Trickboot is so concerning is that Trickbot controls such a vast network and does so with a sophistication that surpasses most similar malware bundles. It is considered to be a product of adept Russian hackers who will rent the malware to whomever has the money. They have been known to work with North Korea and no doubt have connections to the Russian government. My guess is that the Russian government allows them to do its financial hacking unimpeded in exchange for their being able to use it for more politically oriented attacks. If nothing you’ve read in this post disturbs you, just imagine a firmware compromising malware in the hands of the Russian, Iranian, or North Korean governments. Maybe it has already been used.
Firmware scanners are beginning to come on the market. Microsoft has added such a scanner to its Windows 10 Defender antivirus. This seems like a good idea, but I would guess it will only be a matter of time before hackers learn to disable such scanning or use the scanning tool itself to penetrate to the firmware. That’s simply the cat-and-mouse history of cybersecurity.