The UEFI/BIOS Firmware is Vulnerable to the New TrickBot Version

The UEFI/BIOS Firmware is Vulnerable to the New TrickBot Version

Recently, two security firms named Advanced Intelligence and Eclypsium dropped a bombshell in a joint report. They found that the TrickBot malware incorporated a new capability in its arsenal. It did so to interact with the BIOS or UEFI firmware of an infected computer.

The functionality came out as a part of a new TrickBot module, initially caught the attention in October 2020, the report says. The worrisome thing is that the new module has footholds that could condone the TrickBot malware to survive OS reinstalls.

But we have good news here. According to AdvIntel and Eclypsium, TrickBot has not yet engaged in modifying the firmware itself. The new module is only trying to check whether the BIOS write protection is enabled via the SPI controller.


Overcoming cyber threats is not enough nowadays. Digital forensics is the answer to getting to the bottom of the cyber onslaught.


Features of the new module

Apart from the persistence factor, the new module possesses more fear-spreading features.

At the firmware level, it can remotely brick a device using a malware remote connection. It holds the capacity to surpass security controls: Windows-10 Virtual Mode, BitLocker, ELAM, and endpoint protection controls like EDR, A/V, etc.

Additionally, it can target Intel CSME vulnerabilities as a follow-on attack. Microcode updates that help patched CPU flaws like MDS, Spectre, TrickBot now contains an ability to reverse them, too.

Background of TrickBot

TrickBot is a modular Trojan, gained notoriety for its capability to seize administrator privileges. Along the same lines, it proliferates within a network and drops further malware payloads.

It came into the spotlight back in 2016. Initially, it used to focus on stealing financial data. Consequently, it got considered a banking Trojan. During its evolution cycle, attackers swiftly discovered that it was a worthy asset in all kinds of malware campaigns. Coupled with Emotet, TrickBot got notably observed delivering Ryuk ransomware.

Many actors have used TrickBot malware so far, but there is one group, alias Overdose, that used it the most. It has made nearly $150m since 2018.

Timing of the addition of new features

It is noteworthy to focus on the timing of the addition of new features to the TrickBot malware.

After a failed takedown attempt, where Microsoft managed to disrupt TrickBot internet servers using legal means, it seems that TrickBot is making a comeback. This time around, it is giving goosebumps to people.

TrickBot operations have seen a range of updates over the past few weeks. They are ranging from new obfuscation techniques and new command-and-control infrastructure to new spam campaigns.

All of these updates suggest TrickBot is trying to revive itself, one of today’s top 3 successful cybercrime-as-a-service botnet operations. In its peak time, it was managing more than 40,000 infected computers each day.

Survived the takedown attempt, it seems that TrickBot is slowly coming back to life with robust features. TrickBot has shown its resiliency to disruptive actions by security vendors and governments. With this, one can expect substantial infrastructure changes and malware updates to happen in the coming times.

Takeaway lesson

As cyber threat actors seem becoming robust with high-than-expected features inside malware, it is time to raise the bulwark of cybersecurity. Consult cybersecurity advisory to deal with evolving cybersecurity threats.



New TrickBot Version

Takedown attempt

A Joint report by AdvIntel and Eclypsium