TrickBot according to AdvIntel

Recently in a report published by the company AdvIntel, it was observed the movement of a new Module TrickBot, called by researchers "PermaDll32".

This name caught the attention of researchers because it appeared to be a derivative of the term "permanent" because it made it look like a module that could cause persistent effects.

This article will also interest you: UEFI: TrickBot's persistent target

According to the analysis of computer security researchers, this module had the functionality of reading the information present in the BIOS firmware and also in the UEFI program, when it arrived infected with machines. "This low-level code is stored in a computer's motherboard SPI flash memory chip and is responsible for booting the hardware during the start-up process and transmitting control to the operating system. explains Lucian Constantin, CSO.

The discovery was made by researchers from AdvIntel and Eclypsium, which is known to possess a specialization in firmware security. The two companies have teamed up to better analyze the recent TrickBot module and determine what it could be used for. According to this survey: "The PermaDll32 module deploys a driver called RwDrv.sys" from RWEverything, a fairly popular free program with the functionality of allowing its users to read and write in the hardware components' firmware, including the SPI controller present for UEFI.

"The TrickBot module uses this capability to identify the underlying Intel hardware platform, check whether the BIOS control register is unlocked, and whether bioS/UEFI handwriting protection is enabled. For the full start-up chain to be secure, the UEFI firmware must be protected in writing, but OEM computer manufacturers have often left this misconfigured in systems in the past. explains Lucian Constantin. This feature has allowed groups of cyber espionage hackers to deploy stealth malware. "I think there are probably millions of devices that are still vulnerable to this problem in the field," Jesse Michael, principal investigator for Eclypsium, told CSO. "I don't have the number of devices targeted, but it was a very common thing before 2017 and even after 2017, we still see some out-of-factory devices coming with this vulnerability. Leading suppliers are doing what they can to fill that security gap," he adds.

The problem is well known. It is recalled that a similar loophole had been exploited in the past. This has been used by cyber criminals to deploy UEFI implants by hackers of the APT 28 group through the LoJax attack or with MossaicRegressor.u hackers more recently. Yet there remain many UEFI security flaws and several hardware configuration errors that have been constantly reporting for years now. Vulnerabilities that could be exploited by TrickBot later.

"The national security implications resulting from a widespread malware campaign capable of plugging devices are enormous," the researchers warn. "The TrickBoot module targets all Intel systems produced over the past five years. According to Eclypsium analysis, most of these systems remain vulnerable to one of the multitudes of firmware vulnerabilities currently known, with a smaller proportion likely to be susceptible to the problem of poor configuration."

The best way to protect yourself from gender attacks and of course to constantly update the BIOS/ UEFI. As the known vulnerabilities are being fixed. It is important to make updates because these are things that are mostly overlooked. A simple routine but without knowing why is difficult for companies to follow.

"People often focus on operating system updates and neglect firmware updates," says Jesse Michael. "So you may have a firmware update for your system that you can deploy to fix this problem, but because you don't have it, because you don't include firmware updates in your normal IT operations, you take longer to apply them. As a precautionary measure, you must include firmware updates in your normal processes."

It is possible to solve this problem. However, another problem will have to be addressed in the early stages of the lack of visibility of firmware problems when analyzing vulnerabilities.

Now access an unlimited number of passwords: