TrickBot malware operators have added a new capability that can let them interact with an infected computer’s BIOS or UEFI firmware.
The capability, found in a new TrickBot module, was first seen in the wild at the end of October, according to news reports.
The new module worries security researchers because its features would let TrickBot establish a firmware-level foothold on infected systems, one that could survive an operating system reinstall.
AdvIntel and Eclypsium also say the module's features could be used for more than better persistence, for example remotely bricking a device at the firmware level over an ordinary malware remote connection, or reversing ACM or microcode updates that fixed CPU flaws such as Spectre and MDS.
But the good news is that “thus far, the TrickBot module is only checking the SPI controller to check if BIOS write protection is enabled or not, and has not been seen modifying the firmware itself,” according to AdvIntel and Eclypsium.
“However, the malware already contains code to read, write, and erase firmware,” the two companies added.
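The module's current behaviour, as quoted above, is to read the SPI controller state and report whether BIOS write protection is on. The same register can be read by a defender as a hardening audit. The following Python snippet is an added example, not code from the article, AdvIntel or Eclypsium, and it assumes the BIOS_CNTL register layout documented for the Intel 7/8/9-series PCH LPC bridge (bus 0, device 0x1F, function 0, offset 0xDC): bit 0 BIOSWE, bit 1 BLE, bit 5 SMM_BWP. Newer chipsets move this register, so treat the offset as an assumption and use a tool such as chipsec for the authoritative check; the sample register values below are constructed.

```python
"""Decode Intel PCH BIOS_CNTL bits and classify SPI flash write protection.

Assumed layout (7/8/9-series PCH, LPC bridge 00:1f.0, offset 0xDC):
  bit 0  BIOSWE   BIOS Write Enable  (1 = flash writes currently allowed)
  bit 1  BLE      BIOS Lock Enable   (1 = setting BIOSWE raises an SMI)
  bit 5  SMM_BWP  SMM BIOS Write Protect (1 = only SMM code may write flash)
"""

BIOSWE = 1 << 0
BLE = 1 << 1
SMM_BWP = 1 << 5


def decode_bios_cntl(value: int) -> dict:
    """Return the three write-protection-relevant bits of BIOS_CNTL as booleans."""
    return {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }


def write_protection_status(value: int) -> str:
    """Classify a BIOS_CNTL value.

    PROTECTED   BLE and SMM_BWP set: only SMM code can write the BIOS region.
    WEAK        BLE set but SMM_BWP clear: protection depends on SMI handler
                behaviour and can be raced or bypassed on some platforms.
    UNPROTECTED BLE clear: any ring-0 code may enable BIOSWE and write flash.
    """
    bits = decode_bios_cntl(value)
    if bits["BLE"] and bits["SMM_BWP"]:
        return "PROTECTED"
    if bits["BLE"]:
        return "WEAK"
    return "UNPROTECTED"


def status_from_setpci_output(output: str) -> str:
    """Parse the single hex byte printed by `setpci -s 00:1f.0 0xdc.b`.

    On a Linux host the register can be read with that command (requires
    root); here the output string is supplied by the caller.
    """
    return write_protection_status(int(output.strip(), 16))


if __name__ == "__main__":
    # Constructed sample values, not readings from a real machine.
    for sample in (0x00, 0x02, 0x22, 0x23):
        print(f"BIOS_CNTL=0x{sample:02x} -> {decode_bios_cntl(sample)} -> "
              f"{write_protection_status(sample)}")
    # Constructed stand-in for setpci output.
    print("setpci output '2a' ->", status_from_setpci_output("2a\n"))
```

A result of UNPROTECTED or WEAK on a production host is the condition that makes firmware-level persistence feasible; the remediation is a firmware update or vendor setting that enables BLE and SMM_BWP (and, where available, the PRx protected-range registers), not a software control.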
Even if the feature has not yet been deployed to its full extent, researchers say suitable cases may include the networks of larger companies, where the TrickBot gang may not want to lose access and may want to leave behind a more robust boot-level persistence mechanism.
If companies who had their networks encrypted refuse to pay, the TrickBot module could be used to destroy their systems, AdvIntel and Eclypsium said.
The module could also be used to prevent incident responders from recovering vital forensic evidence by disabling a system's ability to boot.
"The possibilities are almost limitless," AdvIntel and Eclypsium said, stressing the many different ways in which the module could serve the gang's clients.