Security Experts:

Connect with us

Hi, what are you looking for?



TrickBot Malware Can Scan Systems for Firmware Vulnerabilities

TrickBot has been updated with functionality that allows it to scan the UEFI/BIOS firmware of the targeted system for vulnerabilities, security researchers have discovered.

TrickBot has been updated with functionality that allows it to scan the UEFI/BIOS firmware of the targeted system for vulnerabilities, security researchers have discovered.

Around since 2016, the malware recently survived a takedown attempt that resulted in most of its command and control (C&C) domains becoming unresponsive. Since then, however, it received several updates that allow it not only to continue operation, but also to better survive similar attempts.

Identified by the security researchers at Advanced Intelligence (AdvIntel) and Eclypsium, the most recent of the newly added functionalities leverages readily available tools to identify vulnerabilities allowing attackers to modify the UEFI/BIOS firmware.

By exploiting such bugs, TrickBot operators could start using firmware implants and backdoors or move to bricking targeted devices. They could control the boot operation and even gain full control over compromised systems.

As Eclypsium points out, firmware-level malware has a strategic importance: attackers can make sure their code runs first and is difficult to detect, and can remain hidden for very long periods of time, until the system’s firmware or hard drive are replaced.

“TrickBot has proven to be one of the most adaptable pieces of malware today, regularly incorporating new functionality to escalate privilege, spread to new devices, and maintain persistence on a host. The addition of UEFI functionality marks an important advance in this ongoing evolution by extending its focus beyond the operating system of the device,” Eclypsium notes.

This is not the first time TrickBot’s developers, which are believed to be none other than the cybercriminals behind the Dyre Trojan, have shown an interest in the use of established tools and exploits.

Previously, they adopted Mimikatz and EternalBlue for their malicious operations, and are now using an obfuscated version of the RwDrv.sys driver from the RWEverything (read-write everything) tool to access the SPI controller and verify whether the BIOS can be modified.

Previous instances in which cybercriminals abused such capabilities to maintain persistence into the firmware include LoJax malware attacks and the Slingshot APT campaign.

The new TrickBot module, the researchers explain, interacts with the SPI controller to check whether BIOS write protections are enabled. While the module hasn’t been seen modifying the BIOS itself, the malware does contain code that allows it to read and alter the firmware.

“This new capability provides TrickBot operators a way to brick any device it finds to be vulnerable. Recovering from corrupted UEFI firmware requires replacing or re-flashing the motherboard which is more labor-intensive than simply re-imagining or replacing a hard drive,” the researchers explain.

Related: NSA Publishes Guidance on UEFI Secure Boot Customization

Related: TrickBot Gets Updated to Survive Takedown Attempts

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.