Security Experts:

Connect with us

Hi, what are you looking for?



TrickBot Malware Can Scan Systems for Firmware Vulnerabilities

TrickBot has been updated with functionality that allows it to scan the UEFI/BIOS firmware of the targeted system for vulnerabilities, security researchers have discovered.

TrickBot has been updated with functionality that allows it to scan the UEFI/BIOS firmware of the targeted system for vulnerabilities, security researchers have discovered.

Around since 2016, the malware recently survived a takedown attempt that resulted in most of its command and control (C&C) domains becoming unresponsive. Since then, however, it received several updates that allow it not only to continue operation, but also to better survive similar attempts.

Identified by the security researchers at Advanced Intelligence (AdvIntel) and Eclypsium, the most recent of the newly added functionalities leverages readily available tools to identify vulnerabilities allowing attackers to modify the UEFI/BIOS firmware.

By exploiting such bugs, TrickBot operators could start using firmware implants and backdoors or move to bricking targeted devices. They could control the boot operation and even gain full control over compromised systems.

As Eclypsium points out, firmware-level malware has a strategic importance: attackers can make sure their code runs first and is difficult to detect, and can remain hidden for very long periods of time, until the system’s firmware or hard drive are replaced.

“TrickBot has proven to be one of the most adaptable pieces of malware today, regularly incorporating new functionality to escalate privilege, spread to new devices, and maintain persistence on a host. The addition of UEFI functionality marks an important advance in this ongoing evolution by extending its focus beyond the operating system of the device,” Eclypsium notes.

This is not the first time TrickBot’s developers, which are believed to be none other than the cybercriminals behind the Dyre Trojan, have shown an interest in the use of established tools and exploits.

Previously, they adopted Mimikatz and EternalBlue for their malicious operations, and are now using an obfuscated version of the RwDrv.sys driver from the RWEverything (read-write everything) tool to access the SPI controller and verify whether the BIOS can be modified.

Previous instances in which cybercriminals abused such capabilities to maintain persistence into the firmware include LoJax malware attacks and the Slingshot APT campaign.

The new TrickBot module, the researchers explain, interacts with the SPI controller to check whether BIOS write protections are enabled. While the module hasn’t been seen modifying the BIOS itself, the malware does contain code that allows it to read and alter the firmware.

“This new capability provides TrickBot operators a way to brick any device it finds to be vulnerable. Recovering from corrupted UEFI firmware requires replacing or re-flashing the motherboard which is more labor-intensive than simply re-imagining or replacing a hard drive,” the researchers explain.

Related: NSA Publishes Guidance on UEFI Secure Boot Customization

Related: TrickBot Gets Updated to Survive Takedown Attempts

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.