Eclypsium Threat Report, December 2020: Firmware TrickBoot

This month’s top story in the threat landscape boils down to one word: TrickBoot. Put simply: the most prominent and dangerous criminal malware apparatus behind the TrickBot toolset (yes, the same campaigns that led to the destructive Ryuk and Conti ransomware that has netted the group over $150m in the last few years) now has a new capability aimed at firmware reconnaissance on any Intel host infected by TrickBot. Our analysis is that there are hundreds of thousands of such infected hosts on any given Sunday.

Collaborative research between Vitali Kremez of Advanced Intelligence and Eclypsium’s Jesse Michael and Scott Scheferman found the following: the authors, known for their ability to develop and expand the functionality of the toolset’s codebase, have for now targeted the same vulnerability that LoJax did, reusing portions of an open-source project that lets an attacker “read and write everything” at the firmware level. Our research shows that the code for this new TrickBoot module is one line away from being able to erase or corrupt the UEFI firmware and brick a device.

We estimate that millions of vulnerable devices are already out there, and there are hundreds of thousands of active TrickBot infections on any given day, spread across the critical infrastructure, health, finance, and telecom industries. This same toolset (TrickBot) has been reported to have been used by other “vetted customers” of the same group, North Korea being one of them. Last month we covered MosaicRegressor, where, after five whole years of the shared Vector-EDK UEFI code being publicly available, only one instance of its use in a campaign had ever been discovered. A month later, we are looking at a crimeware powerhouse with a massive distribution system (Emotet), resilient infrastructure, and the ability for TrickBot actors to perform automated reconnaissance in any target environment for firmware that can be bricked, or implanted with a persistence module or other payloads.
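The reconnaissance described above comes down to one question: can code running as ring 0 on this host write to the SPI flash region that holds the UEFI firmware? The same question is what a defender should answer before an attacker does. The block below is an added example written for this report, not TrickBoot’s code and not an Eclypsium tool. It decodes the Intel PCH SPI write-protection state from raw register values and returns a verdict. The register names and bit layouts (BIOS_CNTL bits BIOSWE, BLE and SMM_BWP; the PR0–PR4 protected-range format; the FLOCKDN lock bit) follow the Intel 100-series PCH datasheet and are assumptions relative to this page; the sample values at the bottom are constructed, not captured from a real machine. Reading the registers themselves requires a kernel driver, which is exactly the piece TrickBoot borrows from an open-source project.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* BIOS_CNTL register (PCI 00:1f.0, offset 0xDC) bit fields.
 * Layout assumed from the Intel 100-series PCH datasheet. */
#define BIOSWE   (1u << 0)  /* BIOS Write Enable: 1 = flash BIOS region is writable */
#define BLE      (1u << 1)  /* BIOS Lock Enable: setting BIOSWE raises an SMI */
#define SMM_BWP  (1u << 5)  /* writes allowed only while all cores are in SMM */

enum bios_wp_state {
    WP_WRITABLE_NOW,        /* BIOSWE already set: any ring-0 code can write */
    WP_ATTACKER_CAN_ENABLE, /* BLE clear: attacker just sets BIOSWE itself */
    WP_RACEABLE,            /* BLE set but SMM_BWP clear: SMI handler can be raced */
    WP_PROTECTED            /* BIOSWE clear, BLE and SMM_BWP set */
};

/* Classify the BIOS_CNTL value alone, before looking at protected ranges. */
enum bios_wp_state classify_bios_cntl(uint8_t bios_cntl)
{
    if (bios_cntl & BIOSWE)     return WP_WRITABLE_NOW;
    if (!(bios_cntl & BLE))     return WP_ATTACKER_CAN_ENABLE;
    if (!(bios_cntl & SMM_BWP)) return WP_RACEABLE;
    return WP_PROTECTED;
}

/* SPI Protected Range registers PR0..PR4 (assumed layout):
 * bit 31 = Write Protection Enable, bits 28:16 = limit (address bits 24:12),
 * bits 12:0 = base (address bits 24:12). Each range is 4 KiB granular. */
#define PR_WPE (1u << 31)
static uint32_t pr_base(uint32_t pr)  { return (pr & 0x1fffu) << 12; }
static uint32_t pr_limit(uint32_t pr) { return (((pr >> 16) & 0x1fffu) << 12) | 0xfffu; }

/* True if every byte of [region_base, region_limit] falls inside at least one
 * write-protected PR range. Ranges may overlap or abut, so walk the region
 * forward instead of testing registers one at a time. */
bool region_fully_write_protected(uint32_t region_base, uint32_t region_limit,
                                  const uint32_t *pr, size_t npr)
{
    uint32_t cursor = region_base;
    for (;;) {
        uint32_t best_end = 0;
        bool covered = false;
        for (size_t i = 0; i < npr; i++) {
            if (!(pr[i] & PR_WPE)) continue;
            if (pr_base(pr[i]) <= cursor && pr_limit(pr[i]) >= cursor) {
                covered = true;
                if (pr_limit(pr[i]) > best_end) best_end = pr_limit(pr[i]);
            }
        }
        if (!covered) return false;            /* hole in coverage */
        if (best_end >= region_limit) return true;
        cursor = best_end + 1;                 /* continue past this range */
    }
}

/* Overall verdict: can ring-0 code on this host write the BIOS region?
 * flockdn is HSFSTS bit 15; if it is clear the PR registers themselves are
 * writable and give no protection, so only BIOS_CNTL counts. */
bool bios_region_writable(uint8_t bios_cntl, bool flockdn,
                          uint32_t region_base, uint32_t region_limit,
                          const uint32_t *pr, size_t npr)
{
    if (flockdn && region_fully_write_protected(region_base, region_limit, pr, npr))
        return false;
    return classify_bios_cntl(bios_cntl) != WP_PROTECTED;
}

int main(void)
{
    /* Constructed sample: 16 MiB flash, BIOS region at 0x500000..0xFFFFFF,
     * BLE set but SMM_BWP clear, FLOCKDN set, PR0 covers only half the region. */
    const uint32_t pr[5] = { 0x87ff0500u, 0, 0, 0, 0 };
    uint8_t bios_cntl = BLE;
    bool writable = bios_region_writable(bios_cntl, true, 0x500000u, 0xffffffu, pr, 5);
    printf("BIOS_CNTL=0x%02x state=%d region writable=%s\n",
           bios_cntl, classify_bios_cntl(bios_cntl), writable ? "yes" : "no");
    return 0;
}
```

A host that returns `true` from `bios_region_writable` is one where a TrickBoot-style module, running with the same driver-backed access, could proceed from reconnaissance to writing the firmware; `WP_RACEABLE` hosts are not safe either, since the SMI-based lock can be raced from a second core.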


Join AdvIntel and Eclypsium for a live webinar exploring the implications of TrickBot’s foray into firmware on December 9, 2020.

Vitali Kremez, Jesse Michael, Scott Scheferman