One of the Internet’s most aggressive threats could take UEFI malware mainstream

reader comments

58 with 47 posters participating

One of the Internet’s most aggressive threats has just gotten meaner, with the ability to infect one of the most critical parts of any modern-day computer.

Trickbot is a piece of malware that’s notable for its advanced capabilities. Its modular framework excels at gaining powerful administrator privileges, spreading rapidly from computer to computer in networks and performing reconnaissance that identifies infected computers belonging to high-value targets. It often uses readily available software like Mimikatz or exploits like EternalBlue stolen from the National Security Agency.

Once a simple banking fraud trojan, Trickbot over the years has evolved into a full-featured malware-as-a-service platform. Trickbot operators sell access to their vast number of infected machines to other criminals, who use the botnet to spread bank trojans, ransomware, and a host of other malicious software. Rather than having to go through the hassle of ensnaring victims themselves, customers have a ready-made group of computers that will run their crimeware.

The first link in the security chain

Now, Trickbot has acquired a new power: the ability to modify a computer’s UEFI. Short for Unified Extensible Firmware Interface, UEFI is the software that bridges a computer’s device firmware with its operating system. As the first piece of software to run when virtually any modern machine is turned on, it’s the first link in the security chain. Because the UEFI resides in a flash chip on the motherboard, infections are difficult to detect and remove.

According to research findings published on Thursday, Trickbot has been updated to incorporate an obfuscated driver for RWEverything, an off-the-shelf

Continue reading – Article source