2020-12-04

We frequently see new malware appear, some strains with greater impact than others, but all with the same purpose: to exploit the weaknesses of our devices and get the most out of them.

Among them, TrickBot stands out. It is a very peculiar piece of malicious software, since it takes advantage of UEFI vulnerabilities to take over the boot process of our computers, a situation that gives the attackers total control over our machines.

But what is UEFI?

UEFI (Unified Extensible Firmware Interface) is the first program to run when we turn on our computers. Its function is to manage the basic and advanced configuration of our system. It is a standard promoted by companies such as Intel, AMD and Microsoft, among others, to “overcome BIOS limitations.”

As you can see, it is an essential part of starting up our computers. So what is going on here? As we already mentioned, attackers are taking advantage of the weaknesses of this interface to take control of our machines.

Its potential is such that it can take our credentials, both those used to log in to the machines and those we use on websites, in email and in other applications. It really is very dangerous software.

TrickBot prevents us from reinstalling our operating system

Sometimes, when we are faced with this kind of malware, our last resort is to format our computers. But TrickBot presents a big problem, since it prevents us from reinstalling our operating system, even if we replace the internal storage, such as the hard drive.

The cybersecurity companies AdvIntel and Eclypsium have taken on the task of investigating TrickBot’s behavior. These organizations have stated that the malware behaves “like a reconnaissance tool.”

The software scans the computer for weaknesses in the UEFI firmware that allow it to read, write and even erase it. They have also reported that the attacks target Intel platforms.

The report indicates that TrickBoot queries the PCH (Platform Controller Hub) to learn the model running on the system under attack, so that it knows which platform it is facing.

Similarly, the study shows that this software uses fwexpl, a firmware exploitation tool, to read and write data through hardware I/O ports and physical memory addresses.

So how can we counter a TrickBot attack?

The researchers recommend using an SPI flash programming device to read the contents of the SPI memory chip while the system is powered off. They also advise using open-source tools to analyze our computers and determine whether BIOS write protection is enabled. In addition, they suggest updating the firmware of our devices.
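The write-protection check the researchers mention comes down to a few bits in the Intel PCH. As an added example, not code from the article or from the AdvIntel/Eclypsium report, the script below decodes the BIOS_CNTL register (LPC bridge D31:F0, config offset 0xDC: BIOSWE bit 0, BLE bit 1, SMM_BWP bit 5) and the FLOCKDN bit (bit 15) of the SPI HSFS register, which is what open-source firmware checkers such as chipsec read before reporting a verdict. The register values fed to it are constructed samples, not captures from a real machine; on real hardware those values are read from PCI configuration space and the SPI controller MMIO, which this example does not do. The "protected only if all three bits agree" policy is this example's own conservative choice.

```python
# Added example: decode the Intel PCH BIOS write-protection bits that
# open-source firmware checkers read. Register layout per Intel PCH datasheets;
# the sample values below are constructed, not captured from a real system.
from dataclasses import dataclass, field

# BIOS_CNTL (D31:F0, offset 0xDC) bits
BIOSWE = 1 << 0    # BIOS Write Enable: 1 = BIOS region of SPI flash is writable
BLE = 1 << 1       # BIOS Lock Enable: 1 = an attempt to set BIOSWE triggers an SMI
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: 1 = writes allowed only from SMM

# SPI HSFS (Hardware Sequencing Flash Status) bit
FLOCKDN = 1 << 15  # Flash Configuration Lock-Down: 1 = protected ranges are locked


@dataclass
class BiosWpStatus:
    bioswe: bool
    ble: bool
    smm_bwp: bool
    flockdn: bool
    protected: bool
    findings: list = field(default_factory=list)


def decode_bios_cntl(bios_cntl: int, hsfs: int) -> BiosWpStatus:
    """Decode BIOS_CNTL and HSFS and list the reasons, if any, that the
    SPI BIOS region is not considered write-protected."""
    bioswe = bool(bios_cntl & BIOSWE)
    ble = bool(bios_cntl & BLE)
    smm_bwp = bool(bios_cntl & SMM_BWP)
    flockdn = bool(hsfs & FLOCKDN)

    findings = []
    if bioswe:
        findings.append("BIOSWE set: BIOS region is currently writable from software")
    if not ble:
        findings.append("BLE clear: software can set BIOSWE with no firmware check")
    if not smm_bwp:
        findings.append("SMM_BWP clear: protection rests on the BLE SMI handler alone")
    if not flockdn:
        findings.append("FLOCKDN clear: SPI protected-range registers are not locked")

    # Conservative policy chosen for this example: every control must be in
    # the locked state before the region is reported as protected.
    protected = (not bioswe) and ble and smm_bwp and flockdn
    return BiosWpStatus(bioswe, ble, smm_bwp, flockdn, protected, findings)


def verdict(bios_cntl: int, hsfs: int) -> str:
    """One-line summary in the style of a firmware checker report."""
    status = decode_bios_cntl(bios_cntl, hsfs)
    if status.protected:
        return "PASSED: BIOS region write protection is enabled"
    return "WARNING: BIOS region is not fully write-protected (" \
        + "; ".join(status.findings) + ")"


if __name__ == "__main__":
    # Constructed sample register pairs (BIOS_CNTL, HSFS), not real captures.
    samples = {
        "locked platform": (0x22, 0x8000),   # BLE | SMM_BWP, FLOCKDN set
        "BLE only": (0x02, 0x8000),          # SMM_BWP missing
        "wide open": (0x01, 0x0000),         # BIOSWE set, nothing locked
    }
    for name, (bc, hs) in samples.items():
        print(f"{name:15s} BIOS_CNTL=0x{bc:02x} HSFS=0x{hs:04x} -> {verdict(bc, hs)}")
```

The findings are phrased as what a defender would want to act on (enable the missing lock in firmware setup, or apply the vendor update the article recommends), and the script is deliberately read-only: it interprets values handed to it and never touches the flash controller.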

However, these are actions that must be carried out by a professional, given the complexity of the matter. Jesse Michael, principal researcher at Eclypsium, goes so far as to say that “determining if a system has been compromised at the UEFI firmware level is a difficult job.”

Unfortunately for the victims, even after paying a ransom for the release of the system, TrickBot can continue to operate quietly on their machines. In addition, it does not act alone: it maintains connections with other cybercriminals, with whom it can share valuable information. Without a doubt, this is a challenging and quite complex piece of malware.