2020-12-03:🔥 And ... [Major Discovery] 🤖"Persist, Brick, Profit -#TrickBot Offers New “#TrickBoot” UEFI-Focused Functionality"
🆕*First* Time Crimeware Group Pursued UEFI Firmware Exploitation | #YARA+IOCs in MISP JSON/CSV
@eclypsium | @IntelAdvanced
advanced-intel.com/post/persist-b…
🆕*First* Time Crimeware Group Pursued UEFI Firmware Exploitation | #YARA+IOCs in MISP JSON/CSV
@eclypsium | @IntelAdvanced
advanced-intel.com/post/persist-b…
📚:
1⃣TrickBoot is only one line of code away from being able to brick any device it finds to be vulnerable.
2⃣Historically, TrickBot actors have needed to evade and persist at the OS level - now a chance at UEFI level.
3⃣Actors are going lower in the stack to avoid detection.
1⃣TrickBoot is only one line of code away from being able to brick any device it finds to be vulnerable.
2⃣Historically, TrickBot actors have needed to evade and persist at the OS level - now a chance at UEFI level.
3⃣Actors are going lower in the stack to avoid detection.
✅Evolution of criminal intent:
⚓️Deep persistence achieved via UEFI/BIOS level to survive long-term on the host
⚡️New Incident Response Paradigm Shift:
*Firmware integrity checks might be particularly important for device that is known to have been compromised by TrickBot.*
⚓️Deep persistence achieved via UEFI/BIOS level to survive long-term on the host
⚡️New Incident Response Paradigm Shift:
*Firmware integrity checks might be particularly important for device that is known to have been compromised by TrickBot.*
🤔The TrickBot module is checking the SPI controller to check if BIOS write protection is enabled.
The malware already contains code to read, write, and erase firmware.
These primitives could be used to insert code to maintain persistence as with #LoJax or #MosaicRegressor.
The malware already contains code to read, write, and erase firmware.
These primitives could be used to insert code to maintain persistence as with #LoJax or #MosaicRegressor.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
