Supermicro and Pulse Secure Issue Advisories Regarding 'TrickBoot' Attacks

Supermicro, a U.S.-based information technology firm, and VPN provider Pulse Secure have released advisories regarding the vulnerability of their motherboards to the TrickBot malware's Unified Extensible Firmware Interface (UEFI) firmware-infecting module, called TrickBoot.

Last year, cybersecurity companies Advanced Intelligence and Eclypsium released a joint report on a new malicious firmware-targeting 'TrickBoot' module delivered by the well-known TrickBot malware. When the TrickBoot module is executed, it inspects a device's UEFI firmware to determine whether 'write protection' is disabled. If it is, the malware has the functionality to read, write, and erase the firmware.

This could allow the malware to carry out numerous destructive activities, such as bricking a device, bypassing operating system security controls, or reinfecting a system even after a complete reinstall.

To check whether a UEFI BIOS has 'write protection' enabled, the module uses the RwDrv.sys driver from the RWEverything utility.

Cybersecurity firms Advanced Intelligence and Eclypsium released a joint statement reading – “All requests to the UEFI firmware stored in the SPI flash chip go through the SPI controller, which is part of the Platform Controller Hub (PCH) on Intel platforms. This SPI controller includes access control mechanisms, which can be locked during the boot process in order to prevent unauthorized modification of the UEFI firmware stored in the SPI flash memory chip.”

“Modern systems are intended to enable those BIOS write protections to prevent the firmware from being modified; however, these protections are often not enabled or misconfigured. If the BIOS is not write-protected, attackers can easily modify the firmware or even delete it completely,” it further reads.
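The lock state the quoted passage describes can be audited from two register values. The following is an added example, not code from the joint report or the vendors' advisories; the bit positions (the BIOS_CNTL and HSFS registers on Intel PCH platforms) and the sample register values are assumptions supplied for illustration.

```python
# Added example: audit BIOS write protection from two Intel PCH register values.
# Bit positions are assumptions taken from Intel PCH datasheets, not from the article.
from dataclasses import dataclass

BIOSWE = 1 << 0    # BIOS_CNTL: BIOS Write Enable (1 = flash writes allowed)
BLE = 1 << 1       # BIOS_CNTL: BIOS Lock Enable (setting BIOSWE traps to SMM)
SMM_BWP = 1 << 5   # BIOS_CNTL: only SMM code may write the BIOS region
FLOCKDN = 1 << 15  # HSFS: SPI flash configuration lock-down


@dataclass
class WriteProtectReport:
    protected: bool
    findings: list


def assess_bios_write_protection(bios_cntl: int, hsfs: int) -> WriteProtectReport:
    """Return whether the firmware is write-protected, with the reasons if not."""
    findings = []
    if not bios_cntl & BLE:
        findings.append("BLE clear: software can set BIOSWE without trapping to SMM")
    if not bios_cntl & SMM_BWP:
        findings.append("SMM_BWP clear: BIOS region writable from outside SMM")
    if bios_cntl & BIOSWE:
        findings.append("BIOSWE set: BIOS write enable is currently on")
    if not hsfs & FLOCKDN:
        findings.append("FLOCKDN clear: SPI controller settings are not locked")
    # Protected only when both locks are set and the controller config is frozen.
    protected = bool(bios_cntl & BLE and bios_cntl & SMM_BWP and hsfs & FLOCKDN)
    return WriteProtectReport(protected, findings)


# Constructed register values (BIOS_CNTL, HSFS), not read from real hardware.
SAMPLES = {
    "locked": (0x2A, 0xE008),    # BLE + SMM_BWP set, FLOCKDN set
    "unlocked": (0x09, 0x6008),  # BIOSWE set, no locks at all
    "ble-only": (0x0A, 0xE008),  # BLE set but SMM_BWP missing
}

if __name__ == "__main__":
    for name, (bc, hsfs) in SAMPLES.items():
        report = assess_bios_write_protection(bc, hsfs)
        print(name, "protected" if report.protected else "NOT protected")
        for finding in report.findings:
            print("  -", finding)
```

On a real system the two values would come from a firmware audit tool run by the platform owner; the register offsets differ between chipset generations.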

The malware’s ability to ..
