TrickBot turns its attention to firmware vulnerabilities.
The TrickBot banking Trojan now has a module that probes for UEFI vulnerabilities on infected machines, researchers at Advanced Intelligence and Eclypsium have found. The malware hasn't been observed actually installing bootkits yet, but the researchers believe this is imminent. They explain that "the malware already contains code to read, write, and erase firmware. These primitives could be used to insert code to maintain persistence, as has been seen previously with the LoJax or MosaicRegressor. Attackers could also simply erase the BIOS region to completely disable the device as part of a destructive attack or ransomware campaign." The researchers also note that "[i]t is quite possible that threat actors are already exploiting these vulnerabilities against high-value targets."