Supermicro and Pulse Secure have released advisories warning that some of their motherboards are vulnerable to the TrickBot malware’s UEFI firmware-infecting module, known as TrickBoot. Last year, cybersecurity firms Advanced Intelligence and Eclypsium released a joint report about a new malicious firmware-targeting ‘TrickBoot’ module delivered by the notorious TrickBot malware. When executed, the module will analyze a device’s UEFI firmware to determine if it has ‘write protection’ disabled. If it is, the malware contains the functionality to read, write, and erase the firmware. This could allow the malware to perform various malicious activities, such as bricking a device, bypassing operating system security controls, or reinfecting a system even after a full reinstall. To check if a UEFI BIOS has ‘write protection’ enabled, the module uses the RwDrv.sys driver from the RWEverything utility.
