
Trying to extricate extremely sticky malware from TPM and/or BIOs

M1904trading
Beginner
5,624 Views

Hi,

The other day I made a post trying to identify a "bug", a.k.a. malicious code, virus, malware, that has been afflicting my systems. I'll try and keep this short.

  • It is using a virtual machine
  • It is embedded into either the TPM or the BIOS (or some other rom)
  • It is using the TPM to shimmy its way to my processor where it then broadcasts an ARP from "intelcor_xx:xx:xx" until it will completely hijack both my network and my machine
  • It is using commonly named Windows files
  • It is operating primarily out of "Explorer.exe" (in Windows 10)
  • It is much more prolific in Windows 10
  • It has been a phased attack, both in aggression and symptoms
  • It is reactive, and counters any type of countermeasure I deploy
  • It was reactive to AV software
    1. It caused one of the most violent BSODs I've ever seen when I tried to run Hitman Pro. Agent against it, resulting in two NVMe drives wiped and a third write protected, almost as a self-destruct mechanism
  • It is using mount points in Windows to hide volumes
  • It affects all networked devices: including iOS, Android, and IoT devices
  • I can see the volumes it creates from the BIOS
  • It has cracked or stolen all of my secure boot keys
  • It has stolen my ukey
  • It has read, write, and execution privileges
  • Its primary goal is a complete takeover of the machine, seemingly.
    1. This was not always the case, with the primary goal being reputational harm until I had discovered it
  • It or an associated attack vector is capable of DNS and domain attacks including MITM and DDoS.
    1. Could be coincidental, highly doubted
  • This was most likely the work of a very clever spoof website or a phishing email. 
  • It has extricated personal data
  • It has intervened in my personal, and business communications
  • It is redirecting to port 453, which is known to generate malicious code
    1. Most likely where the trojan/worm transport came from
  • I am also being redirected to port 853, most likely a command and control 
  • The logs and .DMP files literally read like someone breaking into my house and it is extremely unsettling
    1. It took me exorcising it from the VM, enabling a ukey, in order to find the .dmp and log files, as it is extremely efficient in deleting/hiding them
  • Forgot to mention this has actively countered any software I've run against it, including:
    • Wireshark
      • Physically broke via driver mismatch
    • Portmaster
      • Physically broke via driver mismatch
    • Hitman Pro
      • Turned into a martyrdom grenade
    • Whocrashed
      • Not seeing anything
    • Windows defender
      • Not seeing anything

I know this is probably the wrong place for this, but I'd like to speak to someone who has a better understanding of these things, as I am so far incredibly out of my depth, and it's to the point where I'm literally being denied my own internet service and devices.

Thanks in advance.

Specs:

  • Intel Core i9-12900K
  • MSI Unify Z690
  • Corsair Vengeance 32GB RAM (2x16)
  • WD Black 500GB NVMe x2
  • Crucial P5 1TB NVMe
  • TeamGroup Cardea 1TB NVMe
  • Crucial BX500 1TB SSD x2
  • WD compact 1TB SSD
  • EVGA NVIDIA 3060 Ti
  • EVGA NVIDIA 2060 KO Ultra
  • Windows 11, latest distro, fully updated

I appreciate any response

0 Kudos
12 Replies
AlHill
Super User
5,593 Views

www.bleepingcomputer.com can help you with virus/malware removal.

Doc (not an Intel employee or contractor)
[Maybe Windows 12 will be better]

0 Kudos
Steven_Intel
Moderator
5,551 Views

Hello M1904trading,


Thank you for posting on the Intel® communities.


Were you able to check the previous post?


Let us know if you still need assistance.


Best regards,


Steven G.

Intel Customer Support Technician.


0 Kudos
M1904trading
Beginner
5,539 Views
Yes, I thought I had replied to it.

Regardless, caught the ************* today. Found an unprotected .dll. Followed path. Teleported me right behind his lines.

He was definitely using a VM, even two today. And had a multitude of files with just my initials; it looks to be primarily, or at least was primarily, surveillance.

Updating with screenshots as soon as he stops being a sore loser and gives me back my network.
0 Kudos
Steven_Intel
Moderator
5,522 Views

Thank you for your response.


Please let us know once you have an update. 


Best regards,


Steven G.

Intel Customer Support Technician.


0 Kudos
Steven_Intel
Moderator
5,487 Views

Hello M1904trading,

Thank you for your response.

I will research that information to answer your question, and I will let you know once I have an update.

Please let us know through this thread if you have any concerns.

Best regards,

Steven G.

Intel Customer Support Technician.

0 Kudos
Steven_Intel
Moderator
5,464 Views

Hello M1904trading,


This does not seem to be related to the processor, but we would like to gather more information and check if there is anything we can help with:


  • How did you realize this was done through TPM?
  • Do you know where the malware is coming from? A specific app, maybe?
  • Have you contacted the Original Equipment Manufacturer (OEM) to check if there is anything similar reported?


Best regards,


Steven G.

Intel Customer Support Technician.


0 Kudos
M1904trading
Beginner
5,456 Views

You can see them attack it in the logs. It's the first thing they go after. Plus, and I know this sounds bat**bleep** but the entire story situation is, but I found an entire file unironically called "TPM" in their VM they left nested on one of my machines.

It's primarily a rootkit, and that rootkit takes up residence in 5-6 modules of the PCI. And that's where they "stage", so to speak. For me, they had a completely 1:1 build, or more accurately an emulation of Windows 10, that is primarily meant to encapsulate the victim. Btw, just last night I found a full list of victims or targets, and files of individual targets up into the 27,000's.

I have a dump of their Windows build here: https://drive.google.com/drive/folders/1yK4amQJ46beOthz8huv7saUIr_J1rqCw

Use a sandbox and exercise extreme caution. The original disk image or hkeys are self-aware and check to see if they're in a VM.

Btw, the majority of his "toolkit" doesn't show up on VirusTotal, or anyone else's radar besides Kaspersky. Your standard malware scans WILL NOT WORK. They're all legitimately signed and have all the correct paperwork.

The primary tool these guys are using they call "Gcry", which we all know what it is. And the ones I did have hit are:

 

  • Trojan
    • Win32
      • Jobutyve
        • Aie
        • ibyj
      • Fsysna.ibrm
        • Icuc
      • Cobalt
        • hzr
    • Win64
      • Agentb.byo
        • .byn
        • Byp
      • Cobalt
        • Lk
        • Lj
        • Gis
        • Hab
        • Gwx
        • Ggy
      • Agent
        • Qwhzba
      • Agentb
        • Byo
        • Byn
        • Byp


This **bleep** gets way weirder and way deeper. If you'd like we can get on a call to discuss more.


0 Kudos
M1904trading
Beginner
5,454 Views

By the way they were actively trying to prevent this from being posted. 

0 Kudos
Steven_Intel
Moderator
5,438 Views

Thank you for your response.


We are going to take this information and research it. As soon as I have an update, I will let you know.


Best regards,


Steven G.

Intel Customer Support Technician.


0 Kudos
Steven_Intel
Moderator
5,404 Views

Hello M1904trading,


Based on our research, please report this issue to our security team by sending them an email to secure@intel.com so they can investigate.


Please let me know if you have any concerns.


Best regards,


Steven G.

Intel Customer Support Technician.


0 Kudos
Steven_Intel
Moderator
5,367 Views

Hello M1904trading,


Were you able to check the previous post?


Let us know if you have any concerns.


Best regards,


Steven G.

Intel Customer Support Technician.



0 Kudos
Steven_Intel
Moderator
5,350 Views

Since we have not heard back from you, we will close this thread. If you need any additional information, please submit a new question, as this thread will no longer be monitored.


Best regards,


Steven G.

Intel Customer Support Technician.



0 Kudos