BlackLotus UEFI bootkit defeats Secure Boot protection

Why this is important: Discovered in October 2022, BlackLotus is a powerful UEFI-compatible bootkit sold on the underground marketplace for $5,000 per license. The malware offers impressive capabilities, and new analysis has now confirmed security experts’ worst fears.

BlackLotus is a powerful threat against modern firmware-based computer security. This UEFI bootkit provides offensive capabilities previously only available to advanced-persistent threats (APT) and state-sponsored groups to script kiddies and any paying “customer.” Kaspersky researchers discovered and dissected the malware in 2022 and found a very compact combination of Assembly and C code.

A new report by ESET analyst Martin Smolár has now confirmed one of the most unique and dangerous malware capabilities: BlackLotus is the first “in-the-wild” UEFI bootkit to compromise a system even if the Secure Boot feature is properly enabled. Smolár says this is a malicious kit that can run on fully updated UEFI systems.

BlackLotus can also do its dirty work on a fully updated Windows 11 system. The Slovak security company said the malware is the first publicly known threat designed to abuse the CVE-2022-21894 “Secure Boot Security Feature Bypass Vulnerability.” Microsoft fixed this flaw in January 2022. However, bad actors can still exploit it using a valid signed binary file that is not added to the UEFI recovery list.

The bootkit can disable many advanced security features at the OS level, such as BitLocker, HVCI, and Windows Defender. Smolár noted that once installed, the main purpose of the malware is to deploy a kernel driver, which protects the bootkit from being removed. Then an HTTP downloader contacts the command&control server for additional instructions or additional user-mode or kernel-mode malicious payloads.

According to Smolár, the BlackLotus offer discovered on hacker forums is real. The malware is just as capable as the original seller said, and we still don’t know who made it. So far, the most telling evidence about its origin is that some BlackLotus installers have not proceeded to install the bootkit on systems located in Moldova, Russia, Ukraine, Belarus, Armenia, or Kazakhstan.

Smolár points out that UEFI bootkits are “very powerful threats” because they control the OS boot process and disable various OS security mechanisms to prevent malicious payloads from appearing in time. to begin with. BlackLotus is the first time a truly powerful UEFI bookit has been discovered in the wild. This may not be the last as a proof-of-concept exploit for CVE-2022-21894 is now available on GitHub.

Leave a Comment