Researchers from the Slovak cybersecurity company ESET have discovered that a UEFI bootkit known as BlackLotus is capable of bypassing UEFI Secure Boot, a crucial platform security feature. The researchers found that BlackLotus exploits a vulnerability that was patched more than a year ago and can run even on fully updated Windows 11 computers with UEFI Secure Boot enabled.
UEFI Secure Boot is a feature of the UEFI firmware, which has replaced the conventional BIOS (Basic Input/Output System) firmware found on older systems. With Secure Boot enabled, the firmware will only load boot software that carries a signature it trusts and that has not been revoked. A bootkit, by contrast, is malware that inserts itself into the boot process so that it runs before the operating system does.
Since at least early October 2022, BlackLotus has been advertised and sold on darknet forums for $5,000, according to a press release from ESET. In the release, Martin Smolár, the ESET researcher who led the bootkit investigation, said that the team can now provide proof that the bootkit is authentic and that the advertisement is not merely a fake.
BlackLotus Exploits An Earlier Weakness
BlackLotus exploits a flaw that has been public for more than a year (CVE-2022-21894, a Secure Boot bypass in the Windows boot manager) to get around UEFI Secure Boot and establish persistence for the bootkit. This is the first known case of this vulnerability being exploited in the wild.
Even though Microsoft released a patch for it in January 2022, BlackLotus can still exploit the weakness, enabling attackers to disable operating system security features including BitLocker, HVCI (Hypervisor-protected Code Integrity), and Windows Defender.
The reason is that the patch never took the vulnerable binaries out of circulation: the affected, validly signed boot managers have still not been added to the UEFI revocation list (the dbx variable), the mechanism by which the firmware refuses specific signed binaries and certificates. Because a copy of the old, correctly signed boot manager is still accepted by Secure Boot, the bootkit has been able to exploit the issue even after the January fix.
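To make the revocation mechanism concrete, here is an added example (not code from ESET's report or from BlackLotus) that parses the EFI_SIGNATURE_LIST format stored in the dbx variable and checks whether a given boot manager's Authenticode SHA-256 hash has been revoked. The blob it parses is constructed inline with made-up hashes; the signature-type GUIDs come from the UEFI specification and the owner GUID is the one Microsoft uses for its dbx entries.

```python
"""Parse a UEFI forbidden-signature database (dbx) and look up revoked hashes.

The dbx variable is a concatenation of EFI_SIGNATURE_LIST structures:

    EFI_GUID SignatureType      16 bytes
    UINT32   SignatureListSize   4 bytes   (whole list, header included)
    UINT32   SignatureHeaderSize 4 bytes   (usually 0)
    UINT32   SignatureSize       4 bytes   (per entry: 16-byte owner GUID + data)
    UINT8    SignatureHeader[SignatureHeaderSize]
    EFI_SIGNATURE_DATA Signatures[]

For EFI_CERT_SHA256 lists the data is the SHA-256 *Authenticode* hash of a PE
image (not a plain file hash); a signed boot manager whose hash is listed is
refused by the firmware even though its signature is valid.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureOwner GUID that Microsoft uses for its db/dbx entries.
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

SIGLIST_HEADER = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize
TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}


def parse_signature_lists(blob):
    """Yield (signature_type, owner_guid, signature_data) for every entry in the blob."""
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_bytes, list_size, hdr_size, sig_size = SIGLIST_HEADER.unpack_from(blob, off)
        if list_size < SIGLIST_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16:
            raise ValueError("bad SignatureSize")
        body = blob[off + SIGLIST_HEADER.size + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        sig_type = uuid.UUID(bytes_le=type_bytes)
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size  # list_size >= 28, so the loop always makes progress


def revoked_hashes(blob):
    """Return the set of revoked SHA-256 Authenticode hashes (lower-case hex)."""
    return {data.hex() for sig_type, _, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_SHA256_GUID}


def is_revoked(blob, authenticode_sha256_hex):
    """True if the firmware would refuse a PE image with this Authenticode hash."""
    return authenticode_sha256_hex.lower() in revoked_hashes(blob)


def summarize(blob):
    """Count entries per signature type, e.g. {'sha256': 2, 'x509': 1}."""
    counts = {}
    for sig_type, _, _ in parse_signature_lists(blob):
        name = TYPE_NAMES.get(sig_type, str(sig_type))
        counts[name] = counts.get(name, 0) + 1
    return counts


def build_signature_list(sig_type, owner, entries):
    """Build one EFI_SIGNATURE_LIST (no signature header) from equal-length entries."""
    sig_size = 16 + len(entries[0])
    if any(len(e) != sig_size - 16 for e in entries):
        raise ValueError("all entries in one list must have the same size")
    body = b"".join(owner.bytes_le + e for e in entries)
    header = SIGLIST_HEADER.pack(sig_type.bytes_le, SIGLIST_HEADER.size + len(body), 0, sig_size)
    return header + body


# Constructed sample dbx: the "hashes" below are made up for this example and
# are NOT the hashes of any real Windows boot manager.
OLD_BOOTMGR_HASH = hashlib.sha256(b"constructed: vulnerable bootmgfw.efi").hexdigest()
OLD_BOOTMGR_HASH_2 = hashlib.sha256(b"constructed: vulnerable bootmgr.efi").hexdigest()
PATCHED_BOOTMGR_HASH = hashlib.sha256(b"constructed: patched bootmgfw.efi").hexdigest()
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, MICROSOFT_OWNER_GUID,
                         [bytes.fromhex(OLD_BOOTMGR_HASH), bytes.fromhex(OLD_BOOTMGR_HASH_2)])
    + build_signature_list(EFI_CERT_X509_GUID, MICROSOFT_OWNER_GUID,
                           [b"constructed DER certificate bytes"])
)

if __name__ == "__main__":
    print("dbx contents:", summarize(SAMPLE_DBX))
    for label, h in (("old boot manager", OLD_BOOTMGR_HASH), ("patched boot manager", PATCHED_BOOTMGR_HASH)):
        print(f"{label}: {h[:16]}... {'REVOKED' if is_revoked(SAMPLE_DBX, h) else 'still accepted'}")
```

On a Windows host the raw bytes of the live variable can be read from an elevated PowerShell with `(Get-SecureBootUEFI -Name dbx).Bytes` and fed straight to `parse_signature_lists`; a `dbxupdate.bin` published for applying revocations is an authenticated variable write and carries an EFI_VARIABLE_AUTHENTICATION_2 header ahead of the signature lists, which has to be stripped first. The hash you look up must be the Authenticode hash of the PE image, not `sha256sum` of the file, or nothing will ever match.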
According to ESET, numerous UEFI vulnerabilities have left systems susceptible long after fixes were released, because of the complexity of the entire UEFI ecosystem and the supply-chain issues that come with it.
The bootkit uses a kernel exploit to deploy its payload. Once installed, BlackLotus' main goal is to deploy a kernel driver that, among other things, protects the bootkit from removal attempts. It also deploys an HTTP downloader that communicates with the command-and-control (C&C) server and loads additional user-mode or kernel-mode payloads.
"In our telemetry from late 2022, we noticed a few hits on what turned out to be (with a high degree of certainty) the BlackLotus user-mode component, an HTTP downloader," the ESET researchers wrote. "After a preliminary analysis, code patterns identified in the samples led us to the identification of six BlackLotus installers. As a result, we were able to examine the entire execution chain and determine that we were not dealing with typical malware."
According to ESET's analysis, some BlackLotus installers skip installing the bootkit if the compromised host uses locale settings for Armenia, Belarus, Kazakhstan, Moldova, Russia, or Ukraine.
The limited number of BlackLotus samples that ESET has been able to collect, from both open sources and its telemetry, leads the researchers to suspect that not many threat actors have started employing it yet, according to Smolár.
Because the bootkit is simple to deploy and crimeware groups are prone to using their botnets to spread malware, the researchers are worried that things may change drastically if such groups obtain it. To increase the likelihood that a threat is stopped at the source before it can attain pre-OS persistence, the ESET research team advises keeping systems and their security products up to date.
The developers of the BlackLotus UEFI bootkit have equipped the malware with Secure Boot bypass features that let it infect even fully patched Windows 11 PCs. BlackLotus is the first known UEFI malware that can bypass Secure Boot and deactivate the operating system's built-in security measures, among them Hypervisor-protected Code Integrity (HVCI), also known as the Memory Integrity feature.
HVCI guards against attempts to exploit the Windows kernel; BlackLotus can disable it along with the BitLocker data protection feature and Microsoft Defender Antivirus. The Unified Extensible Firmware Interface (UEFI) is the low-level software that links the operating system to the hardware it runs on: it runs when the computer powers on and controls the boot sequence before the operating system begins any of its own operations.