ESET researchers have published the first analysis of a UEFI bootkit capable of bypassing UEFI Secure Boot, a critical Windows security feature. This threat already has a name: BlackLotus.
BlackLotus, a UEFI bootkit sold on hacking forums for around $5,000, reportedly allows bypassing Windows 11 Secure Boot, making it the first known malware able to run on Windows systems even when this firmware security feature is enabled.
As a reminder, UEFI stands for Unified Extensible Firmware Interface; it is the successor to the traditional BIOS (Basic Input/Output System) firmware. Secure Boot is designed to ensure that the system boots only with trusted software and firmware. A bootkit, for its part, is malware that infects a computer's startup process.
BlackLotus becomes one of the most dangerous pieces of malware in the world
UEFI bootkits are very powerful threats: they fully control the operating system boot process and are therefore capable of disabling various operating system security mechanisms and deploying their own kernel-mode or user-mode payloads in the early stages of booting a PC. This allows them to operate very stealthily and with elevated privileges. So far, only a few have been discovered in the wild and publicly described.
BlackLotus can in particular disable operating system security mechanisms such as BitLocker, HVCI, and Windows Defender. Once installed, the bootkit's main purpose is to deploy a kernel driver (which, among other things, protects the bootkit from removal) and an HTTP downloader responsible for communicating with the command and control server and capable of loading additional user-mode or kernel-mode payloads.
BlackLotus would be very active in Eastern Europe
To work, BlackLotus exploits a more than year-old vulnerability, CVE-2022-21894, to bypass Secure Boot and establish persistence. Microsoft fixed it in January 2022 but did not add the affected binaries to the UEFI revocation list, so those still validly signed, vulnerable binaries continue to be accepted by Secure Boot.
BlackLotus is written in assembly and C, is 80 kilobytes in size, and has already been used to infect PCs in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia and Ukraine. For our part, recall that France is the 5th most targeted country for certain cyberattacks.
The first details about BlackLotus emerged in October 2022, when Kaspersky security researcher Sergey Lozhkin described it as sophisticated crimeware. For now, ESET believes the malware has not yet been used by many attackers, which may make it easier to eradicate.
How to eradicate BlackLotus from infected PCs?
Although BlackLotus is stealthy and has extensive anti-removal protections, ESET researchers believe they have discovered a weakness in the way the HTTP downloader passes commands to the kernel driver, which could allow users to remove the bootkit.
"In case the HTTP downloader wants to pass a command to the kernel driver, it simply creates a named section, writes a command with the associated data inside, and waits for the command to be processed by the driver by creating a named event and waiting for the driver to trigger (or signal) it," says ESET.
The kernel driver therefore supports install and uninstall commands and "can be tricked into completely uninstalling the bootkit by creating the aforementioned named objects and sending the uninstall command".
ESET notes that simply updating the UEFI revocation list would mitigate the threat posed by BlackLotus but would not remove the bootkit from already infected systems. For that, a fresh installation of Windows is required, along with deletion of the MOK key enrolled by the attackers (using the mokutil utility, for example).
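To support the MOK cleanup step just described, here is an added example (not ESET's code and not part of the original article) that parses the listing produced by mokutil --list-enrolled and flags enrolled keys that are not on an allowlist you maintain, marking self-signed ones for extra scrutiny. The sample listing, fingerprints and allowlist are constructed, and the listing format is assumed to match mokutil's OpenSSL-style output.

```python
import re

# Constructed sample of `mokutil --list-enrolled` output (format assumed from
# the tool's OpenSSL-style listing); fingerprints and names are made up.
SAMPLE_MOK_LIST = """\
[key 1]
SHA1 Fingerprint: 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44
Certificate:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=Example Distro, CN=Example Distro Secure Boot CA
        Subject: O=Example Distro, CN=Example Distro Secure Boot Signing
[key 2]
SHA1 Fingerprint: aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd
Certificate:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Self-Signed Key
        Subject: CN=Self-Signed Key
"""

# Hypothetical allowlist: fingerprints of keys you deliberately enrolled
# (your distro's shim key, a DKMS module-signing key, ...).
KNOWN_GOOD_FINGERPRINTS = {
    "11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44",
}


def parse_mokutil_list(text):
    """Split mokutil's listing into one dict per enrolled key."""
    keys = []
    for block in re.split(r"^\[key \d+\]\s*$", text, flags=re.MULTILINE)[1:]:
        entry = {}
        for field in ("SHA1 Fingerprint", "Issuer", "Subject"):
            m = re.search(rf"^\s*{field}: (.+)$", block, flags=re.MULTILINE)
            entry[field.lower().replace(" ", "_")] = m.group(1).strip() if m else ""
        keys.append(entry)
    return keys


def flag_unexpected(keys, allowlist):
    """Return enrolled keys whose fingerprint is not allowlisted; a
    self-signed certificate (issuer == subject) is an extra reason to look."""
    return [dict(k, self_signed=(k["issuer"] == k["subject"]))
            for k in keys if k["sha1_fingerprint"].lower() not in allowlist]


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MOK_LIST
    for k in flag_unexpected(parse_mokutil_list(text), KNOWN_GOOD_FINGERPRINTS):
        print("unexpected MOK entry:", k)
```

On a live system, pipe `mokutil --list-enrolled` into the script; a flagged certificate can then be exported and removed with `mokutil --delete`.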
"The best advice, of course, is to keep your system and its security product up to date to increase the chances of a threat being stopped early on, before it is able to reach pre-OS systems," concludes Smolár, the ESET researcher.