This new threat carries an extra risk: not only is it usually invisible to the antivirus programs we install on our computers, it also manages to bypass a core security mechanism of the Windows PC, one we will look at below.
Bypasses Windows Secure Boot
In this case we are dealing with a novel UEFI bootkit for Windows, known for being the first malware capable of bypassing Secure Boot on computers running this operating system, so it can cause serious trouble for anyone with a Windows PC. According to the cybersecurity company ESET, ‘this bootkit can run even on fully updated Windows 11 systems with UEFI Secure Boot enabled’.
By inserting itself into the PC’s UEFI boot process (it lives on the EFI System Partition rather than in the firmware chip itself), it gains control over Windows startup before the operating system loads. From that position it can disable security mechanisms built into the operating system, in this case Microsoft’s. Keep in mind that UEFI firmware was introduced as the replacement for the old BIOS.
Furthermore, according to security researcher Scott Scheferman, a licence for this malware costs $5,000, and for a further $200 buyers can obtain new builds whenever they need them. The problem for Windows computers does not end there.
Another major drawback of this malware is that, at just 80 KB in size, it goes completely undetected by antivirus. Cybersecurity researchers have described it as the first malware seen in the wild that is known to bypass Windows Secure Boot.
The vulnerability that BlackLotus exploits
This malware includes anti-virtualization, anti-debugging and code-obfuscation features, and BlackLotus can also disable security solutions on the system (ESET names BitLocker, HVCI and Windows Defender). Basically, this is possible because the malware takes advantage of a security vulnerability in the Windows Boot Manager tracked as CVE-2022-21894. In this way it completely bypasses the Windows UEFI Secure Boot protections, and it can also set up persistence.
Microsoft already addressed this vulnerability in early 2022. Nevertheless, cybercriminals can still exploit it, given that ‘the signed binaries that have been affected have not yet been added to the UEFI revocation list’, according to Martin Smolár, ESET researcher. In practice this means the bootkit can carry its own copy of an older, validly signed Windows Boot Manager that the firmware will still accept.
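The ‘UEFI revocation list’ Smolár refers to is the Secure Boot forbidden-signatures database, the dbx variable, which holds the Authenticode hashes (and certificates) the firmware must refuse to boot. Whether a given machine is exposed therefore comes down to whether the hashes of the vulnerable boot managers are present in its dbx. The following Python is an added example written for this page, not code from ESET, Microsoft or the bootkit itself: it parses a dbx blob in the EFI_SIGNATURE_LIST format defined by the UEFI specification and checks whether a given hash is revoked. On Windows the blob can be exported with the built-in cmdlet `(Get-SecureBootUEFI -Name dbx).Bytes` (and `Confirm-SecureBootUEFI` tells you whether Secure Boot is on at all); on Linux it is the file `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f`, whose first four bytes are variable attributes rather than list data and must be dropped. The sample blob, the hash values and the owner GUID in the block are constructed for the example; the hashes of the real vulnerable binaries are not given on this page and are not reproduced here.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification (EFI_SIGNATURE_LIST.SignatureType).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# Fixed part of EFI_SIGNATURE_LIST: SignatureType (16 bytes) + SignatureListSize,
# SignatureHeaderSize and SignatureSize (three little-endian UINT32s).
_LIST_HEADER = struct.Struct("<16sIII")


def parse_signature_lists(blob):
    """Walk a concatenation of EFI_SIGNATURE_LIST structures (the raw dbx/db contents).

    Returns a list of (signature_type, owner, data) tuples, one per EFI_SIGNATURE_DATA
    entry. Raises ValueError on a malformed or truncated blob instead of guessing.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HEADER.size:
            raise ValueError(f"truncated list header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = _LIST_HEADER.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=type_raw)  # EFI GUIDs are stored little-endian
        if list_size < _LIST_HEADER.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size < 16:  # every entry starts with a 16-byte SignatureOwner GUID
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        body_start = off + _LIST_HEADER.size + hdr_size
        body_end = off + list_size
        if (body_end - body_start) % sig_size:
            raise ValueError(f"signature array not a multiple of SignatureSize at offset {off}")
        for pos in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, bytes(blob[pos + 16:pos + sig_size])))
        off += list_size
    return entries


def dbx_contains_hash(blob, sha256_hex):
    """True if the given Authenticode SHA-256 hash is revoked by this dbx blob."""
    wanted = bytes.fromhex(sha256_hex)
    return any(t == EFI_CERT_SHA256_GUID and data == wanted
               for t, _owner, data in parse_signature_lists(blob))


def summarize(blob):
    """Count entries per signature type: a quick 'how many revocations do I have' check."""
    counts = {}
    for sig_type, _owner, _data in parse_signature_lists(blob):
        counts[sig_type] = counts.get(sig_type, 0) + 1
    return counts


def build_signature_list(sig_type, owner, items):
    """Encode one EFI_SIGNATURE_LIST (used here only to construct the sample blob)."""
    if any(len(i) != len(items[0]) for i in items):
        raise ValueError("entries in one list must share a SignatureSize")
    sig_size = 16 + len(items[0])
    list_size = _LIST_HEADER.size + len(items) * sig_size
    out = _LIST_HEADER.pack(sig_type.bytes_le, list_size, 0, sig_size)
    for item in items:
        out += owner.bytes_le + item
    return out


# Constructed sample dbx: two SHA-256 hash entries followed by one certificate entry.
# The hashes, the owner GUID and the 'certificate' are made up for this example and
# are NOT the hashes of any real boot manager.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")
REVOKED_A = hashlib.sha256(b"constructed bootloader image A").digest()
REVOKED_B = hashlib.sha256(b"constructed bootloader image B").digest()
NOT_REVOKED = hashlib.sha256(b"constructed bootloader image C").digest()
SAMPLE_DBX = (build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [REVOKED_A, REVOKED_B])
              + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER,
                                     [b"constructed, not a real DER cert"]))


if __name__ == "__main__":
    import sys
    # usage: python dbx_check.py [dbx.bin] [sha256hex ...]; with no file, the sample blob is used
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DBX
    for sig_type, count in summarize(blob).items():
        print(f"{sig_type}: {count} entries")
    for h in sys.argv[2:]:
        print(h, "REVOKED" if dbx_contains_hash(blob, h) else "not in dbx")
```

Two caveats when running this against a real machine. First, the SHA-256 entries in dbx are Authenticode hashes of the PE image, not hashes of the file bytes, so `sha256sum bootmgfw.efi` will not match an entry; compute the hash with an Authenticode-aware tool before looking it up. Second, an empty or nearly empty dbx on a machine that boots Windows is itself a finding: it means no boot-manager revocations have been applied, which is exactly the condition the quoted remark describes.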
Another major drawback of this malware is that, for now, the method used to deploy the bootkit onto a Windows computer is unknown. And whereas threats of this kind were previously in the hands of only a few, they are now available to criminals on underground forums, so the risk is higher.