BlackLotus, a UEFI bootkit that is sold on hacking forums for about $5,000, can now bypass Secure Boot, making it the first known malware to run on Windows systems even with the firmware security feature enabled.

Secure Boot is designed to stop devices from running unauthorized software during startup. But by targeting UEFI, the BlackLotus malware loads before anything else in the boot process, including the operating system and any security tools that could stop it.

Kaspersky's lead security researcher Sergey Lozhkin first spotted BlackLotus being sold on cybercrime marketplaces back in October 2022, and security experts have been taking it apart piece by piece ever since.

In research published today, ESET malware analyst Martin Smolár says the myth of an in-the-wild bootkit bypassing Secure Boot "is now a reality," as opposed to the usual slew of fake ads by criminals trying to scam their fellow miscreants.

The latest malware "is capable of running on even fully-up-to-date Windows 11 systems with UEFI Secure Boot enabled," he added.

BlackLotus exploits a more-than-one-year-old vulnerability, CVE-2022-21894, to bypass the Secure Boot process and establish persistence. Microsoft fixed this CVE in January 2022, but miscreants can still exploit it because the affected signed binaries haven't been added to the UEFI revocation list (the DBX, the forbidden-signature database the firmware consults before loading a boot image), Smolár noted.

"BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability," he wrote.
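The practical check that follows from this is whether the DBX on a given machine actually forbids the signed-but-vulnerable boot components an attacker would bring along. The DBX is stored as a sequence of EFI_SIGNATURE_LIST structures, the same format the UEFI Forum uses for its published revocation file, so a small parser lets you list what a machine's DBX revokes and test a hash against it. The script below is an added example written for this article; it is not ESET's code and not anything from BlackLotus. The sample blob and the hashes in it are constructed placeholders, not real boot-manager hashes, and the function names are the author's. Note that DBX hash entries are Authenticode (PE image) hashes, not hashes of the raw file bytes, so a value you compare must be computed the same way (for example with `sbverify`-style tooling or `Get-AuthenticodeSignature`-adjacent tools), which this example does not do.

```python
"""Parse a UEFI Secure Boot DBX (forbidden signature database) and check
whether a given SHA-256 Authenticode hash is revoked by it.

Added example for illustration, not code from the ESET research or from
BlackLotus.  The DBX is a sequence of EFI_SIGNATURE_LIST structures (UEFI
specification, "Signature Database"); this parser handles
EFI_CERT_SHA256_GUID lists and skips other entry types.  The sample blob
at the bottom is constructed here; its hashes are placeholders.
"""
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes) followed by
# SignatureListSize, SignatureHeaderSize, SignatureSize (little-endian UINT32).
_LIST_HDR = struct.Struct("<16sIII")
_OWNER_LEN = 16  # each EFI_SIGNATURE_DATA starts with a SignatureOwner GUID


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, [signature_data, ...]) for each list in blob."""
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= _OWNER_LEN:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        body_start = off + _LIST_HDR.size + hdr_size
        body_len = list_size - _LIST_HDR.size - hdr_size
        if body_len % sig_size:
            raise ValueError(f"signature body not a multiple of SignatureSize at {off}")
        entries = []
        for e in range(body_start, body_start + body_len, sig_size):
            entries.append(blob[e + _OWNER_LEN : e + sig_size])  # strip SignatureOwner
        yield sig_type, entries
        off += list_size


def revoked_sha256_hashes(dbx: bytes) -> set:
    """Return the set of hex-encoded SHA-256 hashes a DBX blob forbids."""
    hashes = set()
    for sig_type, entries in parse_signature_lists(dbx):
        if sig_type != EFI_CERT_SHA256_GUID:
            continue  # X.509 or other list types are not hash revocations
        for data in entries:
            if len(data) != 32:
                raise ValueError("SHA-256 entry is not 32 bytes")
            hashes.add(data.hex())
    return hashes


def is_revoked(dbx: bytes, sha256_hex: str) -> bool:
    """True if the Authenticode SHA-256 hash `sha256_hex` is forbidden by dbx."""
    return sha256_hex.lower() in revoked_sha256_hashes(dbx)


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_CERT_SHA256 EFI_SIGNATURE_LIST (used to make the sample)."""
    sig_size = _OWNER_LEN + 32
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes)
    hdr = _LIST_HDR.pack(EFI_CERT_SHA256_GUID.bytes_le,
                         _LIST_HDR.size + len(body), 0, sig_size)
    return hdr + body


# Constructed sample DBX with two placeholder hashes (not real boot-manager hashes).
SAMPLE_REVOKED = ["11" * 32, "22" * 32]
SAMPLE_DBX = build_sha256_list(SAMPLE_REVOKED)

if __name__ == "__main__":
    # A real DBX on Linux: /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
    # (skip the first 4 attribute bytes).  On Windows: Get-SecureBootUEFI -Name dbx.
    print(len(revoked_sha256_hashes(SAMPLE_DBX)), "hash entries in sample DBX")
    print(is_revoked(SAMPLE_DBX, "11" * 32), is_revoked(SAMPLE_DBX, "33" * 32))
```

Run it against the machine's real `dbx` variable (paths given in the comments) and against the hashes in the UEFI Forum revocation file to see whether the firmware has actually received the revocations; a DBX that lacks them is exactly the condition the article describes, where the January 2022 patch is installed but a freshly dropped copy of the old binary still passes Secure Boot.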

Plus, a proof-of-concept exploit for this vulnerability has been publicly available since August 2022, so expect to see more cybercriminals using this issue for illicit purposes soon.

Making it even more difficult to detect: BlackLotus can disable several OS security tools including BitLocker, Hypervisor-protected Code Integrity (HVCI) and Windows Defender, and bypass User Account Control (UAC), according to the security shop.

And while the researchers don't attribute the malware to a particular gang or nation-state group, they do note that the BlackLotus installers they analyzed won't proceed if the compromised computer is located in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, or Ukraine.

Once BlackLotus exploits CVE-2022-21894 and turns off the system's security tools, it deploys a kernel driver and an HTTP downloader. The kernel driver, among other things, protects the bootkit files from removal, while the HTTP downloader communicates with the command-and-control server and executes payloads.

The bootkit research follows UEFI vulnerabilities in Lenovo laptops that ESET found last spring, which, among other things, allow attackers to disable Secure Boot.

"It was just a matter of time before someone would take advantage of these failures and create a UEFI bootkit capable of running on systems with UEFI Secure Boot enabled," Smolár wrote. ®
