Why it matters: Found in October 2022, BlackLotus is a powerful UEFI-compatible bootkit sold on underground marketplaces at $5,000 per license. The malware offers impressive capabilities, and a new analysis now confirms security experts' worst fears.

BlackLotus is a potent threat against modern firmware-based computer security. This UEFI bootkit hands offensive capabilities previously available only to advanced persistent threats (APTs) and state-sponsored groups to script kiddies and any paying "customer." Kaspersky researchers found and dissected the malware in 2022 and discovered a very compact mix of Assembly and C code.

A new report by ESET analyst Martin Smolár now confirms the most remarkable and dangerous capability of the malware: BlackLotus is the first "in-the-wild" UEFI bootkit to compromise a system even when the Secure Boot feature is correctly enabled. Smolár says it is a malicious kit that can run on fully updated UEFI systems.

BlackLotus can also do its dirty work on a fully updated Windows 11 system. The Slovak security firm says the malware is the first publicly known threat designed to abuse CVE-2022-21894, the "Secure Boot Security Feature Bypass Vulnerability." Microsoft fixed this flaw in January 2022. However, bad actors can still exploit it using validly signed binaries that have not been added to the UEFI revocation list.
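A defender-side check that follows from this, added here as an example and not part of the article or of ESET's research: parse the host's UEFI forbidden-signature database (dbx) and list the SHA-256 hashes it revokes, so you can verify whether a bootloader hash named in a vendor advisory is actually present in the firmware. It assumes an elevated PowerShell session on a UEFI Windows system and relies only on the built-in SecureBoot module; the hash to check is a placeholder.

```powershell
# Added example (not from the article): inspect the UEFI dbx on a Windows host.
# Requires an elevated PowerShell session on a UEFI system (SecureBoot module).

function Get-DbxSha256Entries {
    # Returns the lowercase hex SHA-256 hashes currently revoked in the firmware dbx.
    # dbx is a sequence of EFI_SIGNATURE_LIST structures; only SHA-256 lists are read.
    $dbx = (Get-SecureBootUEFI -Name dbx).Bytes
    $sha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID
    $entries = @()
    $pos = 0
    while ($pos + 28 -le $dbx.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes), then three uint32:
        # SignatureListSize, SignatureHeaderSize, SignatureSize
        $type     = [guid]::new([byte[]]$dbx[$pos..($pos + 15)])
        $listSize = [int][BitConverter]::ToUInt32($dbx, $pos + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($dbx, $pos + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($dbx, $pos + 24)
        if ($listSize -lt 28) { break }   # malformed list: stop rather than loop forever
        if ($type -eq $sha256Guid) {
            $sigPos = $pos + 28 + $hdrSize
            $end    = $pos + $listSize
            while ($sigPos + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) followed by the 32-byte hash
                $hashBytes = $dbx[($sigPos + 16)..($sigPos + 47)]
                $entries  += (($hashBytes | ForEach-Object { $_.ToString('x2') }) -join '')
                $sigPos   += $sigSize
            }
        }
        $pos += $listSize
    }
    return $entries
}

if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is not enabled on this host.' }
$revoked = Get-DbxSha256Entries
"dbx contains $($revoked.Count) revoked SHA-256 hashes"

# Placeholder: replace with a bootloader hash taken from a vendor advisory.
$hashToCheck = '<sha256-from-advisory>'
if ($revoked -contains $hashToCheck.ToLower()) { 'hash is revoked in dbx' } else { 'hash is NOT in dbx' }
```

A low entry count on a machine that has received years of Windows updates usually means the dbx updates were never applied to firmware, which is the condition the bypass described above relies on.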

The bootkit can disable many advanced security features at the OS level, such as BitLocker, HVCI, and Windows Defender. Smolár notes that once installed, the malware's main goal is to deploy a kernel driver, which protects the bootkit from removal. An HTTP downloader then contacts the command-and-control server for further instructions or additional user-mode or kernel-mode malicious payloads.

According to Smolár, the BlackLotus sample found on hacker forums is genuine. The malware is as capable as the original vendor claimed, and we do not yet know who created it. So far, the most telling evidence about its origins is that some BlackLotus installers do not proceed with bootkit installation on systems located in Moldova, Russia, Ukraine, Belarus, Armenia, or Kazakhstan.

Smolár points out that UEFI bootkits are "very powerful threats" because they control the OS boot process and can disable various OS security mechanisms to deploy malicious payloads invisibly during startup. BlackLotus is the first instance of a genuinely omnipotent UEFI bootkit found in the wild. It likely will not be the last, since a proof-of-concept exploiting CVE-2022-21894 is already available on GitHub.
