A stealthy Unified Extensible Firmware Interface (UEFI) bootkit known as BlackLotus has become the first publicly known malware capable of bypassing Secure Boot defenses, making it a potent threat in the cyber landscape.
"This bootkit can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled," said Slovak cybersecurity firm ESET in a report shared with The Hacker News.
UEFI bootkits are deployed in the system firmware and allow full control over the operating system (OS) boot process, making it possible to override OS-level security mechanisms and to deploy arbitrary payloads with elevated privileges at boot time.
Priced at $5,000 (plus $200 for each subsequent new version), this powerful, persistent toolkit is programmed in assembly and C and is 80 kilobytes in size. It also has geofencing capabilities to avoid infecting computers in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, and Ukraine.
Details about BlackLotus first surfaced in October 2022, when Kaspersky security researcher Sergey Lozhkin described it as a sophisticated crimeware solution.
Scott Scheferman of Eclypsium OK.
In a nutshell, BlackLotus exploits a security flaw tracked as CVE-2022-21894 (aka Baton Drop) to bypass UEFI Secure Boot protections and establish persistence. The vulnerability was fixed by Microsoft as part of its January 2022 monthly security update (Patch Tuesday).
Successful exploitation of this vulnerability could allow arbitrary code execution during the early boot phases, permitting an attacker to run malicious code on a system with UEFI Secure Boot enabled without having physical access to it, ESET said.
ESET researcher Martin Smolár said: "Affected validly signed binaries have not yet been added to the UEFI revocation list and are therefore still potentially exploitable."
"BlackLotus takes advantage of this by bringing its own copies of legitimate but vulnerable binaries onto the system in order to exploit the vulnerability," effectively paving the way for Bring Your Own Vulnerable Driver (BYOVD) attacks.
It has the ability to turn off security mechanisms such as BitLocker, Hypervisor-protected Code Integrity (HVCI) and Windows Defender, as well as to drop kernel drivers and an HTTP downloader that communicates with command-and-control (C2) servers and is designed to fetch additional user-mode or kernel-mode malware.
The exact method used to deploy the bootkit is still unknown, but it begins with installer components responsible for writing files to the EFI system partition, disabling HVCI and BitLocker, and rebooting the host.
Following the reboot, CVE-2022-21894 is weaponized, persistence is achieved, and the bootkit is installed. It then runs automatically every time the system boots to deploy the kernel driver.
The driver is responsible for launching a user-mode HTTP downloader and executing the next-stage kernel-mode payload; the latter is able to execute commands received from the C2 server over HTTPS.
This includes downloading and running kernel drivers, DLLs, or regular executables. It can even fetch bootkit updates and uninstall the bootkit from infected systems.
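The chain described above turns off HVCI and BitLocker, drops files on the EFI system partition (ESP), and relies on binaries not yet in the UEFI revocation list (DBX). The following PowerShell script is an added defender-side check, not code from ESET's report or from BlackLotus itself: it records the state of those protections and lists the ESP so the output can be compared against a known-good baseline. It assumes an elevated session on a UEFI Windows 10/11 host and that the drive letter S: is free.

```powershell
# Added example (not part of the original article): baseline check of the
# protections the bootkit is reported to disable, plus an inventory of the
# EFI system partition. Run as Administrator; S: is an assumed free letter.

# 1. UEFI Secure Boot state (SecureBoot module, present on UEFI systems).
$secureBoot = Confirm-SecureBootUEFI
Write-Host "Secure Boot enabled : $secureBoot"

# 2. HVCI state via the Device Guard WMI class.
#    SecurityServicesRunning contains 2 when HVCI is actually running.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                      -ClassName Win32_DeviceGuard
$hvciRunning = $dg.SecurityServicesRunning -contains 2
Write-Host "HVCI running        : $hvciRunning"

# 3. BitLocker protection on the OS volume (BitLocker module).
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
Write-Host "BitLocker OS volume : $($osVol.ProtectionStatus) ($($osVol.VolumeStatus))"

# 4. Size of the Secure Boot revocation list (DBX). Compare with the value
#    after applying Microsoft's DBX updates to confirm revocations landed.
$dbx = Get-SecureBootUEFI -Name dbx
Write-Host "DBX size (bytes)    : $($dbx.Bytes.Length)"

# 5. Mount the ESP on S: and list every file under \EFI with size and
#    timestamp, so the listing can be diffed against a clean-install baseline
#    (new or recently modified files here warrant a closer look).
mountvol S: /S
try {
    Get-ChildItem -Path S:\EFI -Recurse -File |
        Select-Object FullName, Length, LastWriteTime |
        Sort-Object FullName |
        Format-Table -AutoSize
}
finally {
    mountvol S: /D   # unmount the ESP again
}
```

Redirect the output to a file on a clean machine and diff later runs against it; the checks only report state, they do not change any setting.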
"In the past few years, many critical vulnerabilities have been discovered that affect the security of UEFI systems," said Smolár. "Unfortunately, due to the complexity of the whole UEFI ecosystem and the related supply chain issues, many of these vulnerabilities remain unaddressed long after they were fixed, or at least after they were reportedly fixed, leaving systems vulnerable."
"It was only a matter of time before someone took advantage of these failures to create a UEFI bootkit that can work on systems with UEFI Secure Boot enabled."