Why it matters: Discovered in October 2022, BlackLotus is a powerful UEFI-compatible bootkit sold on the underground market for $5,000 per license. The malware offers impressive capabilities, and new analysis confirms the worst fears of security experts.
BlackLotus is a powerful threat to modern firmware-based computer security. This UEFI bootkit puts attack capabilities previously available only to Advanced Persistent Threats (APTs) and state-sponsored groups into the hands of script kiddies and paying "customers". Kaspersky researchers discovered and analyzed the malware in 2022 and found a very compact mix of assembly and C code.
A new report by ESET analyst Martin Smolár confirms one of the malware's most prominent and dangerous features. BlackLotus is the first in-the-wild UEFI bootkit to compromise systems even when the Secure Boot feature is correctly enabled. Smolár says it is a fully functional malicious kit that can run on fully updated UEFI systems.
BlackLotus can do its dirty work even on a fully updated Windows 11 system. According to the Slovak security firm, the malware is the first publicly known threat designed to exploit CVE-2022-21894, a Secure Boot Security Feature Bypass vulnerability. Microsoft said it fixed this vulnerability in January 2022. However, the vulnerability can still be exploited by a malicious actor using validly signed binaries that have not been added to the UEFI revocation list.
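To make the revocation-list point concrete, here is an added example (not from the article or from ESET) that parses the chain of EFI_SIGNATURE_LIST structures making up the UEFI dbx variable and checks whether an image digest has been revoked. It assumes the dbx bytes were exported from firmware (for example `(Get-SecureBootUEFI -Name dbx).Bytes` on Windows, or the dbx efivars file on Linux after dropping its 4-byte attribute prefix); real dbx entries for PE loaders are Authenticode digests, so the plain SHA-256 of constructed sample bytes used below only exercises the lookup logic.

```python
import hashlib
import struct
import uuid

# Signature type whose entries carry a raw SHA-256 digest of a revoked image.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_LIST_HDR = 28  # GUID (16) + SignatureListSize, SignatureHeaderSize, SignatureSize

def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner, data) for each entry in a chain of
    EFI_SIGNATURE_LIST structures, the layout of the db/dbx variables."""
    off = 0
    while off + SIG_LIST_HDR <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < SIG_LIST_HDR or end > len(blob) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos = off + SIG_LIST_HDR + hdr_size  # skip the optional signature header
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])  # SignatureOwner GUID
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def build_sha256_list(digests, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries. Used here only to
    construct a sample dbx; real dbx contents are read from the firmware."""
    body = b"".join(owner.bytes_le + d for d in digests)
    hdr = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", SIG_LIST_HDR + len(body), 0, 16 + 32)
    return hdr + body

def is_revoked(dbx_blob: bytes, image_digest: bytes) -> bool:
    """True if image_digest appears in any SHA-256 list inside the dbx blob."""
    return any(t == EFI_CERT_SHA256_GUID and d == image_digest
               for t, _, d in parse_signature_lists(dbx_blob))

def demo():
    # Constructed sample: two "revoked" loaders and one that was never added to
    # dbx, which is exactly the gap a signed-but-unrevoked binary exploits.
    revoked = [hashlib.sha256(b"old-bootmgr-build-%d" % i).digest() for i in (1, 2)]
    never_added = hashlib.sha256(b"validly-signed-but-unrevoked-loader").digest()
    dbx = build_sha256_list(revoked)
    return [is_revoked(dbx, h) for h in revoked + [never_added]]  # [True, True, False]

if __name__ == "__main__":
    print(demo())
```

A loader whose digest is absent from dbx is still accepted by Secure Boot, which is why the revocation entries, not the January patch alone, close this gap on a given machine.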
Bootkits can disable many advanced security features at the OS level, such as BitLocker, HVCI, and Windows Defender. Smolár said that once the malware is installed, its main goal is to deploy a kernel driver that protects the bootkit from removal. An HTTP downloader then contacts the command-and-control server for further instructions and additional user-mode or kernel-mode malicious payloads.
According to Smolár, the BlackLotus offers found on hacker forums are genuine. The malware is capable of what the original seller claimed, and we still do not know who created it. So far, the clearest clue to its origin is that some BlackLotus installers do not proceed to install the bootkit on systems located in Moldova, Russia, Ukraine, Belarus, Armenia, or Kazakhstan.
Smolár points out that UEFI bootkits are "a very powerful threat." They can control the OS boot process, disable various OS security mechanisms, and invisibly deploy a malicious payload during boot. BlackLotus is the first instance of a truly powerful UEFI bootkit to be discovered in the wild. A proof of concept exploiting CVE-2022-21894 is already available on GitHub, so this may not be the last.