Why it matters: Discovered in October 2022, BlackLotus is a powerful UEFI-compatible bootkit sold on underground marketplaces at $5,000 per license. The malware offers remarkable capabilities, and a new analysis now confirms security experts' worst fears.
BlackLotus is a potent threat against modern firmware-based computer security. This UEFI bootkit hands script kiddies and any paying "customer" offensive capabilities that were previously available only to advanced persistent threat (APT) groups and state-sponsored teams. Kaspersky researchers discovered and dissected the malware in 2022 and found a very compact mix of assembly and C code.
A new report by ESET analyst Martin Smolár now confirms some of the outstanding and dangerous capabilities of the malware: BlackLotus is the first "in-the-wild" UEFI bootkit to compromise a system even when the Secure Boot feature is correctly enabled. Smolár says it is a malicious kit that can run on fully updated UEFI systems.
BlackLotus can do its dirty work on a fully updated Windows 11 system. The Slovak security firm says the malware is the first publicly known threat designed to abuse CVE-2022-21894, the "Secure Boot Security Feature Bypass Vulnerability." Microsoft fixed this flaw in January 2022. However, bad actors can still exploit it because the vulnerable, validly signed binaries have not been added to the UEFI revocation list (the dbx variable): a patched system no longer ships them, but firmware with Secure Boot enabled will still accept them if an attacker supplies them.
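The practical check that follows from this is whether a given signed image hash is actually present in your machine's dbx. The script below is an added example, not code from ESET, Microsoft or this article: it parses the EFI_SIGNATURE_LIST layout that the db/dbx variables use (GUIDs and structure sizes taken from the UEFI specification) and reports which of a set of image hashes are revoked. The hashes, image names and SignatureOwner GUID in it are constructed placeholders, not real Microsoft or BlackLotus values. On Linux the variable can be read from efivarfs (the path in `load_efivarfs_dbx` is the standard dbx variable name); on Windows `Get-SecureBootUEFI -Name dbx` exposes the same bytes.

```python
"""Check whether PE image hashes appear in a UEFI dbx (forbidden signatures)
variable. Added example; not code from ESET, Microsoft or the article."""
import hashlib
import struct
import uuid

# SignatureType GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: GUID(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)
SIG_LIST_HDR = 28


def parse_signature_lists(blob: bytes):
    """Return [(signature_type, owner, data), ...] for a concatenation of
    EFI_SIGNATURE_LIST structures, the layout of the db and dbx variables."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        body = off + SIG_LIST_HDR + hdr_size
        # Each signature is SignatureOwner(16) + SignatureData; sizes must be consistent.
        if end > len(blob) or body > end or sig_size < 16 or (end - body) % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        while body < end:
            owner = uuid.UUID(bytes_le=blob[body:body + 16])
            entries.append((sig_type, owner, blob[body + 16:body + sig_size]))
            body += sig_size
        off = end
    return entries


def revoked_sha256_hashes(blob: bytes) -> set:
    """All SHA-256 image hashes in the blob (entries of type EFI_CERT_SHA256)."""
    return {d for t, _, d in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID}


def check_image_hashes(dbx_blob: bytes, images: dict) -> dict:
    """Map each image name to True if its hash is revoked in dbx, else False.
    Caveat: dbx SHA-256 entries are Authenticode PE image hashes, not the
    SHA-256 of the whole file, so compute them with a PE-aware tool first."""
    revoked = revoked_sha256_hashes(dbx_blob)
    return {name: h in revoked for name, h in images.items()}


def load_efivarfs_dbx(path="/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"):
    """Read dbx from Linux efivarfs; the first 4 bytes are variable attributes, not data."""
    with open(path, "rb") as f:
        return f.read()[4:]


# ---- constructed sample data (placeholders, not real Microsoft or BlackLotus hashes) ----
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")  # placeholder SignatureOwner
REVOKED_IMAGE_HASH = hashlib.sha256(b"constructed: old signed boot manager").digest()
CURRENT_IMAGE_HASH = hashlib.sha256(b"constructed: patched boot manager").digest()
SAMPLE_IMAGES = {"bootmgfw-old.efi": REVOKED_IMAGE_HASH, "bootmgfw-new.efi": CURRENT_IMAGE_HASH}


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, datas) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST; all entries in a list share one size."""
    sig_size = 16 + len(datas[0])
    header = sig_type.bytes_le + struct.pack("<III", SIG_LIST_HDR + len(datas) * sig_size, 0, sig_size)
    return header + b"".join(owner.bytes_le + d for d in datas)


def build_sample_dbx() -> bytes:
    """A constructed dbx: one revoked hash plus an unrelated X.509 list, so the
    type filter in revoked_sha256_hashes() actually has something to exclude."""
    return (build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [REVOKED_IMAGE_HASH])
            + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"constructed: not a real certificate"]))


if __name__ == "__main__":
    dbx = build_sample_dbx()  # replace with load_efivarfs_dbx() on a real Linux host
    for name, flagged in check_image_hashes(dbx, SAMPLE_IMAGES).items():
        print(f"{name}: {'REVOKED' if flagged else 'still accepted under Secure Boot'}")
```

If an old, vulnerable but validly signed boot manager hashes to a value that this check does not find in dbx, that is exactly the gap the article describes: the firmware will still load it regardless of how current the installed Windows build is.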
The bootkit can disable several advanced security features at the OS level, such as BitLocker, HVCI, and Windows Defender. Smolár notes that once installed, the malware's main goal is to deploy a kernel driver, which protects the bootkit from removal. An HTTP downloader then contacts the command-and-control server for further instructions or additional user-mode or kernel-mode payloads.
According to Smolár, the BlackLotus offer found on hacker forums is genuine. The malware is as capable as the original seller claimed, and we do not know who created it yet. So far, the most telling clue about its origins is that some BlackLotus installers do not proceed with the bootkit installation on systems located in Moldova, Russia, Ukraine, Belarus, Armenia, or Kazakhstan.
Smolár points out that UEFI bootkits are "very powerful threats" because they control the OS boot process and can disable various OS security mechanisms to deploy malicious payloads invisibly during startup. BlackLotus is the first instance of a genuinely omnipotent UEFI bootkit discovered in the wild. It likely won't be the last, since a proof-of-concept exploit for CVE-2022-21894 is already available on GitHub.