Why it matters: First spotted in October 2022, BlackLotus is a robust UEFI bootkit sold on underground marketplaces for $5,000 per license. The malware offers remarkable capabilities, and a new analysis now confirms security experts' worst fears.
BlackLotus is a potent threat to modern firmware-based computer security. This UEFI bootkit puts offensive capabilities previously available only to advanced persistent threat (APT) groups and state-sponsored actors into the hands of script kiddies and any paying "customer." Kaspersky researchers spotted and dissected the malware in 2022 and found a very compact mix of assembly and C code.
A new report by ESET analyst Martin Smolár now confirms some of the most striking and dangerous capabilities of the malware: BlackLotus is the first in-the-wild UEFI bootkit to compromise a system even when Secure Boot is correctly enabled. Smolár says it is a malicious kit that can run on fully updated UEFI systems.
BlackLotus can also do its dirty work on a fully updated Windows 11 system. The Slovak security firm says the malware is the first publicly known threat built to abuse CVE-2022-21894, the "Secure Boot Security Feature Bypass Vulnerability." Microsoft fixed this flaw in January 2022. However, attackers can still exploit it: the vulnerable boot binaries carry valid Microsoft signatures and have not been added to the UEFI revocation list (dbx), so Secure Boot still accepts them and an attacker can simply bring along their own copies of the old, exploitable files.
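The revocation list the previous paragraph refers to is the Secure Boot dbx variable, a concatenation of EFI_SIGNATURE_LIST structures whose SHA-256 entries are the Authenticode hashes of forbidden PE images. The following parser, written for this page as an added example and not taken from ESET's or Kaspersky's analysis, reads such a blob and reports whether a set of image hashes is revoked. The function names, the constructed sample dbx and the sample hashes are all invented here; the real hashes of the vulnerable bootloaders are not included and must be taken from Microsoft's published dbx update. Note that a plain SHA-256 of the file on disk is not what dbx stores, so comparing that would produce a false negative.

```python
"""Check whether given Authenticode SHA-256 image hashes are revoked in a UEFI dbx blob.

dbx layout (UEFI specification, EFI_SIGNATURE_LIST, repeated back to back):
    EFI_GUID  SignatureType        (16 bytes, little-endian GUID)
    UINT32    SignatureListSize    (whole list including this header)
    UINT32    SignatureHeaderSize  (normally 0)
    UINT32    SignatureSize        (size of each EFI_SIGNATURE_DATA entry)
    UINT8     SignatureHeader[SignatureHeaderSize]
    EFI_SIGNATURE_DATA Signatures[] = { EFI_GUID SignatureOwner; UINT8 SignatureData[] }
For EFI_CERT_SHA256_GUID lists SignatureData is the 32-byte Authenticode hash of a PE image.
"""
import hashlib
import struct
import sys
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIGLIST_HEADER_LEN = 28  # 16-byte GUID + three UINT32 fields


def parse_signature_lists(blob: bytes) -> list:
    """Return (signature_type, owner, data) for every entry in a db/dbx-style blob."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HEADER_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        # A zero or undersized list would never advance the cursor; reject it.
        if list_size < SIGLIST_HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError(f"invalid SignatureListSize at offset {off}")
        sigs_start = off + SIGLIST_HEADER_LEN + hdr_size
        sigs_end = off + list_size
        # Every EFI_SIGNATURE_DATA starts with a 16-byte owner GUID, so SignatureSize > 16.
        if sig_size <= 16 or (sigs_end - sigs_start) % sig_size:
            raise ValueError(f"invalid SignatureSize at offset {off}")
        for p in range(sigs_start, sigs_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[p:p + 16])
            entries.append((sig_type, owner, bytes(blob[p + 16:p + sig_size])))
        off += list_size
    return entries


def revoked_sha256_hashes(blob: bytes) -> set:
    """Lower-case hex of every SHA-256 image hash the blob forbids."""
    return {data.hex() for sig_type, _owner, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_SHA256_GUID and len(data) == 32}


def check_revocations(blob: bytes, hashes) -> dict:
    """Map each queried hex hash to True if dbx revokes it, False if it is still trusted."""
    revoked = revoked_sha256_hashes(blob)
    return {h.lower(): h.lower() in revoked for h in hashes}


def load_dbx(path: str, efivarfs: bool = False) -> bytes:
    """Read a dbx dump. Windows (elevated PowerShell):
         [IO.File]::WriteAllBytes("dbx.bin", (Get-SecureBootUEFI -Name dbx).Bytes)
    Linux: /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f,
    where efivarfs prepends 4 bytes of variable attributes (efivarfs=True strips them)."""
    with open(path, "rb") as f:
        data = f.read()
    return data[4:] if efivarfs else data


def build_sha256_list(hashes, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST of SHA-256 entries (used to build the sample below)."""
    sig_size = 16 + 32
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", SIGLIST_HEADER_LEN + len(body), 0, sig_size)
    return header + body


# Constructed sample data: NOT the hashes of any real Windows boot binary.
HASH_A = hashlib.sha256(b"constructed sample: vulnerable bootmgfw A").hexdigest()
HASH_B = hashlib.sha256(b"constructed sample: vulnerable bootmgfw B").hexdigest()
HASH_NOT_REVOKED = hashlib.sha256(b"constructed sample: current bootmgfw").hexdigest()
# Two lists back to back, as a real dbx accumulates them across updates.
SAMPLE_DBX = build_sha256_list([HASH_A]) + build_sha256_list([HASH_B])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        blob = load_dbx(sys.argv[1], efivarfs=sys.argv[1].startswith("/sys/"))
        queries = sys.argv[2:]  # Authenticode hashes from Microsoft's dbx update
    else:
        blob, queries = SAMPLE_DBX, [HASH_A, HASH_B, HASH_NOT_REVOKED]
    print(f"{len(revoked_sha256_hashes(blob))} SHA-256 entries in dbx")
    for h, is_revoked in check_revocations(blob, queries).items():
        print(f"{h}  {'revoked' if is_revoked else 'NOT revoked'}")
```

Run it with no arguments to see the constructed sample, or pass a dbx dump plus the hashes you care about. Whether Secure Boot is enabled at all is a separate question (`Confirm-SecureBootUEFI` on Windows); the point of this check is that an enabled Secure Boot still trusts any signed binary whose hash is absent from dbx, which is exactly the gap the bootkit walks through.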
The bootkit can disable several advanced security features at the OS level, such as BitLocker, HVCI, and Windows Defender. Smolár notes that once installed, the malware's main goal is to deploy a kernel driver, which protects the bootkit from removal. An HTTP downloader then contacts the command-and-control server for further instructions or additional user-mode or kernel-mode payloads.
According to Smolár, the BlackLotus offering found on hacker forums is genuine. The malware is as capable as the original seller claimed, and nobody yet knows who created it. So far, the most telling clue about its origins is that some BlackLotus installers do not proceed with the bootkit installation on systems located in Moldova, Russia, Ukraine, Belarus, Armenia, or Kazakhstan.
Smolár points out that UEFI bootkits are "very powerful threats" because they control the OS boot process and can disable various OS security mechanisms to deploy malicious payloads invisibly during startup. BlackLotus is the first instance of a genuinely all-powerful UEFI bootkit found in the wild. It probably won't be the last, since a proof-of-concept exploit for CVE-2022-21894 is already available on GitHub.