BlackLotus Malware Bypasses Secure Boot on Windows MachinesFirst in-the-Wild Bootkit Exploits Microsoft Vulnerability, Boots Up on Windows 11
Eset researchers discovered the first in-the-wild bootkit malware, called BlackLotus, bypassing security and booting up on fully up-to-date Windows 11 systems.
Security researchers found the Unified Extensible Firmware Interface bootkit in 2022 being sold on hacking forums for $5,000.
Secure Boot is the industry standard for ensuring only trusted operating systems can boot up a computer. BlackLotus malware can run on fully patched Windows 11 systems despite UEFI Secure Boot being enabled. It exploits a vulnerability that is more than one year old, tracked as CVE-2022-21894, to bypass UEFI Secure Boot and set up persistence for the bootkit.
Microsoft fixed this vulnerability in its January 2022 patch update, but BlackLotus adds vulnerable binaries to the system in order to exploit it.
A proof-of-concept exploit for this vulnerability has been publicly available since August 2022.
The malware can disable OS security mechanisms such as BitLocker, Hypervisor-Protected Code Integrity, and Windows Defender.
Martin Smolár, a malware analyst at Eset, says UEFI bootkits are very powerful threats. By gaining complete control over the OS boot process, he says, threat actors can disable "various OS security mechanisms" by "deploying their own kernel-mode or user-mode payloads in early OS startup stages."
This enables threat actors to operate stealthily and with high privileges, Smolár says.
Russian cybersecurity firm Kaspersky earlier this year spotted possible Chinese hackers modifying UEFI to implant malware known as CosmicStrand (see: Kaspersky Researchers Dissect Bootup Rootkit).
How BlackLotus Works
After installation, the malware deploys a kernal driver and an HTTP downloader responsible for communication with the command-and-control server and to load additional user-mode or kernel-mode payloads.
The bootkit is distributed in the form of installers and comes with two versions - offline and online. The difference between the two is the way they obtain legitimate Windows binaries used to circumvent the Secure Boot.
The installer is responsible for disabling "Windows security features such as BitLocker disk encryption and HVCI, and for deployment of multiple files, including the malicious bootkit, to the ESP," the researchers say.
Upon completion, the malware reboots the victim's machine, dropping additional files and ensuring the self-signed UEFI bootkit is executed silently on every system, irrespective of the UEFI Secure Boot protection status.
The malware does not proceed further if the victim's device is located in Romania, Russia, Ukraine, Belarus, Armenia or Kazakhstan, which indicates it may have originated from Russia or the Baltic region.