
BlackLotus Malware Bypasses Secure Boot on Windows Machines

First in-the-Wild Bootkit Exploits Microsoft Vulnerability, Boots Up on Windows 11

Eset researchers discovered the first in-the-wild bootkit malware, called BlackLotus, bypassing security and booting up on fully up-to-date Windows 11 systems.


Security researchers first saw the Unified Extensible Firmware Interface bootkit in 2022, when it was being sold on hacking forums for $5,000.

Secure Boot is the industry standard for ensuring only trusted operating systems can boot up a computer. BlackLotus malware can run on fully patched Windows 11 systems despite UEFI Secure Boot being enabled. It exploits a vulnerability that is more than one year old, tracked as CVE-2022-21894, to bypass UEFI Secure Boot and set up persistence for the bootkit.

Microsoft fixed this vulnerability in its January 2022 patch update, but BlackLotus adds vulnerable binaries to the system in order to exploit it.

A proof-of-concept exploit for this vulnerability has been publicly available since August 2022.

The malware can disable OS security mechanisms such as BitLocker, Hypervisor-Protected Code Integrity, and Windows Defender.

Martin Smolár, a malware analyst at Eset, says UEFI bootkits are very powerful threats. By gaining complete control over the OS boot process, he says, threat actors can disable "various OS security mechanisms" by "deploying their own kernel-mode or user-mode payloads in early OS startup stages."

This enables threat actors to operate stealthily and with high privileges, Smolár says.

Russian cybersecurity firm Kaspersky earlier this year spotted possible Chinese hackers modifying UEFI to implant malware known as CosmicStrand (see: Kaspersky Researchers Dissect Bootup Rootkit).

How BlackLotus Works

After installation, the malware deploys a kernel driver and an HTTP downloader responsible for communicating with the command-and-control server and for loading additional user-mode or kernel-mode payloads.

The bootkit is distributed in the form of installers and comes in two versions, offline and online. The difference between the two is the way they obtain the legitimate Windows binaries used to circumvent Secure Boot.

The installer is responsible for disabling "Windows security features such as BitLocker disk encryption and HVCI, and for deployment of multiple files, including the malicious bootkit, to the ESP," the researchers say.

Upon completion, the malware reboots the victim's machine, dropping additional files and ensuring the self-signed UEFI bootkit is executed silently every time the system starts, irrespective of the UEFI Secure Boot protection status.
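Added here as a defender's triage script, not code from Eset or from the article: it checks, on one Windows host, the traces the installer leaves behind as described above (Secure Boot state, HVCI, BitLocker, and unexpected or non-Microsoft-signed images on the ESP). It assumes administrator rights and that drive letter S: is free for mounting the ESP; the results are leads for review, not verdicts.

```powershell
# Added triage example (assumption: run as Administrator; S: is free for the ESP).
$findings = @()

# 1. Secure Boot. The bootkit runs even with it enabled, so 'on' alone proves nothing,
#    but 'off' is itself a finding worth explaining.
try { $sb = Confirm-SecureBootUEFI } catch { $sb = $null }
if (-not $sb) { $findings += "Secure Boot is off or unsupported on this host" }

# 2. HVCI. The installer disables it; a value of 2 in SecurityServicesRunning means
#    Hypervisor-Protected Code Integrity is currently running.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -notcontains 2) { $findings += "HVCI is not running" }

# 3. BitLocker. The installer also turns off disk encryption on the OS volume.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($os -and $os.ProtectionStatus -ne 'On') {
    $findings += "BitLocker protection is off on $env:SystemDrive"
}

# 4. ESP contents. The installer deploys extra files, including a self-signed bootkit,
#    to the EFI System Partition. Mount it read-only for inspection and unmount afterwards.
mountvol S: /S | Out-Null
try {
    Get-ChildItem -Path 'S:\EFI' -Recurse -Include *.efi -File | ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        # Expect a valid Microsoft (or OEM) signature. Self-signed, unsigned or
        # unknown-signer images are the ones to pull for analysis.
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
            $findings += "ESP binary $($_.FullName): status=$($sig.Status) signer=$signer"
        }
    }
} finally {
    mountvol S: /D | Out-Null
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

The legitimate Windows binaries the installer brings along are validly Microsoft-signed, so the signature check surfaces only the self-signed component; for those, hash the files and compare against the UEFI DBX revocation list or a known-good baseline of the ESP.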

The malware does not proceed further if the victim's device is located in Romania, Russia, Ukraine, Belarus, Armenia or Kazakhstan, which indicates it may have originated from Russia or the Baltic region.

About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
