DIGITAL LIFE

BlackLotus: first known malware capable of bypassing Secure Boot defenses
An invisible UEFI (Unified Extensible Firmware Interface) bootkit called BlackLotus became the first known malware capable of bypassing Secure Boot defenses.
“This bootkit can run even on fully updated Windows 11 systems with UEFI Secure Boot enabled,” Slovak cybersecurity company ESET said in a report it published.
Generally speaking, a UEFI bootkit resides in the system's firmware and provides full control over the operating system's boot process, thereby allowing operating system-level security mechanisms to be disabled.
BlackLotus retails for $5,000 (plus $200 for each subsequent version). It is powerful malware that is only 80 kilobytes in size. The malware can detect the user's location and thus avoids infecting computers located in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia and Ukraine.
Details about BlackLotus first surfaced in October 2022, with Kaspersky security researcher Sergei Lozhkin describing it as sophisticated crimeware.
BlackLotus uses a security vulnerability tracked as CVE-2022-21894 (Baton Drop) to bypass UEFI Secure Boot protections and establish persistence. Microsoft fixed this vulnerability in an update released in January 2022.
Successful exploitation of the vulnerability, according to ESET, allows execution of arbitrary code during the initial stages of boot, allowing attackers to perform malicious actions on a UEFI Secure Boot enabled system without physical access.
“This is the first publicly known exploit of this vulnerability,” said ESET researcher Martin Smolar, who added that “exploitation is still possible”.
BlackLotus brings its own copies of legitimate but vulnerable binaries onto the system to exploit the vulnerability, paving the way for a Bring Your Own Vulnerable Driver (BYOVD) attack.
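Because the attack reuses legitimately signed but vulnerable bootloaders, Secure Boot only refuses them if their hashes (or signing certificates) are present in the firmware's forbidden-signature database, DBX. The following PowerShell is an added example, not code from the article or from ESET; it checks the Secure Boot state and parses the live DBX into a count of revoked SHA-256 hashes and certificates, assuming the variable follows the EFI_SIGNATURE_LIST layout from the UEFI specification.

```powershell
# Added example (not from the article): summarise the firmware's forbidden-signature
# database (DBX), which Secure Boot consults to refuse revoked bootloaders. Run from an
# elevated PowerShell prompt on a UEFI machine; the cmdlets come from the built-in SecureBoot module.
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'
$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-DbxSummary {
    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not enabled".
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

    # DBX is a sequence of EFI_SIGNATURE_LIST structures: a 16-byte type GUID, three
    # UINT32 sizes (list, header, signature), an optional header, then the entries.
    $bytes  = (Get-SecureBootUEFI -Name dbx).Bytes
    $hashes = New-Object System.Collections.Generic.List[string]
    $certs  = 0
    $off    = 0
    while ($off + 28 -le $bytes.Length) {
        $type     = [guid]::new([byte[]]$bytes[$off..($off + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $off + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $off + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $off + 24)
        if ($listSize -lt 28 -or $sigSize -eq 0 -or $off + $listSize -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $off"
        }
        $first = $off + 28 + $hdrSize
        $count = [math]::Floor(($listSize - 28 - $hdrSize) / $sigSize)
        for ($i = 0; $i -lt $count; $i++) {
            # Each entry is a 16-byte SignatureOwner GUID followed by the signature data.
            $data = $first + $i * $sigSize + 16
            if ($type -eq $EFI_CERT_SHA256_GUID) {
                $hex = ($bytes[$data..($data + 31)] | ForEach-Object { $_.ToString('x2') }) -join ''
                $hashes.Add($hex)
            } elseif ($type -eq $EFI_CERT_X509_GUID) {
                $certs++
            }
        }
        $off += $listSize
    }
    [pscustomobject]@{
        SecureBootEnabled = $secureBoot
        DbxBytes          = $bytes.Length
        RevokedSha256     = $hashes.Count
        RevokedCerts      = $certs
        Sha256Hashes      = $hashes
    }
}

$summary = Get-DbxSummary
$summary | Select-Object SecureBootEnabled, DbxBytes, RevokedSha256, RevokedCerts | Format-List
```

Secure Boot reporting as enabled is necessary but not sufficient: a bootloader whose hash is absent from Sha256Hashes will still be loaded by the firmware.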
In addition to being able to disable security mechanisms such as BitLocker, HVCI (Hypervisor Protected Code Integrity) and Windows Defender, BlackLotus can also download additional malware.
The exact mode of operation of the bootkit is still unknown.
“Many critical vulnerabilities that affect the security of UEFI systems have been discovered in recent years,” said Smolar. “Unfortunately, due to the complexity of the entire UEFI ecosystem and supply chain issues, many of these vulnerabilities left many systems vulnerable even long after the vulnerabilities were patched – or at least after we were told they were patched. It was only a matter of time before someone exploited these bugs and made a UEFI bootkit capable of running on UEFI Secure Boot enabled systems.”
by: mundophone