BlackLotus Becomes First UEFI Bootkit Malware to Bypass Secure Boot on Windows 11

Mar 01, 2023 | Ravie Lakshmanan | Endpoint Security / Cyber Threat

A stealthy Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus has become the first publicly known malware capable of bypassing Secure Boot defenses, making it a potent threat in the cyber landscape.

“This bootkit can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled,” Slovak cybersecurity company ESET said in a report shared with The Hacker News.

UEFI bootkits are deployed in the system firmware and allow full control over the operating system (OS) boot process, thereby making it possible to disable OS-level security mechanisms and deploy arbitrary payloads during startup with high privileges.

Offered for sale at $5,000 (and $200 per new subsequent version), the powerful and persistent toolkit is programmed in Assembly and C and is 80 kilobytes in size. It also features geofencing capabilities to avoid infecting computers in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, and Ukraine.

Details about BlackLotus first emerged in October 2022, with Kaspersky security researcher Sergey Lozhkin describing it as a sophisticated crimeware solution.

“This represents a bit of a ‘leap’ forward, in terms of ease of use, scalability, accessibility, and most importantly, the potential for much more impact in the forms of persistence, evasion, and/or destruction,” Eclypsium’s Scott Scheferman noted.

BlackLotus, in a nutshell, exploits a security flaw tracked as CVE-2022-21894 (aka Baton Drop) to get around UEFI Secure Boot protections and set up persistence. The vulnerability was addressed by Microsoft as part of its January 2022 Patch Tuesday update.

A successful exploitation of the flaw allows arbitrary code execution during early boot phases, permitting a threat actor to carry out malicious actions on a system with UEFI Secure Boot enabled without having physical access to it, ESET said.

“This is the first publicly known, in-the-wild abuse of this vulnerability,” ESET researcher Martin Smolár said. “Its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list.”

“BlackLotus takes advantage of this, bringing its own copies of legitimate but vulnerable binaries to the system in order to exploit the vulnerability,” effectively paving the way for Bring Your Own Vulnerable Driver (BYOVD) attacks.
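The revocation list Smolár refers to is the Secure Boot `dbx` variable, a concatenation of `EFI_SIGNATURE_LIST` structures whose `EFI_CERT_SHA256` entries hold the Authenticode (PE image) SHA-256 hashes of revoked boot binaries. The parser below is an added example, not code from ESET or this article: it reads a raw `dbx` blob and answers whether a given Authenticode hash is actually revoked on a platform. The sample blob and its hashes are constructed placeholders; the `build_sha256_list` helper exists only to construct that sample.

```python
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_LIST_HDR = 28  # SignatureType(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner, data) for every entry in a chain of EFI_SIGNATURE_LISTs.

    On Linux the blob is /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
    minus its 4-byte attribute prefix; on Windows it is (Get-SecureBootUEFI -Name dbx).Bytes.
    """
    off = 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIG_LIST_HDR + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16:  # every entry starts with a 16-byte SignatureOwner GUID
            raise ValueError("bad SignatureSize")
        body = blob[off + SIG_LIST_HDR + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature data is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            yield sig_type, owner, body[i + 16:i + sig_size]
        off += list_size


def revoked_sha256(blob: bytes) -> set:
    """Hex SHA-256 hashes revoked by dbx (X.509 and other entry types are ignored)."""
    return {data.hex() for t, _, data in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, authenticode_sha256_hex: str) -> bool:
    # Note: the hash must be the PE Authenticode digest, not a plain file hash.
    return authenticode_sha256_hex.lower() in revoked_sha256(blob)


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of EFI_CERT_SHA256 entries (used to construct sample data)."""
    entries = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes)
    header = struct.pack("<III", SIG_LIST_HDR + len(entries), 0, 16 + 32)
    return EFI_CERT_SHA256_GUID.bytes_le + header + entries


# Constructed sample dbx with placeholder hashes; these are NOT real revocation entries.
SAMPLE_DBX = build_sha256_list(["11" * 32, "22" * 32]) + build_sha256_list(["33" * 32])
```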

Besides being equipped to turn off security mechanisms like BitLocker, Hypervisor-protected Code Integrity (HVCI), and Windows Defender, it’s also engineered to drop a kernel driver and an HTTP downloader that communicates with a command-and-control (C2) server to retrieve additional user-mode or kernel-mode malware.

The exact modus operandi used to deploy the bootkit is unknown as yet, but it starts with an installer component that’s responsible for writing the files to the EFI system partition, disabling HVCI and BitLocker, and then rebooting the host.

The restart is followed by the weaponization of CVE-2022-21894 to achieve persistence and install the bootkit, after which it is automatically executed on every system start to deploy the kernel driver.

While the driver is tasked with launching the user-mode HTTP downloader and running next-stage kernel-mode payloads, the latter is capable of executing commands received from the C2 server over HTTPS.

This includes downloading and executing a kernel driver, DLL, or a regular executable; fetching bootkit updates; and even uninstalling the bootkit from the infected system.

“Many critical vulnerabilities affecting security of UEFI systems have been discovered in the last few years,” Smolár said. “Unfortunately, due to the complexity of the whole UEFI ecosystem and related supply-chain problems, many of these vulnerabilities have left many systems vulnerable even a long time after the vulnerabilities have been fixed, or at least after we were told they were fixed.”

“It was just a matter of time before someone would take advantage of these failures and create a UEFI bootkit capable of operating on systems with UEFI Secure Boot enabled.”
