ESET Research Podcast: Finding the mythical BlackLotus bootkit | WeLiveSecurity

A story of how an analysis of a supposed game cheat turned into the discovery of a powerful UEFI threat

Towards the end of 2022, an unknown threat actor boasted on an underground forum that they had created a new and powerful UEFI bootkit called BlackLotus. Its most distinctive advertised feature? It could bypass UEFI Secure Boot, the firmware-level check built into modern computers that is meant to stop them from loading unsigned or otherwise untrusted boot components.

What at first sounded like a myth, especially on a fully updated Windows 11 system, turned into reality a few months later, when ESET researchers found a sample that matched this headline capability as well as all the other attributes of the advertised bootkit.

In this episode of the ESET Research podcast, ESET Distinguished Researcher and host Aryeh Goretsky talks to ESET Malware Researcher Martin Smolár about how he discovered the threat and what the main findings of his analysis were.

In the discussion, Martin reveals that he initially took the BlackLotus sample for a game cheat and describes the moment when he realized he had found something far more dangerous. To head off a common misconception, Martin also explains the difference between malicious UEFI firmware implants and threats that “only” target the EFI System Partition: the former modify the firmware itself, whereas the latter live on disk alongside the legitimate bootloader, which matters for both detection and cleanup. To make the information actionable for listeners, the final part of the discussion explores the prevention and mitigation of UEFI attacks.

For more details, such as who might be affected by BlackLotus or how a threat actor might obtain the bootkit, listen to the whole episode of the ESET Research podcast on Spotify, Google Podcasts, Apple Podcasts, or PodBean. And if you like what you hear, subscribe for more.
