Confirmed: Available for $5,000 The BlackLotus boot kit bypasses Secure Boot and can be embedded in UEFI

BlackLotus, a bootkit that targets the Unified Extensible Firmware Interface (UEFI), is the first known in-the-wild malware capable of bypassing Secure Boot, The Hacker News reported, citing research by the Slovak cybersecurity company ESET. "This bootkit can even run on fully upgraded Windows 11 systems with UEFI Secure Boot enabled," ESET noted.

Image source: The Hacker News

The first details about BlackLotus were revealed in October 2022 by Sergey Lozhkin, a researcher at Kaspersky Lab, who described the bootkit as sophisticated criminal software.

BlackLotus bypasses UEFI Secure Boot by exploiting CVE-2022-21894, also known as Baton Drop. According to ESET, the flaw allows arbitrary code execution during the early boot phases, which lets the bootkit be deployed on a system with UEFI Secure Boot enabled without any physical access to the machine.

BlackLotus is offered on the dark web for $5,000, with each subsequent version priced at $200. The 80-kilobyte bootkit is written in assembly and C, and it includes geofencing logic that avoids infecting computers located in CIS countries.

Microsoft fixed the vulnerability in its January 2022 Patch Tuesday release. ESET researcher Martin Smolár warned, however, that the BlackLotus threat persists: the affected, validly signed Windows boot binaries have still not been added to the UEFI revocation list (DBX), so the bootkit can bring its own copies of those vulnerable binaries and exploit them even on a fully patched system.
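The practical check that follows from this is whether a given boot binary's hash is actually present in the firmware's DBX. The Python below is an added example and is not code from the article or from ESET's research; it parses the EFI_SIGNATURE_LIST structures that make up the DBX variable (layout per the UEFI specification) and tests a SHA-256 entry for membership. It assumes the raw variable bytes are obtained separately, for example with `(Get-SecureBootUEFI -Name dbx).Bytes` on Windows, or on Linux by reading `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` and dropping the 4-byte attribute prefix that efivarfs prepends. The owner GUID and the two hashes in the sample DBX are constructed for the demonstration and are not real revocation entries.

```python
"""Parse a UEFI Secure Boot DBX (forbidden-signature database) and test
whether a SHA-256 entry is revoked.

Added example, not code from the article or from ESET's report.
Assumed input: a concatenation of EFI_SIGNATURE_LIST structures, as stored
in the dbx variable (Windows: (Get-SecureBootUEFI -Name dbx).Bytes;
Linux: efivarfs file minus its 4-byte attribute prefix).
"""
import hashlib
import struct
import uuid

# SignatureType GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
SIG_LIST_HDR = struct.Struct("<16sIII")


def parse_signature_lists(blob: bytes):
    """Return [(sig_type, owner, data), ...] for every EFI_SIGNATURE_DATA entry."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(blob, off)
        if list_size < SIG_LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size <= 16:  # each entry is a 16-byte SignatureOwner GUID plus data
            raise ValueError("bad SignatureSize")
        body = blob[off + SIG_LIST_HDR.size + hdr_size : off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        sig_type = uuid.UUID(bytes_le=type_raw)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i : i + 16])
            entries.append((sig_type, owner, body[i + 16 : i + sig_size]))
        off += list_size
    return entries


def revoked_sha256_hashes(blob: bytes) -> set:
    """Hex digests of all EFI_CERT_SHA256 entries. For PE images these are
    Authenticode hashes, not flat file hashes, so hash the binary accordingly."""
    return {d.hex() for t, _, d in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, sha256_hex: str) -> bool:
    """True if the given SHA-256 (hex) appears in the DBX blob."""
    return sha256_hex.lower() in revoked_sha256_hashes(blob)


def strip_efivars_attributes(raw: bytes) -> bytes:
    """efivarfs files start with a 4-byte attributes field; the data follows."""
    return raw[4:]


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, datas) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST; used here only to construct sample input."""
    sig_size = 16 + len(datas[0])
    list_size = SIG_LIST_HDR.size + sig_size * len(datas)
    out = SIG_LIST_HDR.pack(sig_type.bytes_le, list_size, 0, sig_size)
    for d in datas:
        if len(d) + 16 != sig_size:
            raise ValueError("all entries in one list must have the same size")
        out += owner.bytes_le + d
    return out


# Constructed sample DBX (assumption: made-up owner GUID and hashes, not real entries).
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
REVOKED_A = hashlib.sha256(b"constructed vulnerable bootmgr A").digest()
REVOKED_B = hashlib.sha256(b"constructed vulnerable bootmgr B").digest()
SAMPLE_DBX = build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [REVOKED_A, REVOKED_B])

if __name__ == "__main__":
    print(len(revoked_sha256_hashes(SAMPLE_DBX)), "revoked SHA-256 entries in sample DBX")
    print("entry A revoked:", is_revoked(SAMPLE_DBX, REVOKED_A.hex()))
```

On a real machine, replace `SAMPLE_DBX` with the bytes read from the firmware variable and pass the Authenticode hash of the boot manager you are worried about; a `False` result for a binary known to be vulnerable is exactly the gap ESET describes.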

Besides disabling security mechanisms such as BitLocker, Hypervisor-protected Code Integrity (HVCI) and Windows Defender, the bootkit deploys a kernel driver and an HTTP downloader that communicates with the command-and-control (C2) infrastructure to fetch and launch additional user-mode or kernel-mode payloads.

About the author

Robbie Elmers

Robbie Elmers is a staff writer for Tech News Space, covering software, applications and services.
