Why it matters: Discovered in October 2022, BlackLotus is a powerful UEFI-compatible bootkit sold on underground marketplaces at $5,000 per license. The malware provides impressive capabilities, and a new analysis now confirms security experts' worst fears.

BlackLotus is a potent threat against modern firmware-based computer security. This UEFI bootkit puts offensive capabilities previously available only to advanced persistent threat (APT) and state-sponsored groups into the hands of script kiddies and any paying "customer." Kaspersky researchers discovered and dissected the malware in 2022 and found a very compact mixture of Assembly and C code.

A new report by ESET analyst Martin Smolár now confirms one of the most outstanding and dangerous capabilities of the malware: BlackLotus is the first "in-the-wild" UEFI bootkit to compromise a system even when the Secure Boot feature is correctly enabled. Smolár says it's a malicious kit that can run on fully updated UEFI systems.

BlackLotus can also do its dirty deeds on a fully updated Windows 11 system. The Slovak security company says the malware is the first publicly known threat designed to abuse CVE-2022-21894, the "Secure Boot Security Feature Bypass Vulnerability." Microsoft fixed this flaw in January 2022. However, bad actors can still exploit it using validly signed binaries that have not been added to the UEFI revocation list (the DBX).

The bootkit can disable many advanced security features at the OS level, such as BitLocker, HVCI, and Windows Defender. Smolár notes that once installed, the malware's primary goal is to deploy a kernel driver, which protects the bootkit from removal. An HTTP downloader then contacts the command-and-control (C2) server for further instructions or additional user-mode or kernel-mode malicious payloads.
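The two paragraphs above name the controls that matter here: the exploit only works while the vulnerable signed binaries are absent from the UEFI revocation list, and the bootkit then switches off BitLocker, HVCI and Defender. The read-only posture check below is an added example written for this article, not code from ESET or the report; the function name `Get-BootkitPosture` is hypothetical, and it assumes an elevated PowerShell session on a Windows 10/11 UEFI machine with the Defender and BitLocker modules present.

```powershell
# Added example (not from the article or ESET): snapshot the protections the
# article says BlackLotus relies on or disables. Run as Administrator.
function Get-BootkitPosture {
    $result = [ordered]@{}

    # Secure Boot must be enabled for the DBX revocation list to matter at all.
    try { $result.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $result.SecureBootEnabled = $null }   # legacy BIOS or not elevated

    # CVE-2022-21894 is blocked only if the vulnerable signed binaries are in
    # the dbx. This script cannot judge the dbx contents, so it records the
    # length and a SHA-256 fingerprint to compare against a baseline you keep
    # from a freshly patched host; an unexpected change (or shrink) is the signal.
    try {
        $dbx = (Get-SecureBootUEFI -Name dbx).Bytes
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $result.DbxLengthBytes = $dbx.Length
        $result.DbxSha256 = ([BitConverter]::ToString($sha.ComputeHash($dbx))).Replace('-', '')
    }
    catch { $result.DbxLengthBytes = $null; $result.DbxSha256 = $null }

    # HVCI: SecurityServicesRunning contains 2 when hypervisor-enforced
    # code integrity is actually running (not merely configured).
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result.HvciRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    # Defender real-time protection and BitLocker on the OS volume.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $result.DefenderRealTime = [bool]($mp -and $mp.RealTimeProtectionEnabled)
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $result.BitLockerOn = [bool]($osVol -and ($osVol.ProtectionStatus -eq 'On'))

    [pscustomobject]$result
}

$posture = Get-BootkitPosture
$posture | Format-List

# A host that previously reported True for any of these and now reports False
# deserves a ticket; the bootkit's first job after install is to turn them off.
if (-not $posture.SecureBootEnabled -or -not $posture.HvciRunning -or
    -not $posture.DefenderRealTime -or -not $posture.BitLockerOn) {
    Write-Warning "One or more boot-time protections is off; compare DbxSha256 with your baseline."
}
```

Collecting this output centrally and diffing `DbxSha256` against a known-good value is the practical way to tell whether the revocation list on a fleet has actually received the entries that close this bypass.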

According to Smolár, the BlackLotus offer discovered on hacker forums is genuine. The malware is as capable as the original seller said, and we don't know who created it yet. So far, the most telling evidence about its origins is that some BlackLotus installers do not proceed with bootkit installation on systems located in Moldova, Russia, Ukraine, Belarus, Armenia, or Kazakhstan.

Smolár points out that UEFI bootkits are "very powerful threats" because they control the OS boot process and disable various OS security mechanisms to deploy malicious payloads invisibly during startup. BlackLotus is the first instance of a genuinely all-powerful UEFI bootkit discovered in the wild. It likely won't be the last, since a proof-of-concept to exploit CVE-2022-21894 is already available on GitHub.