Cybersecurity analysts at ESET recently reported that BlackLotus, a stealthy bootkit for UEFI (Unified Extensible Firmware Interface), has gained notoriety as the first malware known to successfully evade Secure Boot defenses in the wild, making it a formidable threat.
It runs even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled.
Because a UEFI bootkit runs from system firmware, it gains full control over the operating system's boot process.
From that position it can disable OS-level security mechanisms and install arbitrary payloads with high privileges during startup.
Since October 2022, the UEFI bootkit has been available for purchase on hacking forums at a price of $5,000. Additionally, new versions of the bootkit are available at $200 each.
At 80 kilobytes in size, this compact and persistent bootkit is written in Assembly and C. It also includes geofencing to avoid infecting computers in the following places:
Information about BlackLotus first surfaced in October 2022, when Kaspersky security researcher Sergey Lozhkin described it as a sophisticated crimeware solution.
In essence, BlackLotus exploits a security vulnerability tracked as CVE-2022-21894 (also known as Baton Drop) to bypass UEFI Secure Boot protections and establish persistence.
Successful exploitation of this vulnerability allows arbitrary code execution during the early boot stages, which in turn lets an attacker perform malicious actions on a system with UEFI Secure Boot enabled without needing physical access.
This is the first publicly known in-the-wild abuse of the vulnerability. It remains exploitable because the affected, legitimately signed binaries have still not been added to the UEFI revocation list (dbx).
BlackLotus takes advantage of this by bringing its own copies of the legitimate but vulnerable binaries onto the system and exploiting the flaw through them.
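A defender can check whether the Authenticode SHA-256 hash of a bootloader they are worried about is already present in the firmware's dbx revocation list. The following added Python example (not code from the article or from ESET) parses the EFI_SIGNATURE_LIST format that the dbx variable uses; the dbx blob and the hashes in it are constructed placeholders, and the Authenticode hash of a real binary must be computed separately, since it is not a plain hash of the file.

```python
import struct
import uuid
from typing import Dict, List, Set

# GUID that marks SHA-256 hash entries inside an EFI_SIGNATURE_LIST (UEFI spec, EFI_CERT_SHA256_GUID)
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIGLIST_HEADER_LEN = 28  # SignatureType(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)


def parse_signature_lists(blob: bytes) -> Dict[str, List[bytes]]:
    """Walk a chain of EFI_SIGNATURE_LIST structures (the layout of db/dbx contents)
    and return {signature_type_guid: [signature_data, ...]}."""
    out: Dict[str, List[bytes]] = {}
    off = 0
    while off + SIGLIST_HEADER_LEN <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])  # GUIDs are stored mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIGLIST_HEADER_LEN or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos = off + SIGLIST_HEADER_LEN + hdr_size
        end = off + list_size
        bucket = out.setdefault(str(sig_type), [])
        while pos + sig_size <= end:
            # Each EFI_SIGNATURE_DATA = SignatureOwner GUID (16 bytes) followed by SignatureData
            bucket.append(blob[pos + 16:pos + sig_size])
            pos += sig_size
        off += list_size
    return out


def revoked_sha256_hashes(dbx_blob: bytes) -> Set[str]:
    """All SHA-256 image hashes revoked by this dbx, as lowercase hex."""
    return {h.hex() for h in parse_signature_lists(dbx_blob).get(str(EFI_CERT_SHA256_GUID), [])}


def is_revoked(dbx_blob: bytes, authenticode_sha256_hex: str) -> bool:
    """True if the given Authenticode SHA-256 hash is blocked by dbx."""
    return authenticode_sha256_hex.lower() in revoked_sha256_hashes(dbx_blob)


def build_sha256_list(hashes: List[bytes], owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries; used here only to construct sample input."""
    sig_size = 16 + 32
    body = b"".join(owner.bytes_le + h for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", SIGLIST_HEADER_LEN + len(body), 0, sig_size) + body


# Constructed sample dbx with two placeholder hashes (not real revocation entries)
SAMPLE_DBX = build_sha256_list([bytes.fromhex("aa" * 32), bytes.fromhex("bb" * 32)])

if __name__ == "__main__":
    print("revoked:", is_revoked(SAMPLE_DBX, "aa" * 32), "not revoked:", is_revoked(SAMPLE_DBX, "cc" * 32))
```

On a real host the blob comes from `Get-SecureBootUEFI -Name dbx` on Windows, or from `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` on Linux, where the first 4 bytes are variable attributes and must be skipped before parsing.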
BlackLotus also installs a kernel driver and an HTTP downloader, and it has the notable ability to disable security mechanisms such as:
These components communicate with a command-and-control (C2) server to download additional malware in either of the following forms:
The precise method used to deploy the bootkit is not yet clearly understood, but it appears to start with an installer component responsible for writing the files to the EFI system partition.
The installer then disables HVCI and BitLocker and reboots the host. On restart, it exploits CVE-2022-21894 to gain persistence and install the bootkit.
The bootkit also contains several exploits that let the attacker keep control of the system by having the kernel driver executed automatically at every start-up.
First, the kernel driver launches the HTTP downloader in user mode; second, it executes the second-stage kernel-mode payloads that the HTTP downloader fetches.
The malware's actions are multifaceted: it downloads and executes various forms of malicious software, such as a kernel driver, a DLL, or a standard executable.
It can also fetch bootkit updates and even uninstall the bootkit from the infected system.
Numerous critical vulnerabilities with the potential to undermine the security of UEFI systems have been identified in recent years.
However, because of the complexity of the UEFI ecosystem and its supply-chain issues, many systems have remained vulnerable long after the flaws were addressed, or at least after we were told they had been fixed.
As systems with UEFI Secure Boot enabled have become increasingly common, it was inevitable that malicious actors would exploit these vulnerabilities.
Below are the mitigations recommended by the security analysts: