BlackLotus UEFI bootkit can defeat Secure Boot protection

Why it matters: Discovered in October 2022, BlackLotus is a powerful UEFI-compatible bootkit sold on underground marketplaces at $5,000 per license. The malware provides impressive capabilities, and a new analysis now confirms security experts’ worst fears.

BlackLotus is a potent threat against modern firmware-based computer security. This UEFI bootkit brings offensive capabilities previously available only to advanced persistent threat (APT) and state-sponsored groups to script kiddies and any paying “customer.” Kaspersky researchers discovered and dissected the malware in 2022 and found a very compact mixture of Assembly and C code.

A new report by ESET analyst Martin Smolár now confirms one of the most notable and dangerous capabilities of the malware: BlackLotus is the first “in-the-wild” UEFI bootkit to compromise a system even when the Secure Boot feature is correctly enabled. Smolár says it’s a malicious kit that can run on fully updated UEFI systems.

BlackLotus can also do its dirty deeds on a fully updated Windows 11 system. The Slovak security enterprise says the malware is the first publicly known threat designed to abuse the CVE-2022-21894 “Secure Boot Security Feature Bypass Vulnerability.” Microsoft fixed this flaw in January 2022. However, bad actors can still exploit it using validly signed binary files not added to the UEFI revocation list.
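The revocation list the article refers to is the UEFI dbx variable, a chain of EFI_SIGNATURE_LIST structures whose SHA-256 entries name forbidden boot images. The following added example (not code from the article or from ESET) parses that on-disk layout and checks whether a given image hash has been revoked; the dbx contents and hashes are constructed sample values, not real revocations.

```python
"""Parse a UEFI Secure Boot dbx blob and check whether an image hash is revoked.
Layout per the UEFI spec: EFI_SIGNATURE_LIST = SignatureType GUID (16) +
SignatureListSize (u32) + SignatureHeaderSize (u32) + SignatureSize (u32) +
header bytes + N * (SignatureOwner GUID (16) + SignatureData)."""
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI specification: list of SHA-256 image hashes.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HEADER_LEN = 28  # fixed part of EFI_SIGNATURE_LIST


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner_guid, data) for every entry in the blob."""
    off = 0
    while off + HEADER_LEN <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + HEADER_LEN + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def revoked_sha256(blob: bytes) -> set:
    """All SHA-256 entries in the blob, as lowercase hex."""
    return {d.hex() for t, _, d in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID}


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Build one SHA-256 EFI_SIGNATURE_LIST; used here only to construct sample data."""
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, 48)
    return header + body


# Constructed sample values (not real dbx contents): two revoked hashes, one not.
REVOKED_A, REVOKED_B, NOT_REVOKED = "11" * 32, "22" * 32, "33" * 32
SAMPLE_DBX = build_sha256_list([REVOKED_A, REVOKED_B])


def is_revoked(image_sha256_hex: str, dbx_blob: bytes = SAMPLE_DBX) -> bool:
    """True if the image hash appears in dbx. Note: dbx stores the Authenticode
    (PE image) digest, not a plain hash of the file bytes."""
    return image_sha256_hex.lower() in revoked_sha256(dbx_blob)
```

On a live system the blob to feed `parse_signature_lists` is the dbx variable (for example the `dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` file under efivarfs on Linux, after skipping its 4-byte attribute prefix).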

The bootkit can disable many advanced security features at the OS level, such as BitLocker, HVCI, and Windows Defender. Smolár notes that once installed, the malware’s primary goal is to deploy a kernel driver, which protects the bootkit from removal. Then an HTTP downloader contacts the command-and-control server for further instructions or additional user-mode or kernel-mode malicious payloads.

According to Smolár, the BlackLotus offer discovered on hacker forums is genuine. The malware is as capable as the original seller said, and we don’t know who created it yet. So far, the most telling evidence about its origins is that some BlackLotus installers do not proceed with bootkit installation on systems located in Moldova, Russia, Ukraine, Belarus, Armenia, or Kazakhstan.

Smolár points out that UEFI bootkits are “very powerful threats” because they control the OS boot process and disable various OS security mechanisms to deploy malicious payloads invisibly during startup. BlackLotus is the first instance of a genuinely all-powerful UEFI bootkit discovered in the wild. It likely won’t be the last since a proof-of-concept to exploit CVE-2022-21894 is already available on GitHub.
