According to ESET, even the new Windows 11 with its UEFI Secure Boot protection is not safe from the "BlackLotus" bootkit. The bootkit is already active in the wild and is being actively offered on hacker forums.
Red alert for Windows users: ESET researchers have identified a bootkit that is able to bypass key security features of UEFI Secure Boot, a security mechanism used by Windows. Even a fully patched Windows 11 system with Secure Boot enabled is no obstacle to the malware. Based on the bootkit's functionality and its individual characteristics, the experts at the European IT security company assume that the threat known as BlackLotus is involved. The UEFI bootkit has been sold on hacker forums for $5,000 since October 2022.
Even an updated Windows 11 is not safe
"We received the first clues from hits in our telemetry at the end of 2022. These turned out to be a component of BlackLotus, an HTTP downloader. After an initial analysis, code patterns found in the samples led us to six BlackLotus installers. This allowed us to examine the entire execution chain and see that we are not just dealing with regular malware here," says Martin Smolár, the ESET researcher who led the bootkit investigation.
Vulnerability is exploited
BlackLotus exploits a vulnerability (CVE-2022-21894) that is more than a year old to bypass UEFI Secure Boot and persist on the machine. This is the first known exploitation of this vulnerability in the wild. Although the vulnerability was fixed with Microsoft's January 2022 update, it can still be abused, because the affected, validly signed binaries have still not been added to the UEFI revocation list (the dbx database). BlackLotus takes advantage of this by bringing its own copies of the legitimate but vulnerable binaries onto the system.
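The point above is that Secure Boot only rejects a validly signed binary once its hash (or signing certificate) lands in the firmware's revocation database, dbx. A defender can therefore check what their own dbx actually revokes. The following parser is an added example written for this article, not ESET's code or any BlackLotus artifact: it walks the EFI_SIGNATURE_LIST structures that make up dbx and answers whether a given hash is revoked. The GUID constants and struct layouts come from the UEFI specification; the sample dbx blob and the hashes in it are constructed here for illustration and do not correspond to any real revoked bootloader. Note that dbx entries are Authenticode (PE image) SHA-256 hashes, not flat file digests, so the hash you query must be computed the way signtool or pesign does, not with a plain `sha256sum`.

```python
import struct
import uuid

# Well-known GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
# Linux exposes dbx via efivarfs; on Windows use (Get-SecureBootUEFI -Name dbx).Bytes
EFIVARS_DBX_PATH = f"/sys/firmware/efi/efivars/dbx-{EFI_IMAGE_SECURITY_DATABASE_GUID}"

SIG_LIST_HEADER = 16 + 4 + 4 + 4  # SignatureType GUID + ListSize + HeaderSize + SignatureSize


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner_guid, signature_data) for every entry in a
    concatenation of EFI_SIGNATURE_LIST structures (the raw content of db/dbx)."""
    off = 0
    while off + SIG_LIST_HEADER <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        # Reject sizes that would loop forever or run past the buffer.
        if list_size < SIG_LIST_HEADER or sig_size < 16 or off + list_size > len(blob):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos = off + SIG_LIST_HEADER + hdr_size
        end = off + list_size
        while pos + sig_size <= end:
            # Each EFI_SIGNATURE_DATA is a 16-byte owner GUID followed by the payload.
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def revoked_sha256_hashes(blob: bytes) -> set:
    """All EFI_CERT_SHA256 entries in the blob, as lowercase hex strings."""
    return {data.hex() for t, _, data in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, authenticode_sha256_hex: str) -> bool:
    """True if the given Authenticode SHA-256 hash is present in the dbx blob."""
    return authenticode_sha256_hex.lower() in revoked_sha256_hashes(blob)


def load_dbx_from_efivars(path: str = EFIVARS_DBX_PATH) -> bytes:
    """Read dbx from efivarfs; efivarfs prefixes each variable with a 4-byte attribute word."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, entries: list) -> bytes:
    """Build one EFI_SIGNATURE_LIST (all entries must have equal length).
    Used here only to construct sample data; firmware and the OS build the real dbx."""
    sig_size = 16 + len(entries[0])
    body = b"".join(owner.bytes_le + e for e in entries)
    header = sig_type.bytes_le + struct.pack("<III", SIG_LIST_HEADER + len(body), 0, sig_size)
    return header + body


# Constructed sample data (hypothetical hashes, not real revocations).
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-00000000cafe")
SAMPLE_REVOKED_HASHES = [bytes([0x11]) * 32, bytes([0x22]) * 32]
SAMPLE_FAKE_CERT = b"\x30\x82\x00\x10" + b"\x00" * 16  # placeholder DER, not a real certificate
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, SAMPLE_REVOKED_HASHES)
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_FAKE_CERT])
)

if __name__ == "__main__":
    for t, owner, data in parse_signature_lists(SAMPLE_DBX):
        kind = "sha256" if t == EFI_CERT_SHA256_GUID else "x509" if t == EFI_CERT_X509_GUID else str(t)
        print(f"{kind:7} owner={owner} data={data[:8].hex()}...")
    print("revoked:", is_revoked(SAMPLE_DBX, SAMPLE_REVOKED_HASHES[0].hex()))
```

To check a live system, replace `SAMPLE_DBX` with `load_dbx_from_efivars()` and compare against the Authenticode hash of the bootloader you care about; if the hash is absent, the firmware will still boot that binary regardless of how many Windows patches are installed, which is exactly the gap the article describes.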
Wide range of possibilities
BlackLotus is able to disable operating system security mechanisms such as BitLocker, HVCI and Windows Defender. Once installed, the malware's main goal is to install a kernel driver (which it protects from removal, among other things) and an HTTP downloader. The latter is responsible for communicating with the command and control server and can load additional payloads for user mode or kernel mode. Interestingly, some BlackLotus installers do not proceed with the bootkit installation if the compromised machine uses locales from Armenia, Belarus, Kazakhstan, Moldova, Russia, or Ukraine.
BlackLotus has been promoted and sold on underground forums since at least early October 2022. "We have evidence that the bootkit is genuine and that the advertisement for it is not a scam," says Smolár. "The small number of BlackLotus samples we've received from both public sources and our telemetry leads us to suspect that not many hackers have started using it yet. We fear that this will change quickly should this bootkit find its way into the hands of crimeware groups, because it is easy to distribute and can be spread by these groups via botnets, for example."
What is a boot kit?
UEFI bootkits are very powerful threats to any computer. Once they gain full control over the operating system boot process, they can disable various operating system security mechanisms and inject their own kernel- or user-mode malicious code in the early stages of boot. As a result, they operate covertly and with high privileges. To date, only a few bootkits have been discovered in the wild and publicly described. Compared to firmware implants — like LoJax, the first UEFI firmware implant in the wild, discovered by ESET in 2018 — UEFI bootkits can lose some of their stealth because they reside on an easily accessible FAT32 disk partition. However, when run as a bootloader, they have almost the same capabilities without having to overcome the multiple layers of security that protect against firmware implants. "The best tip is to keep the system and its security solution up to date. This increases the chance that a potential threat will be stopped early on, before it infiltrates the operating system," concludes Smolár.
What is UEFI?
UEFI stands for "Unified Extensible Firmware Interface" and describes the firmware of the mainboard, which forms the interface between hardware and software during the boot process. An essential function of UEFI is Secure Boot, which is meant to prevent malware from being loaded before the operating system starts. That is why bypassing this security feature is so dangerous.
About ESET
ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.