
A stealthy Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus became the first known malware capable of bypassing Secure Boot defenses, making it a powerful threat in the cyber environment.
“This bootkit can even run on fully modern Windows 11 systems with UEFI Secure Boot enabled,” said Slovak cybersecurity firm ESET in a report shared with The Hacker News.
UEFI bootkits are deployed in the system firmware and allow full control over the operating system (OS) boot process, enabling the overriding of OS-level security mechanisms and the ability to deploy arbitrary payloads with elevated privileges at boot time.
Priced at $5,000 (plus $200 for each subsequent new version), this powerful, persistent toolkit is written in assembly and C and is 80 kilobytes in size. It also has geofencing capabilities to avoid infecting computers in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, and Ukraine.
Details about BlackLotus first surfaced in October 2022, when Kaspersky security researcher Sergey Lozhkin described BlackLotus as a sophisticated crimeware solution.
Scott Scheferman of Eclypsium said, “This is a little bit more in terms of usability, scalability, accessibility, and most importantly the potential for greater impact in the form of persistence, evasion, and/or destruction. It means ‘leap’.”
In a nutshell, BlackLotus exploits a security flaw tracked as CVE-2022-21894 (aka Baton Drop) to bypass UEFI Secure Boot protections and establish persistence. Microsoft fixed this vulnerability in its January 2022 monthly patch update.
Successful exploitation of this vulnerability may allow arbitrary code execution during the early boot phase, enabling an attacker to perform malicious actions on systems with UEFI Secure Boot enabled without physical access, according to ESET.

ESET researcher Martin Smolár said: “Affected validly signed binaries have not yet been added to the UEFI revocation list and are therefore potentially exploitable.”
“BlackLotus takes advantage of this by bringing its own copy of a legitimate but vulnerable binary onto the system in order to exploit the vulnerability,” effectively paving the way for Bring Your Own Vulnerable Driver (BYOVD) attacks.
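The defensive counterpart to the revocation gap described above is checking whether a boot binary's hash is actually present in the UEFI forbidden-signature database (dbx). The following is an added example, not ESET's code or BlackLotus artifacts: a parser for the EFI_SIGNATURE_LIST format in which dbx is stored, with a membership check for a SHA-256 entry. The GUIDs and layout follow the UEFI specification; the sample dbx blob and hashes are constructed inline.

```python
import hashlib
import struct
import uuid

# SignatureType GUIDs from the UEFI spec: SHA-256 hash entries and X.509 certificate entries.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
LIST_HDR = 16 + 4 + 4 + 4   # SignatureType GUID + SignatureListSize + SignatureHeaderSize + SignatureSize
SHA256_ENTRY = 16 + 32      # EFI_SIGNATURE_DATA: SignatureOwner GUID + 32-byte hash

def parse_dbx_sha256(blob: bytes) -> set:
    """Collect SHA-256 hashes from a dbx blob (concatenated EFI_SIGNATURE_LISTs).
    Other list types (e.g. X.509) are skipped. dbx hashes of PE images are
    Authenticode hashes, not plain file hashes, so compare against those."""
    hashes = set()
    off = 0
    while off + LIST_HDR <= len(blob):
        # UEFI stores GUIDs mixed-endian; bytes_le decodes that layout.
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < LIST_HDR or off + list_size > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        entry = off + LIST_HDR + hdr_size
        if sig_type == EFI_CERT_SHA256_GUID and sig_size == SHA256_ENTRY:
            while entry + sig_size <= off + list_size:
                hashes.add(blob[entry + 16:entry + sig_size].hex())  # skip owner GUID
                entry += sig_size
        off += list_size
    return hashes

def is_revoked(authenticode_sha256_hex: str, dbx_blob: bytes) -> bool:
    """True if the given Authenticode SHA-256 hash is listed in dbx."""
    return authenticode_sha256_hex.lower() in parse_dbx_sha256(dbx_blob)

def build_sha256_list(hex_hashes) -> bytes:
    """Constructed test helper: encode hashes as one SHA-256 EFI_SIGNATURE_LIST."""
    body = b"".join(b"\x00" * 16 + bytes.fromhex(h) for h in hex_hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", LIST_HDR + len(body), 0, SHA256_ENTRY) + body

# Constructed sample data: one revoked hash, one unrelated hash, and a dummy
# X.509 list (owner GUID + 4 placeholder bytes) that the parser must skip.
REVOKED_HASH = hashlib.sha256(b"constructed: vulnerable bootloader").hexdigest()
OTHER_HASH = hashlib.sha256(b"constructed: unrelated binary").hexdigest()
X509_LIST = (EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", LIST_HDR + 20, 0, 20)
             + b"\x00" * 16 + b"\x30\x82\x00\x00")
SAMPLE_DBX = X509_LIST + build_sha256_list([REVOKED_HASH])
```

On Windows the live variable can be read with `Get-SecureBootUEFI -Name dbx` and its `Bytes` property passed to `parse_dbx_sha256`.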
It is designed to turn off security mechanisms such as BitLocker, Hypervisor-protected Code Integrity (HVCI) and Windows Defender, as well as to drop kernel drivers and an HTTP downloader that communicates with command-and-control (C2) servers to fetch additional user-mode or kernel-mode malware.
The exact technique used to deploy the bootkit is still unknown, but it starts with an installer component responsible for writing files to the EFI system partition, disabling HVCI and BitLocker, and rebooting the host.
Following the reboot, CVE-2022-21894 is exploited, persistence is achieved, and the bootkit is installed. The bootkit then runs automatically on every boot to deploy the kernel driver.
The driver is responsible for launching a user-mode HTTP downloader and executing the next stage kernel-mode payload, the latter being able to execute commands received from the C2 server over HTTPS.
This includes downloading and running kernel drivers, DLLs, or regular executables. It can also fetch bootkit updates and uninstall the bootkit from infected systems.
“In the last few years, many critical vulnerabilities have been discovered that affect the security of UEFI systems,” said Smolár. “Unfortunately, due to the complexity of the entire UEFI ecosystem and the associated supply chain issues, many of these vulnerabilities have prevented many systems from working since the vulnerabilities were fixed, or at least even after they were reportedly fixed. It leaves us vulnerable.”
“It was only a matter of time before someone took advantage of these failures to create a UEFI bootkit that would work on systems with UEFI Secure Boot enabled.”