BlackLotus malware hijacks secure Windows boot process


Microsoft's failure to patch UEFI vulnerabilities discovered in recent years has finally come back to haunt them. The failures haven't gone unnoticed by threat actors, who have used them to create the first-in-the-wild UEFI malware designed to bypass a fully updated UEFI system. The bootkit, known as BlackLotus, was first discovered in late 2022 when it was advertised on the Dark Web forum and sold for $5000, with a possible updated version costing $200. The Unified Extensible Firmware Interface (UEFI) is a low-level and complex chain of firmware responsible for booting every modern computer and, if compromised, could expose the computer system to attack.

The attack pattern of the BlackLotus bootkit, as explained by ESET malware researchers, begins with the execution of an installer that deploys the bootkit file to the EFI system partition, disables HVCI and BitLocker protections, and reboots the host. The installers can work in both offline and online states. The only difference is how they obtain legitimate but vulnerable Windows binaries that are later used to bypass Secure Boot. The offline version has Windows binaries embedded in the installer, while the online version has Windows binaries downloaded directly from the Microsoft symbol store. With an on-disk size of 80kb. The BlackLotus malware includes various anti-VM (anti-virtual machine), anti-debug and obfuscation techniques to make it more difficult to replicate or analyse.

BlackLotus is not the first UEFI malware. Researchers have discovered other UEFI malware, including rootkits or firmware implants, from 2013 to the present. UEFI malware such as the LoJax UEFI Rootkit, Finspy, ESPecter, MoonBounce, MosaicRegressor Rootkit, and the CosmicStrand/Spy Shadow Trojan had features similar to BlackLotus, but none were able to bypass Secure Boot.

Jean-lan Boutin, ESET's director of threat research, said in an email: "The ultimate takeaway is that the BlackLotus UEFI bootkit is able to install itself on a current system using the latest version of Windows with secure boot enabled. Even though the vulnerability is old, it is still possible to use it to bypass all security measures and compromise a system's boot process, giving the attacker control over the early stages of system startup. It also illustrates a trend where attackers are focusing on the EFI System Partition (ESP) rather than the firmware for their implants - sacrificing stealth for ease of deployment, but allowing a similar level of capability".

The number of systems infected with BlackLotus cannot be determined, and the only temporary preventative measure is to ensure that all available OS and application patches have been installed, as this will make it harder for the installer to gain the administrative rights it needs. Microsoft officially wrote in a statement, "This technique (to exploit CVE-2022-21894) requires administrative access for remote attacks or physical access for local attacks. We continue to investigate and will do what is necessary to protect our customers".