2023-03-03

A bootkit “invisible to radar” (that is, to antivirus products) thanks to the Unified Extensible Firmware Interface (UEFI), called BlackLotus, has become the first publicly known malware capable of bypassing the defenses of Windows 11 Secure Boot, making it a potent threat in the cyber landscape.

BlackLotus: when Secure Boot, perhaps, is not enough

“This bootkit can also work on fully updated Windows 11 systems with UEFI Secure Boot enabled”, Slovak cybersecurity company ESET declared in a report.

UEFI bootkits are implanted in system firmware and therefore gain full control over the operating system's boot process, which lets them disable OS-level security mechanisms and deploy arbitrary payloads during boot with elevated privileges.

Offered for sale for $5,000 (and $200 for each subsequent new version), the powerful toolkit is written in assembly and C and is 80 kilobytes in size; it also has geofencing capabilities to avoid infecting computers and other devices in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia and Ukraine.

Details about BlackLotus first emerged in October 2022, when Kaspersky security researcher Sergey Lozhkin described it as a sophisticated crimeware solution.

“This represents a bit of a ‘leap’ forward, in terms of ease of use, scalability, accessibility and most importantly, the potential for much more impact in the form of persistence, evasion and/or destruction”, said Scott Scheferman of Eclypsium.

Basically, BlackLotus exploits a security vulnerability tracked as CVE-2022-21894 (also known as Baton Drop) to bypass UEFI Secure Boot protections and establish persistence; the vulnerability was fixed by Microsoft as part of the January 2022 Patch Tuesday update.

Exploiting the vulnerability, according to ESET, allows malicious code to run during the early stages of boot, letting an attacker perform malicious actions on a system with UEFI Secure Boot enabled without having physical access to it.

“This is the first publicly known abuse of this vulnerability”, said ESET researcher Martin Smolár. “Its exploitation is still possible since the affected and validly signed binaries have not yet been added to the list of UEFI revocations”.

“BlackLotus takes advantage of this, bringing its own copies of legitimate, but vulnerable binaries to the system to exploit the vulnerability”, effectively paving the way for Bring Your Own Vulnerable Driver (BYOVD) attacks.
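The two quotes above hinge on one defensive fact: whether a signed-but-vulnerable boot binary can still load depends on whether its hash has been added to the firmware's revocation list (the UEFI `dbx` variable). The check below is an added example, not code from the article or from ESET: it parses the `EFI_SIGNATURE_LIST` layout the UEFI specification uses for `dbx` and reports whether a given SHA-256 hash is revoked. The `dbx` blob, the owner GUID and the hashes it contains are constructed here for the example and are not real revoked binaries.

```python
"""Parse a UEFI 'dbx' (forbidden signatures) blob and check whether a
SHA-256 hash is revoked.

Added example: the dbx blob below is synthetic, built in this script from
the EFI_SIGNATURE_LIST layout in the UEFI specification. The owner GUID and
the hashes are constructed placeholders, not real revoked boot binaries.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (16-byte GUID), SignatureListSize,
# SignatureHeaderSize, SignatureSize (three little-endian UINT32).
HEADER_LEN = 28


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner_guid, signature_data) for every entry in a
    concatenation of EFI_SIGNATURE_LIST structures, validating each length
    field so a truncated or malformed blob raises instead of misparsing."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16:  # every entry starts with a 16-byte owner GUID
            raise ValueError("bad SignatureSize")
        body_start = off + HEADER_LEN + hdr_size
        body_end = off + list_size
        if body_start > body_end or (body_end - body_start) % sig_size:
            raise ValueError("signature data is not a multiple of SignatureSize")
        for pos in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
        off += list_size


def revoked_sha256_hashes(blob: bytes) -> set:
    """Return the set of hex SHA-256 hashes in the blob; X.509 entries and
    other signature types are skipped because they are not hash entries."""
    return {data.hex() for sig_type, _, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, sha256_hex: str) -> bool:
    """True if the given hash appears in a SHA-256 list of the blob."""
    return sha256_hex.lower() in revoked_sha256_hashes(blob)


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, entries) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST (used here only to build the sample);
    all entries in a list must be the same size, as the format requires."""
    entries = list(entries)
    sig_size = 16 + len(entries[0])
    if any(len(e) != len(entries[0]) for e in entries):
        raise ValueError("entries in one list must have equal size")
    out = sig_type.bytes_le + struct.pack("<III", HEADER_LEN + sig_size * len(entries), 0, sig_size)
    for entry in entries:
        out += owner.bytes_le + entry
    return out


# Constructed sample data (placeholders, not real revocations).
OWNER = uuid.UUID("00000000-1111-2222-3333-444444444444")
REVOKED = [hashlib.sha256(b"constructed-bootloader-A").hexdigest(),
           hashlib.sha256(b"constructed-bootloader-B").hexdigest()]
NOT_REVOKED = hashlib.sha256(b"constructed-bootloader-C").hexdigest()
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [bytes.fromhex(h) for h in REVOKED])
    + build_signature_list(EFI_CERT_X509_GUID, OWNER, [b"\x30\x03\x02\x01\x00"])  # dummy DER
)

if __name__ == "__main__":
    for h in REVOKED + [NOT_REVOKED]:
        print(h[:16], "revoked" if is_revoked(SAMPLE_DBX, h) else "NOT revoked")
```

To run this against a real machine, feed it the raw variable contents: on Windows, `(Get-SecureBootUEFI -Name dbx).Bytes`; on Linux, the file `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` after dropping its 4-byte attribute prefix. Note that the hashes stored in `dbx` for PE images are Authenticode hashes of the image, not a plain SHA-256 of the file bytes, so compute them accordingly before looking them up.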

In addition to being able to disable security mechanisms such as BitLocker, HVCI (Hypervisor-protected Code Integrity) and even Windows Defender, BlackLotus is also designed to drop a kernel driver and an HTTP downloader that communicates with a command-and-control (C2) server to fetch additional user-mode or kernel-mode malware.

Exactly how the bootkit is distributed is still unknown, but what is known is that the attack starts with an installer component responsible for writing files to the EFI system partition, disabling HVCI and BitLocker, and then restarting the host.

The reboot is followed by exploitation of the CVE-2022-21894 vulnerability to achieve persistence and install the bootkit, after which the bootkit runs automatically on every system boot to deploy the kernel driver.

The driver is responsible for launching the user-mode HTTP downloader and executing the next-stage kernel-mode payloads, while the downloader is capable of executing commands received from the C2 server over HTTPS.

These commands include downloading and running a kernel driver, a DLL, or a regular executable (.exe), and possibly an .msi file as well; BlackLotus is also able to fetch bootkit updates and even uninstall the bootkit from the infected system.

“In recent years, many critical vulnerabilities have been discovered affecting the security of UEFI systems”, said Smolár. “Unfortunately, due to the complexity of the entire UEFI ecosystem and related issues with the supply chain, many of these vulnerabilities have left many systems vulnerable even long after the vulnerabilities have been fixed, or at least after we were told they were fixed”.

He then concluded by arguing: “It was only a matter of time before someone took advantage of these failures and created a UEFI bootkit capable of running on systems with UEFI Secure Boot enabled.”