A stealthy Unified Extensible Firmware Interface (UEFI) bootkit referred to as BlackLotus has become the first publicly known malware capable of bypassing Secure Boot defenses, making it a potent threat in the cyber landscape.
“This bootkit can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled,” Slovak cybersecurity firm ESET said in a report shared with The Hacker News.
UEFI bootkits are deployed in the system firmware and allow full control over the operating system (OS) boot process, thereby making it possible to disable OS-level security mechanisms and deploy arbitrary payloads during startup with high privileges.
Offered for sale at $5,000 (and $200 per new subsequent version), the powerful and persistent toolkit is programmed in Assembly and C and is 80 kilobytes in size. It also features geofencing capabilities to avoid infecting computers in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, and Ukraine.
Details about BlackLotus first emerged in October 2022, with Kaspersky security researcher Sergey Lozhkin describing it as a sophisticated crimeware solution.
“This represents a bit of a ‘leap’ forward, in terms of ease of use, scalability, accessibility, and most importantly, the potential for much more impact in the forms of persistence, evasion, and/or destruction,” Eclypsium’s Scott Scheferman noted.
BlackLotus, in a nutshell, exploits a security flaw tracked as CVE-2022-21894 (aka Baton Drop) to get around UEFI Secure Boot protections and set up persistence. The vulnerability was addressed by Microsoft as part of its January 2022 Patch Tuesday update.
A successful exploitation of the vulnerability, according to ESET, allows arbitrary code execution during early boot phases, permitting a threat actor to carry out malicious actions on a system with UEFI Secure Boot enabled without having physical access to it.
“This is the first publicly known, in-the-wild abuse of this vulnerability,” ESET researcher Martin Smolár said. “Its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list.”
“BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability,” effectively paving the way for Bring Your Own Vulnerable Driver (BYOVD) attacks.
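The revocation list Smolár refers to is the Secure Boot `dbx` variable, a sequence of EFI_SIGNATURE_LIST structures. As an added defender's example (not code from ESET or The Hacker News), the parser below walks a raw `dbx` blob and checks whether a given SHA-256 hash of a boot binary is revoked; the GUIDs are the standard UEFI ones, the function names are this example's own, and the sample blob is constructed inline rather than taken from a real machine.

```python
import struct
import uuid
from typing import Iterator, List, Tuple

# Standard UEFI signature-type GUIDs (from the UEFI specification).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIGLIST_HDR = 28  # GUID(16) + SignatureListSize + SignatureHeaderSize + SignatureSize


def iter_signatures(blob: bytes) -> Iterator[Tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Yield (signature_type, owner, data) for every entry in a db/dbx blob.

    The blob is a back-to-back series of EFI_SIGNATURE_LIST structures; each
    carries SignatureSize-byte EFI_SIGNATURE_DATA entries (owner GUID + data).
    Malformed lengths raise ValueError rather than silently skipping entries.
    """
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIGLIST_HDR or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        body, end = off + SIGLIST_HDR + hdr_size, off + list_size
        if (end - body) % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        while body < end:
            owner = uuid.UUID(bytes_le=blob[body:body + 16])
            yield sig_type, owner, blob[body + 16:body + sig_size]
            body += sig_size
        off = end


def sha256_revoked(blob: bytes, digest_hex: str) -> bool:
    """True if the PE Authenticode SHA-256 hash (hex) appears as a dbx entry."""
    want = bytes.fromhex(digest_hex)
    return any(t == EFI_CERT_SHA256_GUID and d == want
               for t, _, d in iter_signatures(blob))


def build_sha256_list(digests: List[str]) -> bytes:
    """Constructed test data: pack hashes into one EFI_CERT_SHA256 signature list."""
    owner = uuid.UUID(int=0).bytes_le  # placeholder SignatureOwner GUID
    entries = b"".join(owner + bytes.fromhex(h) for h in digests)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", SIGLIST_HDR + len(entries), 0, 16 + 32)
    return header + entries
```

On a real host the raw bytes come from `(Get-SecureBootUEFI -Name dbx).Bytes` on Windows or, on Linux, from `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` after dropping its 4-byte attribute prefix; the hash to look up is the Authenticode digest of the boot loader you want to confirm is blocked.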
Besides being equipped to turn off security mechanisms like BitLocker, Hypervisor-protected Code Integrity (HVCI), and Windows Defender, it is also engineered to drop a kernel driver and an HTTP downloader that communicates with a command-and-control (C2) server to retrieve additional user-mode or kernel-mode malware.
The exact modus operandi used to deploy the bootkit is unknown as yet, but it starts with an installer component that is responsible for writing the files to the EFI system partition, disabling HVCI and BitLocker, and then rebooting the host.
The restart is followed by the weaponization of CVE-2022-21894 to achieve persistence and install the bootkit, after which it is automatically executed on every system start to deploy the kernel driver.
While the driver is tasked with launching the user-mode HTTP downloader and running next-stage kernel-mode payloads, the latter is capable of executing commands received from the C2 server over HTTPS.
This includes downloading and executing a kernel driver, DLL, or a regular executable; fetching bootkit updates, and even uninstalling the bootkit from the infected system.
“Many critical vulnerabilities affecting security of UEFI systems have been discovered in the last few years,” Smolár said. “Unfortunately, due to the complexity of the whole UEFI ecosystem and related supply-chain problems, many of those vulnerabilities have left many systems vulnerable even a long time after the vulnerabilities have been fixed – or at least after we were told they were fixed.”
“It was just a matter of time before someone would take advantage of these failures and create a UEFI bootkit capable of running on systems with UEFI Secure Boot enabled.”