Researchers found BlackLotus uses an old vulnerability and can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled.

Credit: Solarseven / Getty Images

A Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus has been found to be capable of bypassing an essential platform security feature, UEFI Secure Boot, according to researchers from Slovakia-based cybersecurity firm ESET. BlackLotus uses an old vulnerability and can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled, the researchers found.

UEFI Secure Boot is a feature of the UEFI firmware, the successor to the traditional BIOS (Basic Input/Output System) firmware found on older computers. Secure Boot is designed to ensure that the system boots only with trusted software and firmware. A bootkit, on the other hand, is malware that infects the boot process of a computer.

BlackLotus has been advertised and sold on underground forums for $5,000 since at least early October 2022, ESET said in a press statement. “We can now present evidence that the bootkit is real, and the advertisement is not merely a scam,” Martin Smolár, the ESET researcher who led the investigation into the bootkit, said in the press statement.

BlackLotus uses old vulnerability

BlackLotus takes advantage of a vulnerability that has been present for over a year (known as CVE-2022-21894) to bypass UEFI Secure Boot and establish persistence for the bootkit. This is the first known instance of this vulnerability being publicly exploited in the wild.
Despite Microsoft releasing a fix for the vulnerability in January 2022, BlackLotus is still capable of exploiting it, enabling attackers to disable operating system security measures including BitLocker, HVCI, and Windows Defender. The bootkit can still exploit the vulnerability after the January fix because the validly signed, vulnerable binaries have not yet been added to the UEFI revocation list (DBX), the mechanism by which UEFI revokes the digital certificates or hashes of drivers and boot loaders it will no longer trust. Due to the complexity of the whole UEFI ecosystem and related supply-chain problems, many UEFI vulnerabilities have left systems exposed long after the vulnerabilities were fixed, according to ESET.

Bootkit deploys payload with kernel hack

The primary objective of BlackLotus, once installed, is to deploy a kernel driver that protects the bootkit against attempts to remove it. It also deploys an HTTP downloader that communicates with the command-and-control server and can load further user-mode or kernel-mode payloads.

“Our investigation started with a few hits on what turned out to be (with a high level of confidence) the BlackLotus user-mode component — an HTTP downloader — in our telemetry late in 2022,” Smolár said. “After an initial assessment, code patterns found in the samples brought us to the discovery of six BlackLotus installers. This allowed us to explore the whole execution chain and to realize that what we were dealing with here is not just regular malware.”

Certain BlackLotus installers analyzed by ESET refrain from installing the bootkit if the affected host uses regional settings associated with Armenia, Belarus, Kazakhstan, Moldova, Russia, or Ukraine.
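The revocation-list point above is the one a defender can verify locally: the DBX variable is a concatenation of EFI_SIGNATURE_LIST structures, and a signed boot component is only refused once its certificate or image hash appears in one of those lists. The following added example (not ESET's or Microsoft's code, and not part of the original article) implements a parser for that structure from the UEFI specification and checks whether a given SHA-256 digest is present. The sample DBX blob, the entry hashes, and the stand-in X.509 bytes are constructed inline for the demonstration; the GUIDs are the real EFI_CERT_SHA256_GUID and EFI_CERT_X509_GUID values from the specification.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (16-byte GUID), SignatureListSize,
# SignatureHeaderSize, SignatureSize (three little-endian UINT32s).
_LIST_HDR_LEN = 28
# Each EFI_SIGNATURE_DATA entry starts with a 16-byte SignatureOwner GUID.
_OWNER_LEN = 16


def build_signature_list(sig_type, entries, owner=uuid.UUID(int=0)):
    """Serialize one EFI_SIGNATURE_LIST holding the given SignatureData blobs."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("a list needs >= 1 entry and all entries must share one size")
    sig_size = _OWNER_LEN + sizes.pop()
    header_size = 0  # no SignatureHeader for SHA256 or X509 lists
    list_size = _LIST_HDR_LEN + header_size + sig_size * len(entries)
    out = sig_type.bytes_le + struct.pack("<III", list_size, header_size, sig_size)
    for data in entries:
        out += owner.bytes_le + data
    return out


def parse_signature_lists(blob):
    """Yield (signature_type, owner, signature_data) for every entry in a db/dbx blob.

    Raises ValueError on a truncated or self-inconsistent structure rather than
    silently returning a partial list, so a bad read cannot look like 'nothing revoked'.
    """
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < _LIST_HDR_LEN + header_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        if sig_size <= _OWNER_LEN:
            raise ValueError("bad SignatureSize")
        body_start = off + _LIST_HDR_LEN + header_size
        body_end = off + list_size
        if (body_end - body_start) % sig_size:
            raise ValueError("signature body is not a multiple of SignatureSize")
        for pos in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + _OWNER_LEN])
            yield sig_type, owner, blob[pos + _OWNER_LEN:pos + sig_size]
        off = body_end


def revoked_sha256_hashes(blob):
    """Return the set of hex SHA-256 digests carried by EFI_CERT_SHA256 entries."""
    return {data.hex() for t, _, data in parse_signature_lists(blob)
            if t == EFI_CERT_SHA256_GUID}


def is_hash_revoked(blob, hex_digest):
    """True if the given digest (as it appears in DBX) is in any SHA256 list."""
    return hex_digest.lower() in revoked_sha256_hashes(blob)


# Constructed demo entries. NOTE: real DBX entries for PE boot binaries hold the
# Authenticode image hash (which skips the checksum and certificate table), not a
# flat hash of the file, so these stand-ins are only placeholders for the format.
DEMO_REVOKED_HASHES = [
    hashlib.sha256(b"constructed-bootloader-A").hexdigest(),
    hashlib.sha256(b"constructed-bootloader-B").hexdigest(),
]


def build_demo_dbx():
    """A constructed DBX blob: one SHA256 list with two entries, one X509 list."""
    sha_list = build_signature_list(
        EFI_CERT_SHA256_GUID, [bytes.fromhex(h) for h in DEMO_REVOKED_HASHES])
    # Stand-in for a DER certificate; only the framing matters for the parser.
    x509_list = build_signature_list(EFI_CERT_X509_GUID, [b"\x30\x03\x02\x01\x01"])
    return sha_list + x509_list


def summarize(blob):
    """Count entries per signature type, the way a defender would eyeball a DBX."""
    counts = {}
    for sig_type, _, _ in parse_signature_lists(blob):
        counts[str(sig_type)] = counts.get(str(sig_type), 0) + 1
    return counts


if __name__ == "__main__":
    dbx = build_demo_dbx()
    print("entries per type:", summarize(dbx))
    print("A revoked?", is_hash_revoked(dbx, DEMO_REVOKED_HASHES[0]))
    print("unknown revoked?", is_hash_revoked(dbx, "00" * 32))
```

To run this against a live machine, feed `parse_signature_lists` the raw variable contents: on Windows, `(Get-SecureBootUEFI -Name dbx).Bytes` from an elevated PowerShell; on Linux, the file `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` after stripping its 4-byte attributes prefix. The parser deliberately fails closed on malformed input, since a silently empty result would be indistinguishable from "nothing has been revoked".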
“The low number of BlackLotus samples we have been able to obtain, both from public sources and our telemetry, leads us to believe that not many threat actors have started using it yet,” Smolár said. “We are concerned that things will change rapidly should this bootkit get into the hands of crimeware groups, based on the bootkit’s easy deployment and crimeware groups’ capabilities for spreading malware using their botnets.”

The ESET research team recommends keeping systems and their security products up to date to raise the chance that a threat is stopped right at the beginning, before it is able to achieve pre-OS persistence.