A Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus is found to be capable of bypassing an essential platform security feature, UEFI Secure Boot, according to researchers from Slovakia-based cybersecurity firm ESET.

BlackLotus uses an old vulnerability and can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled, the researchers found.

UEFI Secure Boot is a feature of the UEFI firmware, which is a successor to the traditional BIOS (Basic Input/Output System) firmware found on older computers. Secure Boot is designed to ensure that the system boots only with trusted software and firmware. Bootkit on the other hand is a malware that infects the boot process of a computer.

BlackLotus has been advertised and sold on underground forums for $5,000 since at least early October 2022, ESET said in a press statement.

“We can now present evidence that the bootkit is real, and the advertisement is not merely a scam,” Martin Smolár, the ESET researcher who led the investigation into the bootkit, said in the press statement.

BlackLotus uses old vulnerability

BlackLotus takes advantage of a vulnerability that has been present for over a year (known as CVE-2022-21894) to bypass UEFI Secure Boot and establish persistence for the bootkit. This represents the initial instance of this vulnerability being publicly exploited in a real-world situation.

Despite Microsoft releasing a fix for the vulnerability in January 2022, BlackLotus is capable of exploiting it and enabling attackers to disable security measures of the operating system, including BitLocker, HVCI, and Windows Defender.

The bootkit has been able to still exploit the vulnerability post January fix because the validly signed binaries have still not been added to the UEFI revocation list, the mechanism to revoke the digital certificates of UEFI drivers.

Due to the complexity of the whole UEFI ecosystem and related supply-chain problems, many of the UEFI vulnerabilities have left systems vulnerable even a long time after the vulnerabilities have been fixed, according to ESET.

Bootkit deploys payload with kernel hack

The primary objective of BlackLotus, after it has been installed, is to initiate the deployment of a kernel driver, which serves to safeguard the bootkit against any attempts to eliminate it. It also deploys an HTTP downloader that enables communication with the Command and Control server and has the ability to load further user-mode or kernel-mode payloads.

“Our investigation started with a few hits on what turned out to be (with a high level of confidence) the BlackLotus user-mode component — an HTTP downloader — in our telemetry late in 2022,” Smolár said. “After an initial assessment, code patterns found in the samples brought us to the discovery of six BlackLotus installers. This allowed us to explore the whole execution chain and to realize that what we were dealing with here is not just regular malware.”

Certain BlackLotus installation packages, as analyzed by ESET, refrain from carrying out the installation of the bootkit in case the affected host employs regional settings associated with Armenia, Belarus, Kazakhstan, Moldova, Russia, or Ukraine.

“The low number of BlackLotus samples we have been able to obtain, both from public sources and our telemetry, leads us to believe that not many threat actors have started using it yet,” Smolar said. “We are concerned that things will change rapidly should this bootkit get into the hands of crimeware groups, based on the bootkit’s easy deployment and crimeware groups’ capabilities for spreading malware using their botnets.”

The ESET research team recommends keeping systems and its security products up to date to raise the chance that a threat will be stopped right at the beginning, before it’s able to achieve pre-OS persistence.