The developers of the BlackLotus UEFI bootkit have improved the malware with Secure Boot bypass capabilities that allow it to infect even fully patched Windows 11 systems.
BlackLotus is the first public example of UEFI malware that can avoid the Secure Boot mechanism, thus being able to disable security protections that come with the operating system.
The malware can be used to impair the BitLocker data protection feature, Microsoft Defender Antivirus, and Hypervisor-protected Code Integrity (HVCI), also known as the Memory Integrity feature, which protects against attempts to exploit the Windows kernel.
The Unified Extensible Firmware Interface (UEFI) is the software that connects the operating system with the hardware that runs it.
It is low-level code that executes when the computer powers up and dictates the booting sequence before the operating system starts any of its routines.
BlackLotus commodity bootkit
The BlackLotus UEFI malware emerged last year, promoted on hacking forums with a feature set that makes it virtually invisible to antivirus agents installed on the compromised host.
The advertiser said that the malware takes only 80 KB after installation and that a license cost $5,000, although rebuilds were available for just $200.
In a report this week, security researchers at ESET confirmed that the malware functions exactly as advertised and that it can bypass the Secure Boot mechanism by leveraging a vulnerability from last year tracked as CVE-2022-21894.
More information about why the security updates for CVE-2022-21894 don’t block this malware is available below.
Their investigation started from an HTTP downloader that turned out to be the BlackLotus UEFI bootkit user-mode component, which communicates with the command and control (C2) server and can load other payloads (user/kernel-mode).
BlackLotus infection chain
ESET malware researcher Martin Smolár notes that the attack starts with executing an installer that deploys the bootkit’s files to the EFI system partition, disables the HVCI and BitLocker protections, and reboots the host.
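A read-only status check a defender can run against the three protections this installer tampers with, and a listing of the EFI system partition it writes to, as an added example that is not from the article or from ESET (it assumes an elevated PowerShell session on Windows 10/11 with the BitLocker module present and the drive letter S: free):

```powershell
# Added example (not from the article or ESET): report whether Secure Boot, HVCI and
# BitLocker are still enforced and list the .efi files on the EFI system partition so
# they can be compared against a baseline taken from a known-clean machine.
$findings = @()

# 1. Secure Boot state as reported by the firmware (throws on legacy BIOS systems).
try {
    if (-not (Confirm-SecureBootUEFI)) { $findings += 'Secure Boot is disabled' }
} catch {
    $findings += "Secure Boot state unavailable: $($_.Exception.Message)"
}

# 2. HVCI: the policy value in the registry and the running state reported by Device Guard.
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$policy  = (Get-ItemProperty -Path $hvciKey -ErrorAction SilentlyContinue).Enabled
$dg      = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
# SecurityServicesRunning contains 2 when HVCI is actually active.
$hvciRunning = $dg.SecurityServicesRunning -contains 2
if ($policy -ne 1 -or -not $hvciRunning) {
    $findings += "HVCI not enforced (policy=$policy, running=$hvciRunning)"
}

# 3. BitLocker: flag any volume whose protection is off or suspended.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "BitLocker protection is $($vol.ProtectionStatus) on $($vol.MountPoint)"
        }
    }
} else {
    $findings += 'BitLocker module not available on this edition'
}

# 4. EFI system partition: mount it on the assumed free drive letter S:, list every
# .efi binary with size and timestamp, then unmount it again.
$esp = 'S:'
mountvol $esp /S | Out-Null
try {
    Get-ChildItem -Path "$esp\EFI" -Recurse -File -Filter *.efi |
        Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
} finally {
    mountvol $esp /D | Out-Null
}

if ($findings.Count -eq 0) { 'No findings: Secure Boot, HVCI and BitLocker all report enabled.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Store the .efi listing from a clean build and diff each run against it; a changed hash or an extra binary under EFI\ is what this bootkit's ESP deployment would show up as.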
The attacker relies on legitimate binaries vulnerable to CVE-2022-21894 (Windows Hypervisor Loader, Windows Boot Manager, PE binaries) and their custom Boot Configuration Data (BCD).
Persistence on machines with UEFI Secure Boot enabled is achieved after the initial reboot by exploiting CVE-2022-21894 and enrolling the…
Full original article at BleepingComputer.