[German]Security researchers from ESET have discovered a malware in the wild that hijacks the UEFI and has been christened BlackLotus. BlackLotus is believed to be the first UEFI bootkit malware in the wild that can bypass Secure Boot on Windows 11. Malware can then also disable Defender or Bitlocker and HVCI in Windows. So much for the highly praised security with UEFI, Secure Boot & Co. under Windows 10/11.
Advertising
I just came across this issue on Twitter – ESET, for example, addressed it in this tweet as well as in this blog post.
Bypassing Secure Boot
ESET's security researchers have discovered a so-called bootkit that can be integrated into malware. This bootkit is able to bypass essential security features of UEFI Secure Boot. This security system is propagated by Microsoft and propagated by Windows 10 or Windows 11 and is now even required for certification. Even a fully up-to-date Windows 11 system with Secure Boot enabled poses no problem for the malware, the ESET authors write.
Based on the functionality of the bootkit and its individual features, the European IT security vendor's experts assume that it is a threat known as BlackLotus. The UEFI bootkit has been sold on hacker forums for $5,000 since October 2022.
First hints in 2022
"We got our first clues from hits in our telemetry in late 2022, which turned out to be a component of BlackLotus – an HTTP downloader. After an initial analysis, we discovered code patterns of six BlackLotus installers in the samples of those found. This allowed us to examine the entire execution chain and realize that we are not just dealing with normal malware here," said Martin Smolár, the ESET researcher who led the investigation of the bootkit.
Vulnerability is exploited
BlackLotus exploits a security vulnerability (CVE-2022-21894) that is more than a year old to bypass UEFI Secure Boot and permanently embed itself in the computer. This is the first known exploit of this vulnerability in the wild.
Advertising
Although the vulnerability was fixed with Microsoft's January 2022 update, its exploitation is still possible. The reason for this is that the affected, validly signed binaries have still not been added to the UEFI lock list. BlackLotus exploits this by putting its own copies of legitimate – but vulnerable – binaries on the system.
Wide range of possibilities
BlackLotus is capable of disabling operating system security mechanisms such as BitLocker, HVCI and Windows Defender. Once installed, the main goal of the malware is to install a kernel driver (which it protects from removal, among other things) and an HTTP downloader. The latter is responsible for communicating with the command-and-control server and can load additional payloads for user mode or kernel mode. Interestingly, some of the BlackLotus installers do not proceed with the bootkit installation if the compromised machine uses locales from Armenia, Belarus, Kazakhstan, Moldova, Russia or Ukraine.
BlackLotus has been advertised and sold on underground forums since at least early October 2022. "We have evidence that the bootkit is real and the advertising of it is not a scam," Smolár says. "The small number of BlackLotus samples we have received from both public sources and our telemetry leads us to believe that not many hackers have started using it yet. We fear that this will change quickly if this bootkit gets into the hands of crimeware groups. This is because it is easy to distribute and can be spread by these groups via botnets, for example." Details can be read in this ESET post.
What is a Bootkit?
UEFI bootkits are software modules that can manipulate the boot processes in UEFI and bypass security features. They pose a very powerful threat to Windows machines (works with Linux too, but Secure Boot targets Windows). Once the malware has gained full control over the operating system boot process, malicious routines can disable various operating system security mechanisms and introduce their own malicious programs in kernel or user mode in the early boot stages. Thus, they operate stealthily and with high privileges.
So far, only a few bootkits have been discovered in the wild and described publicly. Compared to firmware implants – such as LoJax, the first UEFI firmware implant in the wild discovered by ESET in 2018 – UEFI bootkits can lose their stealth because bootkits reside on an easily accessible FAT32 disk partition.
However, when run as a boot loader, they have almost the same capabilities without having to overcome multiple layers of security that protect against firmware implants. "The best tip is to keep the system and its security solution up to date. This way, you increase the chance that a potential threat will be stopped at the beginning, before it infiltrates the operating system," Smolár concludes.
What is UEFI?
UEFI stands for "Unified Extensible Firmware Interface" and describes the firmware of the motherboard. This is the interface between hardware and software during the boot process. An essential function of UEFI is that Secure Boot the computer. This is to prevent malware from getting onto the device. This is why bypassing this security feature is so dangerous.
