BlackLotus Archives – Gridinsoft Blog

Researchers Found BlackLotus UEFI Bootkit Sources on GitHub
https://gridinsoft.com/blogs/blacklotus-bootkit/
Mon, 17 Jul 2023 16:05:51 +0000

The source code for the BlackLotus UEFI bootkit, which was previously sold on the dark web for $5,000, has been discovered by Binarly analysts on GitHub. The researchers say the leaked sources are not entirely complete and contain mostly a rootkit and a bootkit to bypass Secure Boot.

What is BlackLotus bootkit?

BlackLotus was first spotted in October 2022. Its seller claimed that the bootkit had a built-in Secure Boot bypass, built-in Ring0/Kernel deletion protection, and also ran in recovery mode and safe mode. The malware is equipped with anti-virtualization, anti-debugging and obfuscation, which complicates its detection and analysis. Also, according to the seller, the security software cannot detect and destroy the bootkit, since it runs under the SYSTEM account inside a legitimate process.

BlackLotus darknet ad

In addition, BlackLotus is able to disable security mechanisms on target machines, including Hypervisor-Protected Code Integrity (HVCI) and Windows Defender, as well as bypass User Account Control (UAC). The payload has a size of 80 kilobytes, is written in assembler and C, and it can determine the geofence of the victim in order to avoid infecting machines in the CIS countries. Last year, the malware was offered for sale for $5,000, with each new version priced at another $200.

Later, the threat was studied by analysts from ESET. They confirmed that the bootkit easily bypasses Secure Boot and uses the Baton Drop vulnerability (CVE-2022-21894) from a year ago to gain a foothold in the system.

How does the exploit work?

It was highlighted that Microsoft fixed this issue back in January 2022, but attackers can still exploit it because the affected signed binaries were not added to the revocation list. According to analysts, BlackLotus is the first documented case of abuse of this vulnerability.

Later, Microsoft experts, during the analysis of devices compromised with BlackLotus, identified a number of features that make it possible to detect infection and described in detail possible indicators of compromise.

They also discovered that BlackLotus exploits another vulnerability, CVE-2023-24932, which is also related to bypassing Secure Boot protection. Although the bug was fixed in May of this year, this update was disabled by default, and Microsoft required Windows users to perform a very complicated manual installation of this fix.

Since the company warned that installing the patch incorrectly could leave Windows unable to start, with no way to restore it even from installation media, many people chose not to install the patches, leaving devices vulnerable to attacks.

BlackLotus UEFI Bootkit Leaked to GitHub

As Binarly experts now say, the BlackLotus source code was leaked to GitHub by a user under the nickname Yukari. He writes that the source code has been changed and no longer exploits the Baton Drop vulnerability. Instead, BlackLotus uses the bootlicker UEFI rootkit, which is based on the CosmicStrand, MoonBounce, and ESPecter UEFI APT rootkits.

BlackLotus Git Repository

“The source code leak is incomplete and mainly contains a rootkit and bootkit code to bypass Secure Boot,” Alex Matrosov, co-founder and head of Binarly, told Bleeping Computer.

He explains that the methods used in the bootkit are no longer new, but leaking the source code would allow attackers to easily combine the bootkit with new vulnerabilities, both known and unknown.

“Most of these tricks and techniques have been known for a long time and do not pose a significant danger. However, the fact that they can be combined with new exploits, as the creators of BlackLotus did, came as a surprise to the industry and showed the limitations of existing OS protections,” says Matrosov.

Since the BlackLotus UEFI Bootkit source code is now available to everyone, it is possible that with its help hackers will be able to create more powerful malware that can bypass existing and future measures to counter such threats.

Microsoft Told How to Detect the Installation of the BlackLotus UEFI Bootkit
https://gridinsoft.com/blogs/uefi-bootkit-blacklotus/
Fri, 14 Apr 2023 14:23:57 +0000

Microsoft has shared a guide to help organizations detect the installation of the BlackLotus UEFI bootkit that exploits the CVE-2022-21894 vulnerability. The company also explained how best to restore an infected system.

Let me remind you that we also wrote that Experts discovered ESPecter UEFI bootkit used for espionage.

Let me remind you that BlackLotus was first seen in October 2022. Its seller claimed that the bootkit had a built-in Secure Boot bypass, built-in Ring0/Kernel deletion protection, and also ran in recovery mode and safe mode.

It was reported that the malware is equipped with anti-virtualization, anti-debugging and obfuscation, which complicates its detection and analysis. Also, according to the seller, the security software cannot detect and destroy the bootkit, since it runs under the SYSTEM account inside a legitimate process.

In addition, BlackLotus is able to disable security mechanisms on target machines, including Hypervisor-Protected Code Integrity (HVCI) and Windows Defender, as well as bypass User Account Control (UAC).

Black Lotus has a size of 80 kilobytes, is written in assembler and C, and can determine the geofence of the victim in order to avoid infecting machines in the CIS countries. Last year, the malware was offered for sale for $5,000, with each new version priced at another $200.

Later, the threat was studied by analysts from ESET. They confirmed that the bootkit easily bypasses Secure Boot and uses the CVE-2022-21894 vulnerability from a year ago to gain a foothold in the system.

It was highlighted that Microsoft fixed this issue back in January 2022, but attackers can still exploit it because the affected signed binaries were not added to the UEFI revocation list. According to analysts, BlackLotus is the first documented case of abuse of this vulnerability.

As Microsoft experts now say, during the analysis of devices compromised with BlackLotus, they identified a number of features that make it possible to detect infection. The researchers say defenders can look for signs of a BlackLotus installation in the following locations:

  1. newly created and locked bootloader files;
  2. the presence of an intermediate directory used during the installation of BlackLotus, in the EFI System Partition (ESP);
  3. changes to the Hypervisor-protected Code Integrity (HVCI) registry key;
  4. network logs;
  5. boot configuration logs.

Registry changes

“It is very important to note that the use of this bootkit by attackers is primarily an evasion and preservation mechanism. This is not a first-stage payload or initial access vector; the bootkit can only be deployed on a device to which the attacker has already gained either privileged or physical access,” Microsoft said in a statement.

Analysts write that BlackLotus locks the files it writes to the EFI System Partition (ESP), making them inaccessible. However, their names, creation times, and the error messages received when trying to access them should indicate the presence of a bootkit, as should a custom directory (/system32/) that is created during installation and not deleted afterwards.

Timestamps for BlackLotus Boot Files

“If recently modified and locked files are found in the device’s ESP, especially those that match known BlackLotus bootloader filenames, they should be considered highly suspicious. The device should be removed from the network to check for additional evidence of the presence of BlackLotus or follow-up actions after infection,” Microsoft notes.

Defenders can also detect bootkit-related registry changes, log entries created when BlackLotus disables Microsoft Defender or adds components to the boot cycle, and a persistent outgoing network connection from winlogon.exe on port 80, which also indicates an infection.
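The file-level checks described above (an unexpected system32 directory on the ESP, recently modified files, and files that return an error on access) can be scripted against a mounted ESP. The following is an added example, not Microsoft's or Gridinsoft's tooling; the 30-day window, the placement of system32 at the ESP root, and the sample file names are assumptions made for illustration.

```python
import os
import time
from pathlib import Path

STAGING_DIR = "system32"  # name from the article; location at the ESP root is assumed


def triage_esp(esp_root, now=None, recent_days=30):
    """Walk a mounted ESP and collect the file-level signs listed in the article."""
    root = Path(esp_root)
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    findings = {"staging_dir": False, "recent": [], "unreadable": []}

    # Leftover installation directory (FAT names are case-insensitive).
    findings["staging_dir"] = any(
        p.is_dir() and p.name.lower() == STAGING_DIR for p in root.iterdir()
    )

    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            try:
                # Recently written boot files are worth a closer look.
                if path.stat().st_mtime >= cutoff:
                    findings["recent"].append(rel)
                # Locked files fail on access; keep the error text as evidence.
                with open(path, "rb") as fh:
                    fh.read(1)
            except OSError as exc:
                findings["unreadable"].append((rel, exc.strerror or str(exc)))
    findings["recent"].sort()
    return findings


def build_sample(base):
    """Constructed sample tree: one old boot file, one fresh file, a staging dir."""
    base = Path(base)
    boot = base / "EFI" / "Microsoft" / "Boot"
    boot.mkdir(parents=True)
    (base / "System32").mkdir()
    old, fresh = boot / "bootmgfw.efi", boot / "sample_new.efi"
    old.write_bytes(b"MZ")
    fresh.write_bytes(b"MZ")
    year_ago = time.time() - 365 * 86400
    os.utime(old, (year_ago, year_ago))  # backdate the legitimate-looking file
    return base
```

A hit from this script is a reason to isolate the device and investigate further, not proof of infection: firmware or OS updates also modify ESP files.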

To clean up a machine previously infected with BlackLotus, experts recommend isolating it from the network, reformatting and installing a clean OS with an EFI partition, or restoring the system from a clean backup with an EFI partition.

To avoid being infected by BlackLotus or other malware that exploits the CVE-2022-21894 vulnerability, Microsoft recommends that organizations be mindful of the principle of least privilege and maintain credential hygiene.

“Avoid using service accounts at the domain and administrator levels. Restricting local administrator privileges can help prevent the installation of Remote Access Trojans (RATs) and other unwanted applications,” Microsoft says.

BlackLotus UEFI Bootkit Bypasses Protection even in Windows 11
https://gridinsoft.com/blogs/blacklotus-uefi-bootkit/
Mon, 06 Mar 2023 15:00:11 +0000

ESET experts reported that the BlackLotus UEFI bootkit, which is sold on hacker forums for about $5,000, is indeed capable of bypassing Secure Boot protection.

According to researchers, the malware poses a threat even to fully updated machines running Windows 11 with UEFI Secure Boot enabled.

Let me remind you that we also wrote that Experts discovered ESPecter UEFI bootkit used for espionage, and also that The expert told how he hacked into a nuclear power plant.

BlackLotus was first spotted in October 2022. Its seller claimed that the bootkit had a built-in Secure Boot bypass, built-in Ring0/Kernel deletion protection, and also ran in recovery mode and safe mode.

In addition, the seller claimed that the malware is equipped with anti-virtualization, anti-debugging and obfuscation, which complicates its detection and analysis. Also, according to his statements, the security software cannot detect and destroy the bootkit, since it runs under the SYSTEM account inside a legitimate process.

In addition, Black Lotus is allegedly capable of disabling security mechanisms on target machines, including Hypervisor-Protected Code Integrity (HVCI) and Windows Defender, as well as bypassing User Account Control (UAC).

The experts who discovered it wrote that Black Lotus has a size of 80 kilobytes, is written in assembler and C, and can determine the geofence of the victim in order to avoid infecting machines in the CIS countries. The malware is offered for sale for $5,000, and each new version will cost another $200.

Let me remind you that at that time the experts allowed that all of the above features of Black Lotus might be nothing more than a publicity stunt, and that in reality the bootkit was far from being so dangerous. Unfortunately, these assumptions were not confirmed.

As ESET information security experts, who have been studying the malware since last fall, now report, rumors that the bootkit easily bypasses Secure Boot “have now become a reality”. According to them, the malware uses a year-old vulnerability CVE-2022-21894 to bypass Secure Boot and gain a foothold in the system.

Chronology from vulnerability to bootkit

Microsoft fixed this issue back in January 2022, but attackers can still exploit it because the affected signed binaries were not added to the UEFI revocation list. According to analysts, this is the first documented case of abuse of this vulnerability.

“Black Lotus takes advantage of this by adding its own copies of legitimate but vulnerable binaries to the system in order to exploit the vulnerability,” ESET explains.

Most likely, information security specialists mean attacks like BYOVD – bring your own vulnerable driver.

Even worse, the PoC exploit for this vulnerability has been available since August 2022, so other cybercriminals may soon take advantage of the problem.

The exact way the bootkit is deployed is still unclear, but the attack begins with the installer component, which is responsible for writing files to the EFI system partition, disabling HVCI and BitLocker, and then rebooting the host.

The researchers say that after exploiting CVE-2022-21894, Black Lotus disables protection mechanisms and deploys a kernel driver and an HTTP loader. The kernel driver, among other things, protects the bootkit files from deletion, while the HTTP loader communicates with the control server and executes the payload.

While the researchers do not link the malware to any particular hack group or government, they note that the Black Lotus installers they analyzed will not work if the infected computer is located in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, and Ukraine.
