ESET's analysis of the malware has shown that the BlackLotus bootkit may circumvent security safeguards on fully updated Windows 11 PCs and permanently infect them.
BlackLotus is a brand-new threat actor that first appeared on darknet forums in October 2022. For $5,000, it gives advanced persistent threat (APT) actors like cybercriminals access to capabilities that were once only available to nation-states.
The main danger posed by UEFI bootkits is well-known. By controlling the operating system's boot process, they can disable security safeguards and introduce kernel- or user-mode payloads while the machine is booting up, acting covertly and with elevated privileges.
ESET, which discovered BlackLotus for the first time in late 2022, has so far located six installers, allowing it to thoroughly examine the threat's execution chain and pinpoint the malware's primary capabilities.
BlackLotus has a wide range of evasion capabilities, including anti-debugging, anti-virtualization, and code obfuscation, as evidenced by early reports. It can also disable security measures like BitLocker, Hypervisor-protected Code Integrity (HVCI), and Windows Defender.
There is little that can be done to protect systems from attacks, even if the most recent patches have been installed, especially with proof-of-concept (PoC) exploit code being publicly available since August 2022, according to ESET, as the bootkit exploits a year-old vulnerability in Windows (tracked as CVE-2022-21894) to disable secure boot.
"Although the vulnerability was fixed in Microsoft’s January 2022 update, its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list. BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability,” ESET stated.
When BlackLotus is run on the machine, it installs a kernel driver to prevent removal, sets up the user-mode component, runs kernel payloads, and removes the bootkit. By safeguarding handles for the bootkit's files on the EFI System Partition and causing a Blue Screen Of Death if these handles are closed, removal is avoided.
Command-and-control (C&C) communication through HTTPS, command execution, and payload delivery are all handled by the user-mode component, an HTTP downloader. Under the context of the winlogon.exe process, the downloader is run by the SYSTEM account.
BlackLotus installers have been found both offline and online, and a typical attack begins with an installer distributing bootkit files to the ESP, turning off system safeguards, and rebooting the device.
Following the enrolment of the attackers' Machine Owner Key (MOK) to the MokList variable for persistence, CVE-2022-21894 is exploited to deactivate secure boot. The self-signed UEFI bootkit is used to deliver the kernel driver and user-mode payload on subsequent reboots (the HTTP downloader).
Additionally, the bootkit was found by ESET to rename the genuine Windows Boot Manager binary before replacing it. When the bootkit is told to remove itself, the renamed binary is used to start the operating system or to bring back the initial boot sequence.
Although BlackLotus is covert and equipped with a number of anti-removal safeguards, ESET thinks they have uncovered a flaw in the way the HTTP downloader transmits instructions to the kernel driver that would allow users to uninstall the bootkit.
According to ESET, "in the event that the HTTP downloader wishes to send a command to the kernel driver, it merely creates a named section, writes a command with associated data inside, and waits for the command to be processed by the driver by creating a named event and waiting until the driver triggers (or signals) it."
The kernel driver can be tricked into completely uninstalling the bootkit by creating the aforementioned named objects and sending the uninstall command. The kernel driver supports install and uninstall commands.
The bootkit would still be present on infected devices even though upgrading the UEFI revocation list would lessen the threat posed by BlackLotus. A new Windows installation and the deletion of the attackers' enrolled MOK key would be necessary in order to clear them.
"The low number of BlackLotus samples we have been able to obtain, both from public sources and our telemetry, leads us to believe that not many threat actors have started using it yet. But until the revocation of the vulnerable bootloaders that BlackLotus depends on happens, we are concerned that things will change rapidly should this bootkit get into the hands of the well-known crimeware groups,” ESET concluded.