ESET discovers BlackLotus bootkit that can bypass Secure Boot

Spread the love

Security company ESET has discovered a so-called uefi bootkit that makes it possible to bypass Secure Boot, even on modern Windows 11 systems. The BlackLotus bootkit uses a vulnerability that has been patched, but some binaries have not yet been committed.

ESET confirmed in a survey the existence of the boot kit, which is called BlackLotus. There were rumors last year that such malware was being sold on forums, but now ESET says it has also found and investigated the bootkit. BlackLotus is being sold on the dark web for $5,000.

The bootkit makes it possible to bypass Secure Boot in PC’s uefi. According to ESET, few vulnerabilities are required for this; you can do that even on a fully updated Windows 11 PC. The bootkit exploits a vulnerability that is now more than a year old, CVE-2022-21894a vulnerability that is also known as Baton Drop is called. Microsoft fixed that bug in January of 2022, but according to ESET, the BlackLotus bootkit can still exploit the vulnerability.

This is possible because not all affected binaries have yet been updated to the official uefi-revocation-list have been added. This allows BlackLotus to add its own binaries to the uefi, making them look like legitimate binaries. They are therefore not stopped by Secure Boot.

According to ESET, the bootkit can even gain persistence. If the binaries load successfully, the bootkit installs a kernel driver that establishes a connection to a command-and-control server. The bootkit can also disable other Windows security components, including Bitlocker, Windows Defender, and HVCI.

The bootkit is sold on forums, but it is not yet known how large the distribution is and what kind of targets the bootkit will be used against. There are some geofences in the installers; the bootkit will not install if the PC is set up as Romanian, Russian, Ukrainian, Belarusian, Armenian, and Kazakh.

You might also like
Exit mobile version