
BlackLotus UEFI bootkit can break into fully patched Windows 11 PCs

First noticed in October and priced at £4,000, it's the first bootkit of its kind capable of bypassing UEFI Secure Boot

Security researchers at ESET have published what they claim to be the first analysis of a UEFI bootkit seen in the wild, BlackLotus, that runs on fully patched Windows 11 PCs with UEFI Secure Boot enabled.

Online advertisements for BlackLotus were first noticed in October 2022, offering it for around $5,000 (£4,167). The latest version is the first known toolkit of its kind with the capability to bypass UEFI Secure Boot.

BlackLotus works by exploiting a vulnerability that is more than a year old, CVE-2022-21894. Microsoft fixed it in January 2022, but it remains exploitable because the vulnerable, validly signed bootloader binaries have not been added to the UEFI revocation list: the bootkit simply brings its own copies of the old, still-trusted binaries and Secure Boot loads them.

That list is the UEFI forbidden-signature database (DBX): hashes and certificates of binaries that were once permitted to boot but must no longer be loaded, even though their signatures still verify.

Such bootkits are normally stopped by UEFI Secure Boot, a firmware security feature that ensures only binaries carrying a signature the firmware trusts can be loaded during the boot process.

UEFI is the low-level firmware that has largely replaced the legacy BIOS. It initialises the PC's hardware and then hands control to the operating system (OS) bootloader.

That makes it a prized target: code running at this level decides what the computer loads next and can switch off security features before the OS has even started. Exploits for software running this low in the stack are nonetheless rare.

UEFI malware has been spotted sporadically over the last five years. One example is the LoJax firmware implant, which ESET documented in 2018.

A firmware implant like LoJax, which lives in the SPI flash, is stealthier than a bootkit stored on the EFI System Partition, ESET said, but bootkits like BlackLotus offer nearly the same capabilities without having to defeat SPI flash write protections or hardware protections such as Intel Boot Guard.

In addition to bypassing UEFI Secure Boot, BlackLotus is also capable of disabling security features like BitLocker, hypervisor-protected code integrity (HVCI), and Windows Defender.

Once deployed, BlackLotus carries out two key steps in every infection chain, said Martin Smolár, the ESET malware analyst who led the research.


It first installs a kernel driver that protects the bootkit's files from being removed, then an HTTP downloader that handles command-and-control (C2) communication between the infected machine and the attacker's server. That channel can be used, for example, to instruct the machine to fetch and run additional malicious payloads.

Some BlackLotus installers do not proceed with the installation if they detect the victim’s region to be in specific locales. 

These include Moldova (Romanian and Russian regions), Russia, Ukraine, Belarus, Armenia, and Kazakhstan.

“The low number of BlackLotus samples we have been able to obtain, both from public sources and our telemetry, leads us to believe that not many threat actors have started using it yet,” said Smolár. 

“But until the revocation of the vulnerable bootloaders that BlackLotus depends on happens, we are concerned that things will change rapidly should this bootkit get into the hands of the well-known crimeware groups, based on the bootkit’s easy deployment and crimeware groups’ capabilities for spreading malware using their botnets.”

After BlackLotus disables these security controls, it establishes persistence on the machine so that it survives shutdowns and re-executes every time the computer boots.

The individual or team behind the BlackLotus UEFI bootkit also deployed a number of measures to prevent security researchers from analysing the way it works. 

Anti-analysis techniques included string and data encryption, resolving Windows APIs only at runtime, encrypting its network communication with the C2 server, and anti-debugging tricks.

ESET listed a number of mitigations organisations can take to limit the potential impact of a UEFI bootkit like BlackLotus.

Keeping the OS and all security solutions up to date is important. The key to stopping BlackLotus from establishing a foothold is to revoke the known vulnerable UEFI binaries in the UEFI revocation database (DBX), so that the firmware refuses to load them regardless of their valid signatures.

ESET said this can be a long and difficult process because revoking broadly used Windows UEFI binaries can cause many systems and recovery images to become unbootable.
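Because the whole mitigation story turns on that revocation list, it helps to see what the DBX actually contains. The following is an added example (not ESET's code and not part of the article): a bounds-checked parser for the DBX format, which is a sequence of EFI_SIGNATURE_LIST structures as defined in the UEFI specification. Boot managers are revoked by EFI_CERT_SHA256 entries that hold the PE Authenticode SHA-256 hash of the image, not a plain hash of the file bytes. On a real Windows system the blob would be read with `Get-SecureBootUEFI -Name dbx`; here a sample blob is constructed inline (with made-up hashes and a fake X.509 entry) so the code runs offline, and a truncated blob is handled as malformed rather than trusted.

```c
/* Added example: parse the UEFI dbx (forbidden-signature database) and check
 * whether a given image hash is revoked. Not code from ESET or the article.
 * Layout per UEFI spec: EFI_SIGNATURE_LIST = SignatureType GUID (16 bytes),
 * SignatureListSize, SignatureHeaderSize, SignatureSize (UINT32 each), then
 * entries of EFI_SIGNATURE_DATA = SignatureOwner GUID (16 bytes) + data. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HDR 28          /* SignatureType GUID + three UINT32 size fields */
#define OWNER 16        /* EFI_SIGNATURE_DATA.SignatureOwner GUID */
#define SHA256_LEN 32

/* Real GUIDs from the spec, in their on-disk (mixed-endian) byte order. */
static const uint8_t CERT_SHA256_GUID[16] = {0x26,0x16,0xc4,0xc1,0x4c,0x50,0x92,0x40,
                                             0xac,0xa9,0x41,0xf9,0x36,0x93,0x43,0x28};
static const uint8_t CERT_X509_GUID[16]   = {0xa1,0x59,0xc0,0xa5,0xe4,0x94,0xa7,0x4a,
                                             0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

typedef void (*entry_cb)(const uint8_t *type, const uint8_t *data, size_t datalen, void *ctx);

/* Visit every signature entry in the blob. Returns the entry count, or -1 if the
 * blob is malformed; every size field is checked against the remaining buffer
 * before anything is read through it. */
long dbx_walk(const uint8_t *blob, size_t len, entry_cb cb, void *ctx) {
    long n = 0;
    for (size_t off = 0; off < len; ) {
        if (len - off < HDR) return -1;
        const uint8_t *h = blob + off;
        uint32_t list_size = rd32(h + 16), hdr_size = rd32(h + 20), sig_size = rd32(h + 24);
        if (list_size < HDR || list_size > len - off || hdr_size > list_size - HDR) return -1;
        size_t body = list_size - HDR - hdr_size;
        if (sig_size <= OWNER || body % sig_size != 0) return -1;
        const uint8_t *sig = h + HDR + hdr_size;
        for (size_t i = 0; i < body; i += sig_size, n++)
            cb(h, sig + i + OWNER, sig_size - OWNER, ctx);   /* skip SignatureOwner */
        off += list_size;
    }
    return n;
}

struct lookup { const uint8_t *hash; int found; };
static void match_sha256(const uint8_t *type, const uint8_t *data, size_t datalen, void *ctx) {
    struct lookup *l = ctx;
    if (!memcmp(type, CERT_SHA256_GUID, 16) && datalen == SHA256_LEN && !memcmp(data, l->hash, SHA256_LEN))
        l->found = 1;
}

/* 1 = image hash is revoked, 0 = not present, -1 = malformed dbx */
int dbx_revokes_sha256(const uint8_t *blob, size_t len, const uint8_t hash[SHA256_LEN]) {
    struct lookup l = { hash, 0 };
    return dbx_walk(blob, len, match_sha256, &l) < 0 ? -1 : l.found;
}

/* Serialise one EFI_SIGNATURE_LIST holding `count` entries of `datalen` bytes each. */
static size_t put_list(uint8_t *out, const uint8_t type[16], size_t count, const uint8_t *data, size_t datalen) {
    uint32_t sig_size = OWNER + (uint32_t)datalen, list_size = HDR + (uint32_t)(count * sig_size);
    memcpy(out, type, 16);
    wr32(out + 16, list_size); wr32(out + 20, 0); wr32(out + 24, sig_size);
    for (size_t i = 0; i < count; i++) {
        uint8_t *e = out + HDR + i * sig_size;
        memset(e, 0x11, OWNER);                      /* constructed SignatureOwner GUID */
        memcpy(e + OWNER, data + i * datalen, datalen);
    }
    return list_size;
}

/* Constructed sample dbx: an X.509 list (ignored by the hash lookup) followed by a
 * SHA-256 list revoking two made-up image hashes (all 0xAA and all 0xBB). */
size_t build_sample_dbx(uint8_t *out, size_t cap) {
    static const uint8_t fake_cert[20] = "not-a-real-x509-der";
    uint8_t hashes[2][SHA256_LEN];
    memset(hashes[0], 0xAA, SHA256_LEN);
    memset(hashes[1], 0xBB, SHA256_LEN);
    if (cap < HDR + OWNER + sizeof fake_cert + HDR + 2 * (OWNER + SHA256_LEN)) return 0;
    size_t n = put_list(out, CERT_X509_GUID, 1, fake_cert, sizeof fake_cert);
    return n + put_list(out + n, CERT_SHA256_GUID, 2, hashes[0], SHA256_LEN);
}

/* Look up an all-`fill` hash in the sample dbx, after cutting `cut` trailing bytes. */
int sample_revokes(uint8_t fill, size_t cut) {
    uint8_t blob[256], hash[SHA256_LEN];
    size_t len = build_sample_dbx(blob, sizeof blob);
    memset(hash, fill, SHA256_LEN);
    return dbx_revokes_sha256(blob, len - cut, hash);
}

/* Number of entries (of any type) in the sample dbx, or -1 if malformed. */
long sample_entry_count(void) {
    uint8_t blob[256];
    size_t len = build_sample_dbx(blob, sizeof blob);
    struct lookup probe = { blob, 0 };           /* dummy lookup; only the count matters */
    return dbx_walk(blob, len, match_sha256, &probe);
}

int main(void) {
    printf("sample dbx entries: %ld\n", sample_entry_count());
    printf("0xAA.. revoked: %d   0xCC.. revoked: %d   truncated blob: %d\n",
           sample_revokes(0xAA, 0), sample_revokes(0xCC, 0), sample_revokes(0xAA, 1));
    return 0;
}
```

Two practical points follow from the structure: a revocation only bites if the firmware's DBX actually carries the hash (or certificate) of the binary in question, which is why a "patched" OS can still boot an old, signed bootloader; and because the list is parsed by firmware, any tool that consumes it should refuse a blob whose size fields do not add up rather than silently reading past the end, as the truncated-blob case above shows.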

In cases where BlackLotus has already been installed, the safest method of remediation is to carry out a fresh OS install, ESET said.
