BlackLotus UEFI bootkit can break into fully patched Windows 11 PCs

Digital generated image of electronic circuit security padlock made out of numbers on black background.
(Image credit: Getty Images)

Security researchers at ESET have published what they claim to be the first analysis of a UEFI bootkit, BlackLotus, which is capable of exploiting fully patched Windows 11 PCs.

Online advertisements for BlackLotus were first noticed in October 2022, costing around $5,000 (£4,167) and the latest version is the first known toolkit of its kind that has the capability to bypass UEFI Secure Boot.

Black Lotus works by exploiting a vulnerability that’s more than a year old (CVE-2022-21894). It was originally fixed by Microsoft in January 2022 but remains exploitable because validly signed binaries haven’t been added to the UEFI revocation list.

This list is a set of revoked software signatures that were previously approved to run on booting systems.

Usually, such bootkits are stymied by UEFI Secure Boot - a firmware security feature that aims to ensure that only signed software signatures can be loaded during the boot process.

UEFI is low-level software that is gradually replacing BIOS. It’s responsible for starting the PC’s hardware before its operating system (OS) loads.

As a result, it’s a big target for hackers as it allows for total control over what the computer can load, and what security systems it can disable, for example, but exploits for software that runs at this low level are rare.

UEFI malware has been spotted sporadically over the course of the last five years. One example of these types of variants is the Lojax firmware implant.

Lojax is stealthier than typical UEFI bootkits, ESET said, but bootkits like BlackLotus offer nearly the same capabilities without having to break through SPI flash defences or hardware protections like Intel Boot Guard.

In addition to bypassing UEFI Secure Boot, BlackLotus is also capable of disabling security features like BitLocker, hypervisor-protected code integrity (HVCI), and Windows Defender.

When engaged, BlackLotus appears to execute two key processes in every infection chain, said Martin Smolár, malware analyst at ESET, who led the research.

RELATED RESOURCE

The near and far future of ransomware business models

What would make ransomware actors change their criminal business models?

FREE DOWNLOAD

It first aims to install a kernel driver to protect the bootkit from being uninstalled, and then an HTTP downloader to facilitate C2 communication between machine and attacker. This can be used to issue instructions to install additional malicious payloads, for example.

Some BlackLotus installers do not proceed with the installation if they detect the victim’s region to be in specific locales.

These include Moldova (Romanian and Russian regions), Russia, Ukraine, Belarus, Armenia, and Kazakhstan.

“The low number of BlackLotus samples we have been able to obtain, both from public sources and our telemetry, leads us to believe that not many threat actors have started using it yet,” said Smolár.

“But until the revocation of the vulnerable bootloaders that BlackLotus depends on happens, we are concerned that things will change rapidly should this bootkit gets into the hands of the well-known crimeware groups, based on the bootkit’s easy deployment and crimeware groups’ capabilities for spreading malware using their botnets.”

After BlackLotus disables security controls, it establishes persistence on a machine so it can remain after the computer shuts down and re-execute when it boots again.

The individual or team behind the BlackLotus UEFI bootkit also deployed a number of measures to prevent security researchers from analysing the way it works.

Anti-analysis techniques included string and data encryption, resolving Windows APIs exclusively during runtime, using encrypted communication over both the internet and between the C2 server, and anti-debugging tricks.

ESET listed a number of mitigations organisations can take to limit the potential impact of a UEFI bootloader like BlackLotus.

Keeping the OS and all security solutions up to date is important. The key to stopping BlackLoader from establishing a foothold would be to revoke known vulnerable UEFI binaries in the UEFI revocation database.

ESET said this can be a long and difficult process because revoking broadly used Windows UEFI binaries can cause many systems and recovery images to become unbootable.

In cases where BlackLotus has already been installed, the safest method of remediation is to carry out a fresh OS install, ESET said.

Connor Jones
Contributor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.