BlackLotus malware can bypass Secure Boot • The Register
BlackLotus, a UEFI bootkit that is sold on hacking forums for about $5,000, can now bypass Secure Boot, making it the first known malware to run on Windows systems even with the firmware security feature enabled.
Secure Boot is supposed to prevent devices from running unauthorized software on Microsoft machines. But by targeting UEFI, the BlackLotus malware loads before anything else in the boot process, including the operating system and any security tools that could stop it.
Kaspersky's lead security researcher Sergey Lozhkin first spotted BlackLotus being sold on cybercrime marketplaces back in October 2022, and security experts have been taking it apart piece by piece ever since.
In research published today, ESET malware analyst Martin Smolár says the myth of an in-the-wild bootkit bypassing Secure Boot "is now a reality," as opposed to the usual slew of fake adverts by criminals looking to scam their fellow miscreants.
The latest malware "is capable of running on even fully-up-to-date Windows 11 systems with UEFI Secure Boot enabled," he added.
BlackLotus exploits a more than one-year-old vulnerability, CVE-2022-21894, to bypass the Secure Boot process and establish persistence. Microsoft fixed this CVE in January 2022, but miscreants can still exploit it because the affected signed binaries haven't been added to the UEFI revocation list, Smolár noted.
"BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability," he wrote.
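The revocation list in question is the UEFI forbidden-signature database (DBX), a sequence of EFI_SIGNATURE_LIST structures; a defender can parse it to check whether a given boot binary's hash has actually been revoked. The Python below is an added example, not code from the article or from ESET: the DBX blob is constructed inline with placeholder hashes, and on a real Windows host the same bytes would be read from firmware (for instance via `Get-SecureBootUEFI -Name dbx`, whose use here is an assumption).

```python
"""Parse a UEFI DBX blob and test whether a PE image's SHA-256 is revoked."""
import struct
import uuid

# EFI_CERT_SHA256_GUID (UEFI spec): each entry in such a list is a 32-byte SHA-256.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
LIST_HEADER_LEN = 28      # SignatureType GUID + SignatureListSize/HeaderSize/Size
OWNER_GUID_LEN = 16       # EFI_SIGNATURE_DATA starts with a SignatureOwner GUID

def parse_dbx(blob: bytes) -> list[bytes]:
    """Walk the concatenated EFI_SIGNATURE_LISTs and return every SHA-256 entry."""
    hashes = []
    off = 0
    while off + LIST_HEADER_LEN <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < LIST_HEADER_LEN or off + list_size > len(blob):
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        data_off = off + LIST_HEADER_LEN + hdr_size
        if sig_type == EFI_CERT_SHA256_GUID:
            # Entries are fixed-size: owner GUID followed by the hash itself.
            while data_off + sig_size <= off + list_size:
                hashes.append(blob[data_off + OWNER_GUID_LEN:data_off + sig_size])
                data_off += sig_size
        off += list_size          # other list types (x509 etc.) are skipped whole
    return hashes

def is_revoked(dbx_blob: bytes, pe_sha256_hex: str) -> bool:
    """True if the Authenticode SHA-256 of a boot binary appears in the DBX."""
    return bytes.fromhex(pe_sha256_hex) in set(parse_dbx(dbx_blob))

def build_sha256_list(hashes: list[bytes]) -> bytes:
    """Construct one SHA-256 EFI_SIGNATURE_LIST (sample data only; a real DBX
    comes from the firmware variable store)."""
    owner = uuid.UUID(int=0).bytes_le
    sig_size = OWNER_GUID_LEN + 32
    body = b"".join(owner + h for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", LIST_HEADER_LEN + len(body), 0, sig_size)
    return header + body

# Constructed sample DBX holding two revoked (placeholder) hashes.
REVOKED_A = bytes([0xAA]) * 32
REVOKED_B = bytes([0xBB]) * 32
SAMPLE_DBX = build_sha256_list([REVOKED_A, REVOKED_B])

if __name__ == "__main__":
    print("revoked entries:", len(parse_dbx(SAMPLE_DBX)))
    print("aa..aa revoked?", is_revoked(SAMPLE_DBX, "aa" * 32))
    print("cc..cc revoked?", is_revoked(SAMPLE_DBX, "cc" * 32))
```

A binary whose hash is absent from the DBX is still accepted by Secure Boot regardless of whether a patch for its bug exists, which is the gap the article describes.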
Plus, a proof-of-concept exploit for this vulnerability has been publicly available since August 2022, so expect to see more cybercriminals using this issue for illicit purposes soon.
Making it even more difficult to detect: BlackLotus can disable several OS security tools including BitLocker, Hypervisor-protected Code Integrity (HVCI) and Windows Defender, and bypass User Account Control (UAC), according to the security shop.
And while the researchers don't attribute the malware to a particular gang or nation-state group, they do note that the BlackLotus installers they analyzed won't proceed if the compromised computer is located in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, or Ukraine.
Once BlackLotus exploits CVE-2022-21894 and turns off the system's security tools, it deploys a kernel driver and an HTTP downloader. The kernel driver, among other things, protects the bootkit files from removal, while the HTTP downloader communicates with the command-and-control server and executes payloads.
The bootkit research follows UEFI vulnerabilities in Lenovo laptops that ESET found last spring, which, among other things, allow attackers to disable Secure Boot.
"It was only a matter of time before someone would take advantage of these failures and create a UEFI bootkit capable of running on systems with UEFI Secure Boot enabled," Smolár wrote. ®