feedbacklmka.blogg.se

Windows 11 secure boot




I just came across this issue on Twitter – ESET, for example, addressed it in this tweet as well as in this blog post.

Bypassing Secure Boot

ESET's security researchers have discovered a so-called bootkit that can be integrated into malware. This bootkit is able to bypass essential security features of UEFI Secure Boot. This security mechanism is promoted by Microsoft, supported by Windows 10 or Windows 11, and is now even required for certification. Even a fully up-to-date Windows 11 system with Secure Boot enabled poses no problem for the malware, the ESET authors write.

Based on the functionality of the bootkit and its individual features, the European IT security vendor's experts assume that it is a threat known as BlackLotus. The UEFI bootkit has been sold on hacker forums for $5,000 since October 2022.

"We got our first clues from hits in our telemetry in late 2022, which turned out to be a component of BlackLotus – an HTTP downloader. After an initial analysis, we discovered code patterns of six BlackLotus installers in the samples found. This allowed us to examine the entire execution chain and realize that we are not just dealing with normal malware here," said Martin Smolár, the ESET researcher who led the investigation of the bootkit.

Vulnerability is exploited

BlackLotus exploits a security vulnerability (CVE-2022-21894) that is more than a year old to bypass UEFI Secure Boot and permanently embed itself in the computer. This is the first known exploitation of this vulnerability in the wild.

Although the vulnerability was fixed with Microsoft's January 2022 update, its exploitation is still possible. The reason for this is that the affected, validly signed binaries have still not been added to the UEFI revocation list. BlackLotus exploits this by putting its own copies of legitimate – but vulnerable – binaries on the system.

Wide range of possibilities

BlackLotus is capable of disabling operating system security mechanisms such as BitLocker, HVCI and Windows Defender.
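Whether a given signed boot binary is still trusted comes down to whether its hash appears in the UEFI revocation list (the dbx variable). The following is an added example, not code from ESET or from this post: it parses the EFI_SIGNATURE_LIST layout from the UEFI specification and checks a digest against it. The function names and the sample data are hypothetical, and the digest is assumed to be the Authenticode (PE image) SHA-256 that dbx entries use, not a plain file hash.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs defined in the UEFI specification.
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
HEADER = 28  # 16-byte type GUID + three little-endian uint32 sizes


def revoked_sha256(blob: bytes) -> set:
    """Collect the SHA-256 digests from concatenated EFI_SIGNATURE_LISTs."""
    digests, offset = set(), 0
    while offset + HEADER <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        end = offset + list_size
        if list_size < HEADER or end > len(blob):
            raise ValueError(f"corrupt signature list at offset {offset}")
        if sig_type == EFI_CERT_SHA256 and sig_size == 48:
            # Each entry is a 16-byte SignatureOwner GUID plus a 32-byte digest.
            for pos in range(offset + HEADER + hdr_size, end - 47, 48):
                digests.add(blob[pos + 16:pos + 48])
        offset = end  # other list types (X.509 certificates) are skipped
    return digests


def is_revoked(digest: bytes, dbx: bytes) -> bool:
    return digest in revoked_sha256(dbx)


def make_list(sig_type: uuid.UUID, entries: list) -> bytes:
    """Build one EFI_SIGNATURE_LIST; used only to construct the sample below."""
    owner = bytes(16)
    body = b"".join(owner + e for e in entries)
    sizes = struct.pack("<III", HEADER + len(body), 0, 16 + len(entries[0]))
    return sig_type.bytes_le + sizes + body


# Constructed sample: stand-in digests, not real revocation entries.
OLD_LOADER = hashlib.sha256(b"constructed: vulnerable signed loader").digest()
PATCHED_LOADER = hashlib.sha256(b"constructed: patched loader").digest()
SAMPLE_DBX = (make_list(EFI_CERT_X509, [b"constructed-certificate"])
              + make_list(EFI_CERT_SHA256, [OLD_LOADER, bytes(32)]))

if __name__ == "__main__":
    for name, d in (("old loader", OLD_LOADER), ("patched loader", PATCHED_LOADER)):
        print(name, "revoked" if is_revoked(d, SAMPLE_DBX) else "not in dbx")
```

On a real system the dbx contents can be exported with `Get-SecureBootUEFI -Name dbx` on Windows; on Linux the efivarfs file carries a 4-byte attribute prefix that has to be stripped before parsing.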





