Tuesday, March 7, 2023

BlackLotus UEFI bootkit: Myth confirmed


As already mentioned, the bootkit has been sold on underground forums since at least October 6th, 2022. At this point, we have not been able to identify, from our telemetry, the exact distribution channel used to deploy the bootkit to victims. The low number of BlackLotus samples we have been able to obtain, both from public sources and our telemetry, leads us to believe that not many threat actors have started using it yet.

The goal of the installer is clear – it’s responsible for disabling Windows security features such as BitLocker disk encryption and HVCI, and for deployment of multiple files, including the malicious bootkit, to the ESP. Once finished, it reboots the compromised machine to let the dropped files do their job – to make sure the self-signed UEFI bootkit will be silently executed on every system start, regardless of UEFI Secure Boot protection status.


Researchers on Wednesday announced a major cybersecurity find—the world’s first-known instance of real-world malware that can hijack a computer’s boot process even when Secure Boot and other advanced protections are enabled and running on fully updated versions of Windows.

Because the UEFI is the first thing to run when a computer is turned on, it influences the OS, security apps, and all other software that follows. These traits make the UEFI the perfect place to launch malware. When successful, UEFI bootkits disable OS security mechanisms and ensure that a computer remains infected with stealthy malware that runs at the kernel mode or user mode, even after the operating system is reinstalled or a hard drive is replaced.

The ultimate takeaway is that the BlackLotus UEFI bootkit is able to install itself on up-to-date systems running the latest Windows version with Secure Boot enabled.


Once BlackLotus exploits CVE-2022-21894 and turns off the system's security tools, it deploys a kernel driver and an HTTP downloader. The kernel driver, among other things, protects the bootkit files from removal, while the HTTP downloader communicates with the command-and-control server and executes payloads.

And while the researchers don't attribute the malware to a particular gang or nation-state group, they do note that the BlackLotus installers they analyzed won't proceed if the compromised computer is located in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, and Ukraine.

This is a really tough sort of attack to protect against. If Microsoft deployed the trivial fix (simply flagging the vulnerable boot files as untrustworthy), it could brick every machine with an outdated UEFI. The exploit also uses BatonDrop, discovered by Wack0 back in August.


Windows Boot Applications allow the truncatememory setting to remove blocks of memory containing "persistent" ranges of serialised data from the memory map, leading to Secure Boot bypass.

The attacker needs to ensure the serialised Secure Boot Policy is allocated above a known physical address.

This issue can be used to dump BitLocker keys (where Secure Boot is used for integrity validation).

No known vulnerable boot application has been revoked yet. Revocation would cause all existing Windows installation/recovery media, and old backups, to fail to boot.
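One defender-side check that the BatonDrop description above suggests, written here as an added example (not code from ESET, Wack0 or the original post): parse the output of `bcdedit /enum all` and flag any boot entry that sets `truncatememory`, an element a stock installation does not set. The sample output below is constructed, and the GUID in it is a placeholder.

```python
import re

# Constructed sample of `bcdedit /enum all` output (not a real capture; the GUID is
# a placeholder): a stock loader entry plus one that sets truncatememory.
SAMPLE_BCD_OUTPUT = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
path                    \\EFI\\Microsoft\\Boot\\bootmgfw.efi
description             Windows Boot Manager

Windows Boot Loader
-------------------
identifier              {current}
path                    \\Windows\\system32\\winload.efi
description             Windows 10

Windows Boot Loader
-------------------
identifier              {11111111-2222-4333-8444-555555555555}
path                    \\Windows\\system32\\winload.efi
description             Windows 10
truncatememory          0x10000000
"""

ENTRY_RULE = re.compile(r"^-{3,}$")

def parse_bcd_entries(text):
    """Split bcdedit output into one dict per entry, keyed by element name."""
    entries, current, lines = [], None, text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if ENTRY_RULE.match(stripped):               # dashed rule under an entry title
            current = {"type": lines[i - 1].strip()}
            entries.append(current)
            continue
        next_is_rule = i + 1 < len(lines) and ENTRY_RULE.match(lines[i + 1].strip())
        if current is None or not stripped or next_is_rule:
            continue                                 # blank line or entry title
        parts = line.split(None, 1)                  # "element   value"
        if len(parts) == 2:
            current[parts[0].lower()] = parts[1].strip()
    return entries

def find_truncatememory_entries(text):
    """Return (identifier, value) for each entry that sets truncatememory.
    A stock installation sets none, so any hit deserves a look at the ESP."""
    return [(e.get("identifier", "?"), e["truncatememory"])
            for e in parse_bcd_entries(text) if "truncatememory" in e]
```

Feed it the real `bcdedit /enum all` output (run from an elevated prompt) and treat any non-empty result as a reason to inspect the boot application the entry points to.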
