BlackLotus Becomes First UEFI Bootkit Malware to Bypass Secure Boot on Windows 11


silversurfer

A stealthy Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus has become the first publicly known malware capable of bypassing Secure Boot defenses, making it a potent threat in the cyber landscape.

"This bootkit can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled," Slovak cybersecurity company ESET said in a report shared with The Hacker News.
"This is the first publicly known, in-the-wild abuse of this vulnerability," ESET researcher Martin Smolár said. "Its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list."

"BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability," effectively paving the way for Bring Your Own Vulnerable Driver (BYOVD) attacks.


ForgottenSeer 69673

Oh, so spooky!!!! I see an image of a person wearing a ghost sheet.
Some degenerate thinks they can take the name of my fav flower in vain? May the supernatural forces they cannot comprehend make them poop in their pantyhose. :LOL:

ForgottenSeer 98186

Any AV or other security measures to protect from this malware?
This bootkit requires an installer. That means that an installer has to get onto the system and execute. Either it is put onto the system and executed by a user or there is some form of exploit that gets the installer onto a system and it runs. One of the best solutions is default-deny (block execution) such as SRP, WDAC, and similar products.

Once a bootkit is on the system it will be difficult to detect and to remove. So the best protection will prevent the execution of installer or break the exploit or post-exploit run sequence.

Gandalf_The_Grey

This bootkit exploit is a year old security boot vulnerability under CVE-2022-21894. Although this vulnerability was already patched last year in January, ESET notes that the exploitation of this is still possible as signed binaries have not yet been added to the UEFI revocation list.
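The point both ESET and the post above make is that the fix for CVE-2022-21894 only bites once the still-valid, vulnerable bootloader hashes land in the UEFI forbidden-signature database (dbx). A defender can verify that on a given machine by exporting dbx and parsing it. The following is an added example, not code from ESET, Microsoft or anyone in this thread: it parses the EFI_SIGNATURE_LIST format that dbx uses (per the UEFI specification) and reports whether a list of expected SHA-256 entries is present. The sample blob and its hashes are constructed for the demo; the real hashes to check would come from the vendor's revocation advisory and are not on this page.

```python
"""Parse a UEFI dbx blob (concatenated EFI_SIGNATURE_LIST structures) and
check whether given SHA-256 entries are present. Added example with a
constructed sample; not a reproduction of any vendor tool."""
import hashlib
import struct
import uuid
from typing import Dict, List, Set

# EFI_CERT_SHA256_GUID from the UEFI specification: entries are 32-byte SHA-256 hashes.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Constructed SignatureOwner GUID for the sample blob (not a real vendor GUID).
SAMPLE_OWNER_GUID = uuid.UUID("00000000-0000-0000-0000-000000000001")

# EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes), then three UINT32
# fields: SignatureListSize, SignatureHeaderSize, SignatureSize.
HEADER_FMT = "<III"
HEADER_LEN = 16 + struct.calcsize(HEADER_FMT)  # 28 bytes


def parse_signature_lists(blob: bytes) -> List[Dict]:
    """Walk every EFI_SIGNATURE_LIST in the blob and return its entries."""
    entries = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < HEADER_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {offset}")
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, header_size, sig_size = struct.unpack_from(HEADER_FMT, blob, offset + 16)
        # Reject sizes that would run past the blob or overlap the header.
        if list_size < HEADER_LEN + header_size or offset + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {offset}")
        if sig_size < 16:  # each EFI_SIGNATURE_DATA starts with a 16-byte owner GUID
            raise ValueError(f"bad SignatureSize {sig_size} at offset {offset}")
        sigs_start = offset + HEADER_LEN + header_size
        sigs_end = offset + list_size
        if (sigs_end - sigs_start) % sig_size != 0:
            raise ValueError(f"signature area is not a multiple of SignatureSize at offset {offset}")
        for pos in range(sigs_start, sigs_end, sig_size):
            entries.append({
                "type": sig_type,
                "owner": uuid.UUID(bytes_le=blob[pos:pos + 16]),
                "data": blob[pos + 16:pos + sig_size],
            })
        offset = sigs_end
    return entries


def revoked_sha256(blob: bytes) -> Set[str]:
    """Hex digests of every SHA-256 entry in the blob (other entry types are ignored)."""
    return {e["data"].hex() for e in parse_signature_lists(blob) if e["type"] == EFI_CERT_SHA256_GUID}


def check_revocations(blob: bytes, expected: List[str]) -> Dict[str, bool]:
    """Map each expected hex digest to whether dbx already contains it."""
    present = revoked_sha256(blob)
    return {h.lower(): h.lower() in present for h in expected}


def build_sha256_list(hashes: List[bytes], owner: uuid.UUID = SAMPLE_OWNER_GUID) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used only to construct the sample)."""
    sig_size = 16 + 32
    body = b"".join(owner.bytes_le + h for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(HEADER_FMT, HEADER_LEN + len(body), 0, sig_size)
    return header + body


# Constructed sample: hashes of made-up inputs, not hashes of any real bootloader.
SAMPLE_HASHES = [hashlib.sha256(b"constructed-sample-binary-%d" % i).digest() for i in range(3)]
SAMPLE_DBX = build_sha256_list(SAMPLE_HASHES[:2]) + build_sha256_list(SAMPLE_HASHES[2:])

if __name__ == "__main__":
    # One hash that is in the sample dbx and one that is not.
    expected = [SAMPLE_HASHES[0].hex(), hashlib.sha256(b"not-revoked").hexdigest()]
    for digest, ok in check_revocations(SAMPLE_DBX, expected).items():
        print(f"{digest[:16]}...: {'revoked' if ok else 'NOT in dbx'}")
```

On a real machine the blob would come from the firmware rather than the constructed sample: on Windows, `Get-SecureBootUEFI -Name dbx -OutputFilePath dbx.bin` from the SecureBoot PowerShell module writes the variable to a file that can be fed to `parse_signature_lists`. A hash reported as "NOT in dbx" means the firmware will still accept that binary, which is exactly the window the thread is describing.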

Andy Ful

Also, even if it were able to infect your OS, it would be gone on reboot if you are in Shadow Mode.
You should be more concrete in your posts. Most users do not know what Shadow Mode is, because Shadow Defender is not a popular program. :)(y)
Anyway, it is very probable that you are right. Shadow Defender can protect EFI partitions (in theory). It is also improbable that the malware would bother to fight Shadow Defender in any way.

ForgottenSeer 69673

You should be more concrete in your posts. Most users do not know what Shadow Mode is, because Shadow Defender is not a popular program. :)(y)
Anyway, it is very probable that you are right. Shadow Defender can protect EFI partitions (in theory). It is also improbable that the malware would bother to fight Shadow Defender in any way.
Thank you, Andy. You are right. I should be a bit wordier in my posts. I used to be. Using Shadow Defender's encrypted write cache (not writing to disk) also helps, yes; because Shadow Defender is not a highly popular program, maybe the hackers would not bother. That was my thought also. And as you know, I still use AppGuard, configured my way.

I have tried to get someone to test this setup, but none will. Cruelsister, I know is itching to give it a go!!!
I also use Adguard and Malwarebytes extensions in Edge.
I also keep a backup copy of my BIOS
And a full Macrium image on a bootable stick
And Firewall Application Blocker in white list mode.

There, how's that?

ForgottenSeer 98186

Also, even if it were able to infect your OS, it would be gone on reboot if you are in Shadow Mode.
This is not necessarily true. About 10 years ago rootkits and bootkits were all the rage in security geek world. Does anybody remember GMER and ithurricane's PowerTool? There was a lot of hysteria and speculation about rootkits and protecting against them. Somebody did rootkit testing and Shadow Defender (whole-system virtualization) did not completely protect Ring 0. Tony had to make a fix back then.

Virtualization protection against rootkits is tricky stuff. At some low level (Ring 0, firmware) malware can bypass Shadow Defender. It is just a matter of it being carefully studied for its weaknesses. Although I do not know who would put in that time and effort except as a learning exercise. It certainly would not interest the average threat actor interested in money.

ForgottenSeer 69673

About 10 years ago rootkits and bootkits were all the rage in security geek world.
Yes, I was a member of Rootkit.com. MP_ART, EP_XOFF, Holy Father, etc. I remember how GMER and XP_OFF used to debate back and forth and how XP_OFF and MP_ART created Rustock A and B. Of course, then you also had the UnhackMe program author in the mix as well. My handle at the time for both there and Wilders was controller_2000. Which means, OMG, 23 years ago.
XP_OFF went to work for Microsoft.

Can you please explain to me what Ring 0 has to do with the encrypted write cache?

It is not just about Shadow Defender in my case. It is the overall security config I sport.

How's that?

ForgottenSeer 98186

Can you please explain to me what Ring 0 has to do with the encrypted write cache?
Shadow Defender, at the time I referenced, did not virtualize every sector of Ring 0 and some sectors could be modified during Shadow Mode. I cannot recall the specifics. It is over at Wilders buried deep.

This has nothing to do with rootkits, but also, Shadow Defender and other virtualization products do not virtualize firmware. So malicious firmware installers or firmware exploits run in Shadow Mode can theoretically infect a machine.

ForgottenSeer 98186

I wonder how many members here or at the Wilders had ever exchanged emails with

Joanna Rutkowska (remember Blue Pill?) Her blog runs from 2006 to 2021.

Or even Kevin from BOClean?
I remember Joanna from the Qubes project. Never interacted with her. Saw her in-person at a few conferences.

I remember Kevin from the old, early Comodo forum. I cannot recall if I ever had any communications with him.

You're digging up ancient history when it comes to Kevin.

simmerskool

Thank you, Andy. You are right. I should be a bit wordier in my posts. I used to be. Using Shadow Defender's encrypted write cache (not writing to disk) also helps, yes; because Shadow Defender is not a highly popular program, maybe the hackers would not bother. That was my thought also. And as you know, I still use AppGuard, configured my way.
How does SD work with AV updates, and do you have POP3 email delivered? Do you then exclude certain directories in SD? :unsure: (And if you inadvertently download malware in email?) I used SD several years ago, and eventually it seemed like a pain in the ass. But I also think I have an SD lifetime license. Is the current version v1.5.0.726 (Aug 2020)?
ForgottenSeer 69673

I remember Joanna from the Qubes project. Never interacted with her. Saw her in-person at a few conferences.

I remember Kevin from the old, early Comodo forum. I cannot recall if I ever had any communications with him.

You're digging up ancient history when it comes to Kevin.
Wow, then in all my travels I never saw your handle before. Which means you also must have had another, if you remember what I do. Very interesting, to say the least. As far as Wilders goes, I have posted why some poor mods drove me away; I will never go back. Do you also remember DiamondCS products? They were awesome too.

Thank you for bringing back some good ol' memories, Oerlink and Andy.