The PolySwarm Blog

BlackLotus UEFI Bootkit

Mar 10, 2023 12:13:45 PM / by The Hivemind

Executive Summary

BlackLotus is the first known bootkit to bypass UEFI Secure Boot on fully updated Windows 11 systems. It leverages CVE-2022-21894 to bypass UEFI Secure Boot.

Key Takeaways

  • BlackLotus is the first known bootkit to bypass UEFI Secure Boot on fully updated Windows 11 systems. 
  • To bypass UEFI, BlackLotus leverages CVE-2022-21894 (Baton Drop), a Secure Boot bypass vulnerability that exists due to an error in Secure Boot implementation.
  • BlackLotus deploys a kernel driver for elevated privilege and persistence and an HTTP downloader for communication with the C2. 

What is BlackLotus?

ESET recently reported on BlackLotus, a UEFI bootkit. BlackLotus is the first known bootkit to bypass UEFI Secure Boot on fully updated Windows 11 systems. It leverages CVE-2022-21894 to bypass UEFI Secure Boot. BlackLotus has been sold on underground hacking forums since at least late 2022 and sells for around $5000 USD. It is written in Assembly and C.

UEFI bootkits work by obtaining control of the OS boot process, allowing them to disable security mechanisms and deploy their own kernel mode or user mode payloads on startup. These bootkits are stealthy and operate with elevated privilege. Since they run as a bootloader, they have almost as much control over the system as a firmware implant. 

The BlackLotus infection chain starts with execution of an installer, which deploys the bootkit's files to the EFI System Partition (ESP), disables security measures, and reboots the system. BlackLotus can disable a variety of security mechanisms, including BitLocker, HVCI, and Windows Defender. There are two installer versions, one for offline use and one for online use. The offline version has the Windows binaries embedded in the installer, while the online version downloads them directly from the Microsoft symbol store.

After the first reboot, CVE-2022-21894 is exploited and the threat actor’s Machine Owner Key is enrolled to maintain persistence. The machine is then rebooted a second time. On each subsequent reboot, the bootkit is executed and deploys its kernel driver and the HTTP downloader, which is a user mode payload. This maintains persistence and allows download and execution of additional components from the C2. 

To bypass UEFI Secure Boot, BlackLotus leverages CVE-2022-21894. CVE-2022-21894, known as Baton Drop, is a Secure Boot bypass vulnerability that exists due to an error in the Secure Boot implementation. Although Microsoft fixed the vulnerability in a January 2022 update, it can still be exploited because the affected, validly signed binaries have not been added to the UEFI revocation list (dbx). BlackLotus brings its own copies of the legitimate but vulnerable binaries for exploitation.

It is interesting to note that BlackLotus checks the locale of the system and does not install the bootkit if the system is located in Romania, Moldova, Russia, Ukraine, Belarus, Armenia, or Kazakhstan.
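A defender's check on the gap described above, added here as an example and not part of the PolySwarm post or ESET's research: a Python parser for the UEFI dbx variable's EFI_SIGNATURE_LIST format that reports whether given Authenticode SHA-256 hashes are actually revoked. The hashes and the sample dbx blob are constructed placeholders; the real Baton Drop bootloader hashes are not listed on this page.

```python
import struct
import uuid

# SignatureType GUID for SHA-256 hash entries in Secure Boot db/dbx (EFI_CERT_SHA256_GUID).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_LIST_HDR = 28  # 16-byte GUID + three UINT32 fields (ListSize, HeaderSize, SignatureSize)

def parse_signature_lists(blob: bytes):
    """Walk a chain of EFI_SIGNATURE_LIST structures and yield (type, owner, data) per entry."""
    off = 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < SIG_LIST_HDR + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + SIG_LIST_HDR + hdr_size
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA: 16-byte owner GUID + payload
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, bytes(blob[pos + 16:pos + sig_size])
            pos += sig_size
        off = end

def revoked_sha256_hashes(dbx_blob: bytes) -> set:
    """Lowercase hex of every SHA-256 entry in dbx (other entry types, e.g. X.509, are skipped)."""
    return {d.hex() for t, _, d in parse_signature_lists(dbx_blob) if t == EFI_CERT_SHA256_GUID}

def check_revocations(dbx_blob: bytes, hashes) -> dict:
    """Map each Authenticode hash of interest to True if dbx revokes it, else False."""
    revoked = revoked_sha256_hashes(dbx_blob)
    return {h.lower(): h.lower() in revoked for h in hashes}

def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries; used here only to construct sample data."""
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", SIG_LIST_HDR + len(body), 0, 16 + 32)
    return header + body

# Constructed placeholders, NOT real Baton Drop bootloader hashes (the post does not list them).
REVOKED_HASH = "11" * 32
UNREVOKED_HASH = "22" * 32
SAMPLE_DBX = build_sha256_list([REVOKED_HASH])  # a constructed dbx that revokes only the first hash

if __name__ == "__main__":
    for h, is_revoked in check_revocations(SAMPLE_DBX, [REVOKED_HASH, UNREVOKED_HASH]).items():
        print(h[:16] + "...", "revoked" if is_revoked else "NOT revoked")
```

On a Windows host the live variable can be exported with PowerShell's Get-SecureBootUEFI -Name dbx (its Bytes property) and passed to check_revocations in place of the constructed blob.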

IOCs

PolySwarm has a sample associated with BlackLotus.

d68f668b4240f9518e4f80499d93d8c5a1eddece0771658c33ae916cc54f5a66

You can use the following CLI command to search for all BlackLotus samples in our portal:
$ polyswarm link list -f BlackLotus

Topics: Threat Bulletin, Windows, UEFI, CVE-2022-21894, BlackLotus, Bootkit, Windows 11, Baton Drop
