ESET recently published research on BlackLotus, a UEFI bootkit. BlackLotus is the first known bootkit to bypass UEFI Secure Boot on fully updated Windows 11 systems; it does so by exploiting CVE-2022-21894. BlackLotus has been advertised on underground hacking forums since at least late 2022 for around $5000 USD. It is written in assembly and C.
UEFI bootkits take control early in the OS boot process, before the operating system's own defenses are running, which lets them disable security mechanisms and load their own kernel mode or user mode payloads at every startup. They are stealthy and run with high privilege: because a bootkit executes as the bootloader, it has nearly as much control over the system as a firmware implant, while being easier to deploy since it lives on the EFI System Partition rather than in firmware flash.
The BlackLotus infection chain starts with execution of an installer, which deploys the bootkit's files to the EFI System Partition (ESP), disables security measures, and reboots the system. BlackLotus can disable a variety of security mechanisms, including BitLocker, HVCI, and Windows Defender. There are two installer versions, one for offline use and one for online use. The offline version has the legitimate Windows binaries it needs embedded in the installer; the online version downloads them directly from the Microsoft symbol store.
After the first reboot, CVE-2022-21894 is exploited and the threat actor's Machine Owner Key (MOK) is enrolled so that the attacker-signed bootkit is trusted on later boots. The machine is then rebooted a second time. On every subsequent boot, the bootkit is executed and deploys its kernel driver and the HTTP downloader, a user mode payload. This provides persistence and allows download and execution of additional components from the C2.
To bypass UEFI Secure Boot, BlackLotus leverages CVE-2022-21894, known as Baton Drop, a Secure Boot bypass caused by an error in the Windows boot manager's Secure Boot implementation. Although Microsoft fixed the vulnerability in a January 2022 update, it can still be exploited because the affected, validly signed binaries have not been added to the UEFI revocation list (DBX), so firmware still accepts them. BlackLotus therefore carries its own copies of the legitimate but vulnerable binaries and uses them for exploitation.
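The two points above, that a fixed binary stays bootable until its hash lands in DBX, and that persistence relies on a key enrolled in a MOK list, both come down to the contents of UEFI signature-list variables. The following is an added example (not code from ESET, Microsoft or PolySwarm) that parses the EFI_SIGNATURE_LIST format the UEFI specification defines for db, dbx and shim's MokList, checks whether a given Authenticode SHA-256 hash is revoked, and lists entries whose owner GUID is not the one you expect. The sample DBX and MokList blobs are constructed from made-up hashes and a fake certificate; the Microsoft owner GUID, the efivars path and the Get-SecureBootUEFI cmdlet mentioned in the usage note are assumptions drawn from my own experience, not from the post.

```python
"""Parse UEFI Secure Boot signature databases and check a hash against dbx.

Added example for this post; it is not code from ESET, Microsoft or PolySwarm.
The byte layout is EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA from the UEFI
specification, which is also the format of db, KEK and shim's MokList.
SAMPLE_DBX and SAMPLE_MOKLIST below are constructed here from made-up data;
no entry corresponds to a real Windows binary or certificate.
"""
import hashlib
import struct
import uuid
from typing import Iterator, List, Tuple

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType[16], SignatureListSize,
# SignatureHeaderSize, SignatureSize (UINT32 each, little-endian).
LIST_HDR = struct.Struct("<16sIII")
OWNER_GUID_LEN = 16  # every EFI_SIGNATURE_DATA starts with SignatureOwner

Entry = Tuple[uuid.UUID, uuid.UUID, bytes]  # (type, owner, data)


def parse_signature_lists(blob: bytes) -> Iterator[Entry]:
    """Walk the concatenated EFI_SIGNATURE_LISTs in a variable's payload."""
    off = 0
    while off < len(blob):
        if len(blob) - off < LIST_HDR.size:
            raise ValueError(f"truncated list header at offset {off}")
        sig_type, list_size, hdr_size, sig_size = LIST_HDR.unpack_from(blob, off)
        entries_len = list_size - LIST_HDR.size - hdr_size
        if (list_size < LIST_HDR.size or off + list_size > len(blob)
                or sig_size <= OWNER_GUID_LEN or entries_len < 0
                or entries_len % sig_size):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        type_guid = uuid.UUID(bytes_le=sig_type)
        first = off + LIST_HDR.size + hdr_size
        for e in range(first, first + entries_len, sig_size):
            owner = uuid.UUID(bytes_le=blob[e:e + OWNER_GUID_LEN])
            yield type_guid, owner, blob[e + OWNER_GUID_LEN:e + sig_size]
        off += list_size


def revoked_sha256_hashes(dbx: bytes) -> set:
    """All EFI_CERT_SHA256 entries: Authenticode SHA-256 hashes of banned PE images."""
    return {data for t, _, data in parse_signature_lists(dbx)
            if t == EFI_CERT_SHA256_GUID}


def is_revoked(dbx: bytes, authenticode_sha256: bytes) -> bool:
    """True if firmware will refuse a PE image with this Authenticode hash."""
    return authenticode_sha256 in revoked_sha256_hashes(dbx)


def entries_not_owned_by(blob: bytes, trusted_owner: uuid.UUID) -> List[Entry]:
    """Entries whose SignatureOwner differs from the expected one; useful when
    reviewing db or MokList for keys nobody legitimately enrolled."""
    return [(t, o, d) for t, o, d in parse_signature_lists(blob) if o != trusted_owner]


def build_signature_list(type_guid: uuid.UUID, owner: uuid.UUID, entries) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST (all entries in a list share one size)."""
    sizes = {len(e) for e in entries}
    if len(sizes) != 1:
        raise ValueError("entries in one list must be the same size")
    sig_size = OWNER_GUID_LEN + sizes.pop()
    body = b"".join(owner.bytes_le + e for e in entries)
    hdr = LIST_HDR.pack(type_guid.bytes_le, LIST_HDR.size + len(body), 0, sig_size)
    return hdr + body


def load_efivar(path: str) -> bytes:
    """Read a variable from Linux efivarfs; the first 4 bytes are attributes."""
    with open(path, "rb") as f:
        return f.read()[4:]


# --- Constructed sample data (not real dbx or MokList contents) -------------
MS_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")  # Microsoft's owner GUID (assumed)
ATTACKER_OWNER = uuid.UUID("00000000-0000-0000-0000-00000000c0de")  # made up
REVOKED_A = hashlib.sha256(b"constructed: old boot manager build A").digest()
REVOKED_B = hashlib.sha256(b"constructed: old boot manager build B").digest()
STILL_TRUSTED = hashlib.sha256(b"constructed: vulnerable build not yet in dbx").digest()
FAKE_CERT = b"constructed: not a real DER certificate"

SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, MS_OWNER, [REVOKED_A, REVOKED_B])
    + build_signature_list(EFI_CERT_X509_GUID, MS_OWNER, [FAKE_CERT])
)
# A MokList-style variable into which an attacker enrolled their own certificate.
SAMPLE_MOKLIST = build_signature_list(EFI_CERT_X509_GUID, ATTACKER_OWNER, [FAKE_CERT])

if __name__ == "__main__":
    for name, h in (("build A", REVOKED_A), ("unrevoked build", STILL_TRUSTED)):
        print(f"{name}: {'revoked' if is_revoked(SAMPLE_DBX, h) else 'still bootable'}")
    for t, owner, _ in entries_not_owned_by(SAMPLE_MOKLIST, MS_OWNER):
        print(f"MokList entry of type {t} enrolled by unexpected owner {owner}")
```

To run this against a real machine, feed it the raw variable payload: on Windows, `(Get-SecureBootUEFI -Name dbx).Bytes` from an elevated PowerShell; on Linux, `load_efivar("/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f")`. The hash you check must be the PE Authenticode SHA-256 of the boot manager, not the plain file hash. The same parser applied to the MokList variable (shim's GUID 605dab50-e046-4300-abb6-3dd810dd8b23) shows any certificate enrolled outside your own provisioning, which is the artifact the second reboot in the chain above leaves behind.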
Notably, BlackLotus checks the system locale and does not install the bootkit if the locale indicates Romania, Moldova, Russia, Ukraine, Belarus, Armenia, or Kazakhstan.
IOCs
PolySwarm has a sample associated with BlackLotus.