Malware

The source code of the BlackLotus UEFI Bootkit was leaked on GitHub

The source code for the BlackLotus UEFI bootkit has been published on GitHub and experts warn of the risks of proliferation of custom versions.

Researchers from ESET discovered in March a new stealthy Unified Extensible Firmware Interface (UEFI) bootkit, named BlackLotus, that is able to bypass Secure Boot on Windows 11.

Secure Boot is a security feature of the latest Unified Extensible Firmware Interface (UEFI) 2.3.1 designed to detect tampering with boot loaders, key operating system files, and unauthorized option ROMs by validating their digital signatures. “Detections are blocked from running before they can attack or infect the system specification.

BlackLotus is the first UEFI bootkit that is able to bypass the security feature on fully up-to-date Windows 11 systems.

The BlackLotus malware is a UEFI bootkit that is available for sale on hacking forums since at least October 2022.  The powerful malware is offered for sale at $5,000, with $200 payments per new updates.

Black Lotus is written in assembly and C and is only 80kb in size, the malicious code can be configured to avoid infecting systems in countries in the CIS region.

The malware supports anti-virtualization, anti-debugging, and code obfuscation. Black Lotus is able to disable security solutions, including Hypervisor-protected Code Integrity (HVCI), BitLocker, and Windows Defender. The rootkit is able to bypass security defenses like UAC and Secure Boot, it is able to load unsigned drivers used to perform a broad range of malicious activities.

The threat is very stealthy, it can achieve persistence at the UEFI level with Ring 0 agent protection.

Black Lotus supports a full set of backdoor capabilities, it could be also used to potentially target IT and OT environments.

ESET researchers reported that the bootkit exploits the vulnerability CVE-2022-21894 to bypass UEFI Secure Boot and maintain persistence. This is the first publicly known bootkit that abuses this vulnerability in the wild.

“Exploiting CVE-2022-21894 to bypass the Secure Boot feature and install the bootkit. This allows arbitrary code execution in early boot phases, where the platform is still owned by firmware and UEFI Boot Services functions are still available.” reads the analysis published by the experts. “This allows attackers to do many things that they should not be able to do on a machine with UEFI Secure Boot enabled without having physical access to it, such as modifying Boot-services-only NVRAM variables. And this is what attackers take advantage of to set up persistence for the bootkit in the next step. “

The experts pointed out that despite the issue was addressed by Microsoft in January 2022, its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list.

Upon successful installation of the bootkit, the malicious code deploys a kernel driver and an HTTP downloader, used for C2 communication, which can load additional user-mode or kernel-mode payloads.

The source code for the BlackLotus UEFI bootkit has been leaked on GitHub, this means that threat actors can use it to create their own variants, which include new exploits.

The public availability of the bootkit’s source code represents a significant risk mainly because it can be combined with new exploits and create new attack opportunities, according to

Alex Matrosov, CEO of the firmware security company Binarly, believes that the leaked source code doesn’t represent a significant threat because it isn’t complete

“However, the fact that it’s possible to combine them with new exploits like the BlackLotus campaign did was something unexpected to the industry and shows the real limitations of the current mitigations below the operating system.” explained Matrosov. “The BlackLotus leak shows how old rootkit and bootkit tricks, combined with new Secure Boot bypass vulnerabilities, can still be very effective in blinding a lot of modern endpoint security solutions.”

The researcher pointed out that BlackLotus was observed using the publicly known BatonDrop exploit.

Although the CVE-2022-21894 was patched in 2022, the impact was able to exploit the issue because the vulnerable binaries were still used as part of the UEFI.

“Enterprise defenders and CISOs need to understand that threats below the operating system are clear and present dangers to their environments. Since this attack vector has significant benefits for the attacker, it is only going to get more sophisticated and complex,” Matrosov concludes.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, BlackLotus)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds Apple, Oracle Agile PLM bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple, Oracle Agile PLM bugs to its…

12 hours ago

More than 2,000 Palo Alto Networks firewalls hacked exploiting recently patched zero-days

Threat actors already hacked thousands of Palo Alto Networks firewalls exploiting recently patched zero-day vulnerabilities.…

17 hours ago

Ransomhub ransomware gang claims the hack of Mexican government Legal Affairs Office

Mexico is investigating a ransomware attack targeting its legal affairs office, as confirmed by the…

1 day ago

US DoJ charges five alleged members of the Scattered Spider cybercrime gang

The U.S. Justice Department charged five suspects linked to the Scattered Spider cybercrime gang with…

1 day ago

Threat actor sells data of over 750,000 patients from a French hospital

A threat actor had access to electronic patient record system of an unnamed French hospital,…

2 days ago

Decade-old local privilege escalation bugs impacts Ubuntu needrestart package<gwmw style="display:none;"></gwmw>

Decade-old flaws in the needrestart package in Ubuntu Server could allow local attackers to gain…

2 days ago

This website uses cookies.