A UEFI bootkit capable of bypassing UEFI Secure Boot, the essential platform security feature, has been discovered in the wild for the first time. It is capable of operating on fully updated UEFI systems, including those with Windows 11 and UEFI Secure Boot enabled. The bootkit, known as BlackLotus, has been sold on hacking forums for at least $5,000 since October 2022. UEFI bootkits are considered high-level threats due to their ability to disable various operating system (OS) security mechanisms and deploy their own payloads in early startup stages.
The bootkit’s capabilities and features suggest that it is a powerful threat likely to be used by crimeware groups. Although bootkits are less stealthy than firmware implants such as LoJax, which reside in SPI flash, they offer almost the same capabilities without the need to bypass the multilevel defenses protecting SPI flash. While UEFI Secure Boot provides a shield against bootkits, vulnerabilities in signed boot components can still be exploited to bypass its protection.
The BlackLotus bootkit came to public attention after its HTTP downloader component was detected in late 2022. This component is responsible for communicating with the command-and-control (C&C) server, setting up persistence for the bootkit, and deploying a kernel driver that protects the bootkit from removal and additional user-mode or kernel-mode payloads. BlackLotus exploits a more than one-year-old vulnerability (CVE-2022-21894) to bypass UEFI Secure Boot and, in turn, disable OS security mechanisms such as BitLocker, HVCI, and Windows Defender.
BlackLotus has been advertised and sold on underground hacking forums since at least October 6th, 2022, and has drawn the attention of cybersecurity researchers in recent months. Although little is currently known about the distribution channel used to deploy the bootkit to victims, the low number of confirmed BlackLotus samples suggests that few threat actors have begun using it. However, the fact that the vulnerable binaries BlackLotus depends on have not been revoked may pose a serious risk to UEFI systems.
The evidence gathered by cybersecurity experts during the investigation of BlackLotus supports the claims made by the bootkit’s developer on hacking forums. The bootkit has an integrated Secure Boot bypass that exploits known vulnerabilities, has a built-in Ring0/Kernel protection mechanism, anti-VM, anti-debug, and obfuscation features to prevent malware analysis, and an HTTP downloader that runs within the system account of a legitimate process. Additionally, the BlackLotus installer can disable built-in Windows security protections, such as HVCI, Windows Defender, and User Account Control (UAC).
To compromise a system, the BlackLotus bootkit follows a three-step process. Firstly, the installer deploys the bootkit files, disables HVCI and BitLocker, and reboots the machine. Secondly, the bootkit exploits CVE-2022-21894 and enrolls the attacker’s Machine Owner Key (MOK) to achieve persistence. Lastly, the bootkit deploys its kernel driver and user-mode components during each boot, giving attackers full control over the system.
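The three steps above give a defender a concrete triage list: the protections the installer disables (HVCI, BitLocker), the Secure Boot state, and the EFI System Partition (ESP) where the bootkit stages its files before the reboot. The following PowerShell script is an added example for this article and is not code from the article, from ESET, or from Microsoft. It reports the state of those protections and lists recently modified files under the ESP's \EFI tree together with their Authenticode signer, so that boot files not explained by a Windows update stand out. Assumptions: it is run from an elevated PowerShell on a UEFI Windows host, the drive letter in `$EspLetter` is free, the BitLocker module is available, and the 30-day window is an arbitrary choice. Enrollment of an attacker's MOK lives in the firmware variable store and is not exposed by these cmdlets, so it is not checked here.

```powershell
#Requires -RunAsAdministrator
# Added defender-side triage script (not from the original article, ESET, or Microsoft).
# Reports the protections the article says BlackLotus tampers with and lists
# recently changed files on the EFI System Partition.

$EspLetter  = 'S:'   # assumed free drive letter used to mount the ESP
$RecentDays = 30     # assumed window for "recently modified"

function Get-BootProtectionStatus {
    $result = [ordered]@{}

    # 1. UEFI Secure Boot state (the cmdlet throws on legacy-BIOS machines)
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = 'Not UEFI / unknown' }

    # 2. HVCI via the DeviceGuard WMI class; service code 2 = hypervisor-enforced code integrity
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $result.HvciConfigured = [bool]($dg.SecurityServicesConfigured -contains 2)
    $result.HvciRunning    = [bool]($dg.SecurityServicesRunning    -contains 2)

    # 3. BitLocker on the system drive (ProtectionStatus: On / Off / Unknown)
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $result.BitLockerProtection = $bl.ProtectionStatus
    $result.BitLockerVolume     = $bl.VolumeStatus

    [pscustomobject]$result
}

function Get-RecentEspFiles {
    param([string]$Letter = $EspLetter, [int]$Days = $RecentDays)

    # mountvol <letter> /S exposes the EFI System Partition at that drive letter
    & mountvol $Letter /S | Out-Null
    try {
        $cutoff = (Get-Date).AddDays(-$Days)
        Get-ChildItem -Path "$Letter\EFI" -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $cutoff } |
            Sort-Object LastWriteTime -Descending |
            Select-Object FullName, Length, LastWriteTime,
                @{ Name = 'Signer'
                   Expression = { (Get-AuthenticodeSignature $_.FullName).SignerCertificate.Subject } }
    } finally {
        # always unmount, even if the listing failed
        & mountvol $Letter /D | Out-Null
    }
}

# Usage
Get-BootProtectionStatus | Format-List
"Files under \EFI modified in the last $RecentDays days:"
Get-RecentEspFiles | Format-Table -AutoSize -Wrap
```

Read the output against the article's attack chain: Secure Boot reported off, HVCI configured but not running, or BitLocker protection off on a machine where policy requires it is the state the installer leaves behind before its reboot, and any file under \EFI whose write time and signer do not match a known Windows servicing event deserves a closer look. A clean report does not prove absence of the bootkit, since BlackLotus reuses legitimately signed binaries, so treat the script as a first-pass check rather than a verdict.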
In conclusion, the emergence of the BlackLotus bootkit is a reminder of the importance of timely patching of known vulnerabilities and the need for revocation of vulnerable binaries to prevent attacks on UEFI systems. While bootkits may not be as stealthy as firmware implants, they still pose a significant risk to organizations, especially when sold on the underground market to the highest bidder. Cybersecurity experts must remain vigilant and investigate all potential threats to combat the increasing prevalence of UEFI bootkits and other advanced persistent threats.