May 6, 2025
BlackLotus, the first UEFI malware capable of bypassing Windows Secure Boot

March 2, 2023

BlackLotus is UEFI malware that is sold as a kit on hacker forums for $5,000 and is notable for being the first known malware able to bypass Windows Secure Boot. It is a major threat to any computing environment because it gets past this security defense even when it is enabled in the BIOS/UEFI.

If you recall, Microsoft introduced Windows Secure Boot ten years ago, when next-generation motherboards shipped with UEFI firmware in place of the old BIOS. It was highly controversial in its early days, because Secure Boot prevented the installation of operating systems other than Windows, such as GNU/Linux. The Linux Foundation later published a Microsoft-signed Secure Boot loader for Linux, which allowed any distribution to be installed, and most motherboard manufacturers also allowed Secure Boot to be disabled.

Because this security system requires firmware and software to be signed in order to protect the boot process, it ended up becoming standard, and in Windows 11 it is a mandatory requirement alongside the TPM.

Windows Secure Boot is at risk

Kaspersky researchers issued the warning last October after discovering malware called “BlackLotus” being sold on cybercrime marketplaces. Since then, security specialists have been taking it apart piece by piece, and ESET has released an extensive article showing how it works and how dangerous it is.

It is a UEFI bootkit: malware implanted in the computer's firmware that takes full control of the operating system's boot process, which lets it disable security mechanisms at the operating-system level and deploy any payload with administrative rights during boot.

BlackLotus costs $5,000, but it is highly profitable for the “bad guys” who can afford it. It is written in assembly language and is only 80 KB in size. It is stealthy and persistent, has geofencing capabilities to avoid infecting computers in certain countries, and, according to the researchers, is the first known malware that can bypass Windows Secure Boot.

It must be said that BlackLotus, like the vast majority of malware, exploits a security flaw: tracked as CVE-2022-21894, it allows Secure Boot protection in UEFI to be bypassed and persistence to be configured. Microsoft addressed this vulnerability in its monthly patch update in January 2022. The problem is that it can still be exploited by criminals, because the affected signed binaries were never added to the UEFI revocation list, so firmware with Secure Boot enabled still accepts those old binaries even on patched machines.

The malware takes advantage of this by carrying its own copies of those legitimate but vulnerable signed binaries. It disables system security tools such as BitLocker and Windows Defender and bypasses User Account Control. It also deploys a kernel driver and an HTTP downloader: the kernel driver protects the bootkit's files from deletion, while the downloader communicates with the command-and-control server and executes a payload capable of fully controlling the boot of the system.
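As an added illustration of the revocation-list point above (example code written for this edit, not from the article or from ESET): the Python below parses the EFI_SIGNATURE_LIST format used by the UEFI dbx and checks whether a given image hash is revoked. The dbx blob, owner GUID and image hashes it uses are constructed for the demonstration, not real entries.

```python
"""Parse a UEFI dbx (forbidden-signature database) blob and check whether a
SHA-256 image digest is revoked. Added example; the dbx below is constructed."""
import hashlib
import struct
import uuid
from typing import Iterator, Tuple

# Signature type GUID the UEFI spec assigns to raw SHA-256 image hashes.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SHA256_SIG_SIZE = 16 + 32   # SignatureOwner GUID + 32-byte digest
LIST_HDR_SIZE = 28          # SignatureType GUID + three UINT32 size fields

def build_sha256_list(digests: list, owner: uuid.UUID) -> bytes:
    """Encode digests as one EFI_SIGNATURE_LIST (used only to build the sample)."""
    body = b"".join(owner.bytes_le + d for d in digests)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", LIST_HDR_SIZE + len(body), 0, SHA256_SIG_SIZE)
    return header + body

def parse_signature_lists(blob: bytes) -> Iterator[Tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Yield (signature_type, owner, data) for every entry in a dbx blob."""
    off = 0
    while off < len(blob):
        if len(blob) - off < LIST_HDR_SIZE:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < LIST_HDR_SIZE or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST sizes")
        pos, end = off + LIST_HDR_SIZE + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def is_revoked(dbx: bytes, digest: bytes) -> bool:
    """True if a SHA-256 image digest is listed in dbx and would be refused."""
    return any(t == EFI_CERT_SHA256_GUID and d == digest
               for t, _, d in parse_signature_lists(dbx))

# Constructed sample. Real dbx entries hold the PE Authenticode hash of the
# image, not a hash of the raw file bytes; raw bytes stand in for that here.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")   # made-up owner GUID
REVOKED_DIGEST = hashlib.sha256(b"constructed revoked image").digest()
CLEAN_DIGEST = hashlib.sha256(b"constructed clean image").digest()
SAMPLE_DBX = build_sha256_list(
    [REVOKED_DIGEST, hashlib.sha256(b"another revoked image").digest()], OWNER)
```

On Windows the live database can be read with `Get-SecureBootUEFI -Name dbx` (its `Bytes` property), and on Linux from the `dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` efivar after stripping its 4-byte attribute prefix.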

BlackLotus is very dangerous. Described as a sophisticated crimeware solution, it “represents a leap forward in terms of ease of use, scalability, availability, and most importantly, the potential for much greater impact on the persistence, evasion and/or destruction methods of any known bootkit,” the researchers explain.

Source: Muy Computer