Microsoft shares how to detect (and disarm) BlackLotus.

April 13, 2023


The BlackLotus malware nests in a device's UEFI firmware and disables the usual detection methods. Microsoft has shared some tips on how to detect it.

BlackLotus became known in March through a blog post by ESET. According to the security vendor's researchers, the malware is one of a kind: it is the first UEFI bootkit that successfully bypasses Windows' built-in Secure Boot feature, abusing a vulnerability known to Microsoft as CVE-2022-21894. Accordingly, BlackLotus is sold on the dark web for many thousands of euros.

Malware of this type is inherently harder to detect than ordinary viruses: it embeds itself in the device's UEFI and disables Defender and other antivirus software before they can take effect. In addition, BlackLotus can infect fully updated Windows 11 devices. Nevertheless, defenders are not entirely without recourse; the Microsoft Incident Response team has shared some tips for detecting and mitigating BlackLotus.

Red flags

According to Microsoft, there are several elements during the installation and running process that can indicate that a device has been infected with BlackLotus. Security teams should look for things like:

  • Recently written bootloader files
  • Newly created staging folders
  • Changed registry keys
  • Windows event logs
  • Suspicious behavior on the network
  • Entries in the boot configuration log

Microsoft warns that these indicators are not very reliable when viewed individually. Observed together with other events, however, they carry more weight in determining whether a device is infected.
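A triage script covering the red flags listed above (recently written bootloader files, new folders on the EFI System Partition, boot configuration entries and Defender-related service events), as an added example that is not from the article or from Microsoft's guidance. It assumes the drive letter S: is free and uses an arbitrary 30-day lookback window; it only collects evidence for an analyst to review, since the article stresses that each indicator is weak on its own.

```powershell
#Requires -RunAsAdministrator
# Added example: collect evidence for the BlackLotus red flags named in the article.
# Assumptions: S: is an unused drive letter; $Days is an arbitrary lookback window.
param([int]$Days = 30, [string]$EspDrive = 'S:')

# 1. Mount the EFI System Partition (ESP) so its contents can be inspected.
mountvol $EspDrive /S
if (-not (Test-Path "$EspDrive\EFI")) { throw "ESP not mounted at $EspDrive" }
$since = (Get-Date).AddDays(-$Days)

try {
    # 2. Bootloader files on the ESP written within the lookback window.
    Write-Host "== Bootloader files written since $since =="
    Get-ChildItem "$EspDrive\EFI" -Recurse -File |
        Where-Object { $_.LastWriteTime -gt $since } |
        Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize

    # 3. Folders created on the ESP within the window (possible staging folders).
    Write-Host "== Folders created on the ESP since $since =="
    Get-ChildItem "$EspDrive\" -Recurse -Directory |
        Where-Object { $_.CreationTime -gt $since } |
        Select-Object FullName, CreationTime | Format-Table -AutoSize

    # 4. Boot configuration data: list every entry's identifier, device and loader path
    #    so unexpected loaders can be spotted by the analyst.
    Write-Host "== Boot configuration entries (identifier / device / path) =="
    bcdedit /enum all | Select-String -Pattern '^(identifier|device|path)\s'

    # 5. Service Control Manager events in the System log that mention Defender,
    #    e.g. the antivirus service being stopped or failing to start.
    Write-Host "== Service Control Manager events mentioning Defender since $since =="
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Defender|WinDefend' } |
        Select-Object TimeCreated, Id, Message | Format-Table -Wrap
}
finally {
    # 6. Always unmount the ESP again, even if a step above failed.
    mountvol $EspDrive /D
}
```

Run from an elevated PowerShell session; the output is meant to be correlated with the other indicators rather than treated as a verdict on its own.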

Prevent and heal

If a device is determined to be infected with BlackLotus, it must be removed from the network as soon as possible. The device should then be completely reformatted, or restored from a backup that contains a clean EFI partition.

Prevention is always better than cure, and here too there are measures that can significantly reduce the risk posed by BlackLotus. According to Microsoft, applying the principle of least privilege is essential: restricting local administrator privileges can significantly limit the malware's room to move.

Microsoft also recommends keeping antivirus software up to date. Blocking external applications from UEFI Secure Boot helps contain BlackLotus but does not prevent infection. Read this Microsoft blog for more information.

Source: IT Daily
