BlackLotus bypasses Secure Boot, Defender, VBS and BitLocker

BlackLotus is a piece of malware that has been circulating on the internet since around the middle of last year. What makes this bootkit so dangerous is its ability to bypass Secure Boot even on fully updated Windows 11 systems (which means that earlier versions of Windows are also vulnerable).


The malware doesn't stop there: it also makes registry modifications to disable Hypervisor-Protected Code Integrity (HVCI), Virtualization-Based Security (VBS) and BitLocker encryption. It also disables Windows Defender by manipulating the Early Launch Anti-Malware (ELAM) driver and the Windows Defender file filter driver. Its ultimate purpose is the deployment of an HTTP downloader that downloads malicious payloads.

This bootkit exploits a Secure Boot vulnerability that is more than a year old (CVE-2022-21894). Although it was patched in January of last year, the exploit still works because the affected signed binaries have not yet been added to the UEFI revocation list.

What BlackLotus bootkit can do:

It is able to run on the latest, fully updated Windows 11 systems with UEFI Secure Boot enabled.

It exploits a vulnerability over a year old (CVE-2022-21894) to bypass UEFI Secure Boot and configure the bootkit. This is the first publicly known exploit of this vulnerability.

Although the vulnerability was patched in Microsoft's January 2022 update, the exploit still works because the affected, validly signed binaries have not yet been added to the UEFI revocation list. BlackLotus takes advantage of this by bringing its own copies of the legitimate, but vulnerable, binaries in order to exploit the vulnerability.

It is capable of disabling operating system security mechanisms such as BitLocker, HVCI and Windows Defender.

Once installed, the main purpose of the bootkit is to deploy a kernel driver (which, among other things, protects the bootkit from removal) and an HTTP downloader that communicates with the C&C server and is capable of downloading additional malware.
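A defender-side health check for the protections the article says BlackLotus switches off (Secure Boot, VBS/HVCI, the Defender ELAM and file filter drivers, BitLocker), added here as an example and not taken from the article or from any vendor tooling. It assumes an elevated PowerShell session on a Windows 10/11 host; the registry paths, CIM class and driver names are standard Windows locations, while the expected-state table and output format are this example's own choices.

```powershell
# Added example: report whether the protections BlackLotus is said to disable are active.
# Run elevated. The "expected" table below is an assumption for a hardened Windows 11 host.
$checks = [ordered]@{}

# 1. UEFI Secure Boot (cmdlet throws on legacy BIOS or non-UEFI firmware)
try   { $checks['SecureBoot'] = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $checks['SecureBoot'] = "unavailable: $($_.Exception.Message)" }

# 2. VBS / HVCI runtime state from the DeviceGuard CIM provider
#    VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running
#    SecurityServicesRunning contains 2 when HVCI is running
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$checks['VBS_Running']  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
$checks['HVCI_Running'] = ($dg.SecurityServicesRunning -contains 2)

# 3. Registry policy values that decide whether VBS/HVCI come back after a reboot.
#    A host where VBS is running now but the registry says 0 deserves a closer look.
$dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvciKey = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"
$checks['VBS_RegEnabled']  = (Get-ItemProperty -Path $dgKey   -Name EnableVirtualizationBasedSecurity -ErrorAction SilentlyContinue).EnableVirtualizationBasedSecurity
$checks['HVCI_RegEnabled'] = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

# 4. Defender engine and real-time protection
$mp = Get-MpComputerStatus
$checks['Defender_AMService'] = $mp.AMServiceEnabled
$checks['Defender_RealTime']  = $mp.RealTimeProtectionEnabled

# 5. Defender boot-time drivers: WdBoot (ELAM) and WdFilter (file filter). Both are boot-start.
foreach ($drv in 'WdBoot', 'WdFilter') {
    $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$drv'"
    $checks["Driver_$drv"] = if ($svc) { $svc.StartMode } else { 'missing' }
}

# 6. BitLocker on the OS volume (requires the BitLocker module, present on Pro/Enterprise)
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$checks['BitLocker_OSVolume'] = $os.ProtectionStatus   # On / Off

# Compare against the expected healthy state and flag everything else for review
$expected = @{
    SecureBoot = $true; VBS_Running = $true; HVCI_Running = $true
    VBS_RegEnabled = 1;  HVCI_RegEnabled = 1
    Defender_AMService = $true; Defender_RealTime = $true
    Driver_WdBoot = 'Boot'; Driver_WdFilter = 'Boot'
    BitLocker_OSVolume = 'On'
}
foreach ($name in $checks.Keys) {
    $state = if ("$($checks[$name])" -eq "$($expected[$name])") { 'OK' } else { 'REVIEW' }
    '{0,-20} {1,-8} {2}' -f $name, $state, $checks[$name]
}
```

A "REVIEW" line is a prompt to investigate, not proof of infection: a missing registry value simply means the policy was never configured, whereas a protection that was known to be on and now reports off is worth correlating with boot and driver-load events.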

More technical details.


Written by giorgos
