BlackLotus is a UEFI bootkit that has been circulating on the internet since around the middle of last year. What makes it so dangerous is its ability to bypass UEFI Secure Boot even on fully updated Windows 11 systems (which means that earlier versions of Windows are vulnerable as well).
The malware doesn't stop there: it also makes registry modifications to disable Hypervisor-Protected Code Integrity (HVCI), a Virtualization-Based Security (VBS) feature, as well as BitLocker encryption. It further disables Windows Defender by manipulating the Early Launch Anti-Malware (ELAM) driver and the Windows Defender file system filter driver. Its ultimate goal is to deploy an HTTP downloader that fetches further malicious payloads.
The bootkit exploits a Secure Boot vulnerability (CVE-2022-21894) that has remained exploitable for over a year. Although Microsoft patched it in January of last year, the exploit still works because the affected, validly signed binaries have not yet been added to the UEFI revocation list (DBX).
What BlackLotus bootkit can do:
It is able to run on the latest, fully updated Windows 11 systems with UEFI Secure Boot enabled.
It exploits a vulnerability over a year old (CVE-2022-21894) to bypass UEFI Secure Boot and configure the bootkit. This is the first publicly known exploit of this vulnerability.
Although the vulnerability was fixed in Microsoft's January 2022 update, the exploit still works because the affected, validly signed binaries have not yet been added to the UEFI revocation list. BlackLotus takes advantage of this by bringing its own copies of the legitimate – but vulnerable – binaries onto the system and exploiting them there.
It is capable of disabling operating system security mechanisms such as BitLocker, HVCI and Windows Defender.
Once installed, the main goal of the bootkit is to deploy a kernel driver (which, among other things, protects the bootkit from removal) and an HTTP downloader that communicates with the C&C server and is capable of downloading additional malware.
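A defender-side check for the mechanisms the article names, written as an added example for this page (it is not part of the original article and is not a detector for BlackLotus itself). Run read-only from an elevated PowerShell, it reports the UEFI Secure Boot state, hashes the UEFI DBX so the list can be compared against a reference machine (the article's point is that the vulnerable signed binaries are absent from it), and reads the HVCI policy key, the VBS/HVCI runtime state, BitLocker protection on the OS volume, and the Defender components (the antivirus engine, the WdBoot ELAM driver and the WdFilter file system filter driver). The registry path, WMI class, and driver names are standard Windows ones; the known-good DBX hash you compare against is an assumption you supply yourself.

```powershell
# Added example (not from the article): read-only inventory of the defences the
# article says BlackLotus tampers with. Run in an elevated PowerShell on Windows 10/11.
# Anything reported as off or missing is a cue to investigate, not proof of compromise.

$report = [ordered]@{}

# 1. UEFI Secure Boot state. Confirm-SecureBootUEFI throws on legacy-BIOS machines.
try   { $report['SecureBoot'] = Confirm-SecureBootUEFI }
catch { $report['SecureBoot'] = "unavailable ($($_.Exception.Message))" }

# 2. Size and SHA-256 of the DBX (forbidden-signature database). Compare the hash with a
#    known-good machine or with the state after applying Microsoft's DBX update; the value
#    to compare against is an assumption you supply, it is not included here.
try {
    $dbx = (Get-SecureBootUEFI -Name dbx).Bytes
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $report['DbxBytes']  = $dbx.Length
    $report['DbxSHA256'] = ([System.BitConverter]::ToString($sha.ComputeHash($dbx))) -replace '-', ''
} catch { $report['DbxSHA256'] = "unavailable ($($_.Exception.Message))" }

# 3. HVCI: the registry policy value a bootkit would edit, plus the runtime state from WMI.
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$report['HvciRegistryEnabled'] = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
# SecurityServicesRunning contains 2 when HVCI is active; VirtualizationBasedSecurityStatus 2 means VBS is running.
$report['HvciRunning'] = [bool]($dg.SecurityServicesRunning -contains 2)
$report['VbsStatus']   = $dg.VirtualizationBasedSecurityStatus

# 4. BitLocker protection on the operating-system volume.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$report['BitLockerProtection'] = $osVol.ProtectionStatus

# 5. Defender: antivirus engine, the ELAM driver (WdBoot) and the file-system filter driver (WdFilter).
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
$report['DefenderAV']       = $mp.AntivirusEnabled
$report['DefenderRealTime'] = $mp.RealTimeProtectionEnabled
foreach ($drv in 'WdBoot', 'WdFilter') {
    $d = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$drv'" -ErrorAction SilentlyContinue
    $report[$drv] = if ($d) { "$($d.State) (start: $($d.StartMode))" } else { 'not registered' }
}

# 6. Print the table and flag anything that is off, missing or unreadable.
foreach ($k in $report.Keys) {
    $v = $report[$k]
    $flag = switch -Regex ("$v") {
        '^(|False|Off|0|Stopped|not registered)$' { '  <-- check' }
        '^unavailable'                            { '  <-- check' }
        default                                   { '' }
    }
    '{0,-22} {1}{2}' -f $k, $v, $flag
}
```

Keep the output from a clean, freshly imaged machine as the baseline; a later run that shows the HVCI policy value flipped to 0, BitLocker protection off, or WdBoot/WdFilter no longer running is the kind of change the article describes, and the DBX hash tells you whether the revocation list on the box has ever been updated.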