BlackLotus bypasses Secure Boot, Defender, VBS and BitLocker

BlackLotus is a bootkit that has been circulating since about the middle of last year. What makes it so dangerous is its ability to bypass Secure Boot even on fully updated Windows 11 systems (which means that earlier versions of Windows are also vulnerable).


The malware doesn't stop there: it also makes registry modifications to disable Hypervisor-Protected Code Integrity (HVCI), a Virtualization-Based Security (VBS) feature, as well as BitLocker encryption. It also disables Windows Defender by manipulating Early Launch Anti-Malware (ELAM) and the Windows Defender file filter driver. Its ultimate goal is to deploy an HTTP downloader that fetches malicious payloads.

This bootkit exploits a Secure Boot vulnerability that is over a year old (CVE-2022-21894). Although it was patched in January of last year, the exploit still works because the affected signed binaries have not yet been added to the UEFI revocation list.

What BlackLotus bootkit can do:

It is able to run on the latest, fully updated Windows 11 systems with UEFI Secure Boot enabled.

It exploits a vulnerability over a year old (CVE-2022-21894) to bypass UEFI Secure Boot and set up the bootkit. This is the first publicly known exploit of this vulnerability.

Although the vulnerability was fixed in Microsoft's January 2022 update, the exploit still works as the affected, validly signed binaries have not yet been added to the UEFI revocation list. BlackLotus exploits this by bringing its own copies of legitimate – but vulnerable – binaries onto the system to exploit the vulnerability.

It is capable of disabling operating system security mechanisms such as BitLocker, HVCI and Windows Defender.

Once installed, the main goal of the bootkit is to deploy a kernel driver (which, among other things, protects the bootkit from removal) and an HTTP downloader program responsible for communicating with C&C and capable of downloading additional malware.
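The article lists the protections BlackLotus disables (Secure Boot, HVCI/VBS, BitLocker, Defender). The following PowerShell audit, an added example that is not part of the original article or of any BlackLotus analysis, reads the state of each of those protections so a defender can spot one that has been switched off; the registry path and cmdlets are standard Windows ones, and the output object shape is this example's own.

```powershell
# Added example: snapshot the protections BlackLotus is reported to disable.
# Run as Administrator on Windows 10/11. Exit code 1 if any protection is off.

function Get-BootProtectionState {
    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS, so treat that as $false.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # HVCI: the documented registry switch plus the live Device Guard status (2 = HVCI running).
    $hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $hvciRegEnabled = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvciRunning = $null -ne $dg -and ($dg.SecurityServicesRunning -contains 2)

    # BitLocker: every fixed volume should report ProtectionStatus 'On'.
    $bitlockerOn = $false
    $vols = Get-BitLockerVolume -ErrorAction SilentlyContinue
    if ($vols) { $bitlockerOn = -not ($vols | Where-Object { $_.ProtectionStatus -ne 'On' }) }

    # Defender: the AM service and real-time protection must both be up.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $defenderOn = $null -ne $mp -and $mp.AMServiceEnabled -and $mp.RealTimeProtectionEnabled

    # UEFI dbx size: a revocation update that covers the vulnerable loaders grows this blob,
    # so record it as a baseline value to compare over time (no hashes are checked here).
    $dbxBytes = 0
    try { $dbxBytes = (Get-SecureBootUEFI -Name dbx).Bytes.Length } catch { $dbxBytes = 0 }

    [pscustomobject]@{
        SecureBoot       = $secureBoot
        HvciRegistry     = $hvciRegEnabled
        HvciRunning      = $hvciRunning
        BitLockerAllOn   = $bitlockerOn
        DefenderRealTime = $defenderOn
        DbxBytes         = $dbxBytes
    }
}

$state = Get-BootProtectionState
$state | Format-List
# Any $false below is a protection the bootkit is reported to turn off.
$bad = @('SecureBoot','HvciRegistry','HvciRunning','BitLockerAllOn','DefenderRealTime') |
       Where-Object { -not $state.$_ }
if ($bad) { Write-Warning ("Protections not active: " + ($bad -join ', ')); exit 1 }
```

Capture the output on a known-good machine first; a later run that shows HVCI or Defender flipping to $false without an administrator change is worth investigating.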

More technical details.


Written by giorgos