BlackLotus is a piece of malware that has been circulating on the internet since around the middle of last year. What makes this bootkit so dangerous is its ability to bypass UEFI Secure Boot even on fully updated Windows 11 systems (which means that earlier versions of Windows are vulnerable as well).
The malware doesn't stop there: it also makes registry modifications to disable Hypervisor-Protected Code Integrity (HVCI), a Virtualization-based Security (VBS) mode, as well as BitLocker encryption. It also disables Windows Defender by manipulating the Early Launch Anti-Malware (ELAM) driver and the Windows Defender file system filter driver. Its ultimate purpose is to deploy an HTTP downloader that fetches malicious payloads.
This bootkit exploits a Secure Boot vulnerability that is more than a year old (CVE-2022-21894). Although it was patched in January of last year, the exploit still works because the affected signed binaries have not yet been added to the UEFI revocation list.
What the BlackLotus bootkit can do:
It is able to run on the latest, fully updated Windows 11 systems with UEFI Secure Boot enabled.
It exploits a vulnerability over a year old (CVE-2022-21894) to bypass UEFI Secure Boot and set up the bootkit. This is the first publicly known exploit of this vulnerability.
Although the vulnerability was fixed in Microsoft's January 2022 update, the exploit still works because the affected, validly signed binaries have not yet been added to the UEFI revocation list. BlackLotus takes advantage of this by bringing its own copies of the legitimate, but vulnerable, binaries onto the system.
It is capable of disabling operating system security mechanisms such as BitLocker, HVCI and Windows Defender.
Once installed, the main goal of the bootkit is to deploy a kernel driver (which, among other things, protects the bootkit from removal) and an HTTP downloader responsible for communicating with its C&C server and capable of downloading additional malware.
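The protections the article names, both in the description of the registry and driver tampering and in the list above (UEFI Secure Boot, HVCI/VBS, BitLocker, Windows Defender with its ELAM and file-system filter drivers), can be baselined from the defender's side so that a host can be compared against its expected state. The following PowerShell script is an added example, not code from the article or from any vendor analysis; it assumes an elevated PowerShell session on Windows 10 or 11 with the Win32_DeviceGuard CIM class, the HVCI registry scenario key, the BitLocker and Defender modules, and the WdBoot (ELAM) and WdFilter (filter driver) services available. The dbx size is reported only as a coarse indicator that a revocation update has been applied; it does not identify which binaries are revoked.

```powershell
# Added example (not from the article): report the state of the protections the
# article says BlackLotus tampers with, so a defender can baseline a host and
# spot unexpected changes. Run from an elevated PowerShell on Windows 10/11.
# Assumptions: Win32_DeviceGuard, the HVCI scenario registry key, the BitLocker
# and Defender modules, and the WdBoot/WdFilter drivers exist on the host.

function Get-BootkitRelevantState {
    $report = [ordered]@{}

    # UEFI Secure Boot as reported by firmware (throws on legacy BIOS systems).
    try { $report.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $report.SecureBootEnabled = "unknown ($($_.Exception.Message))" }

    # Size of the forbidden-signature database (dbx). Revocation updates grow it;
    # this is a coarse indicator only, not proof that specific binaries are revoked.
    try { $report.DbxBytes = (Get-SecureBootUEFI -Name dbx).Bytes.Length }
    catch { $report.DbxBytes = 'unknown' }

    # VBS / HVCI as seen by the running system (2 = running in both fields).
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $report.VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $report.HvciRunning = (2 -in $dg.SecurityServicesRunning)

    # HVCI as configured in the registry; Enabled=1 requests HVCI at next boot.
    $hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $report.HvciRegistryEnabled = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

    # BitLocker protection status of the OS volume (On / Off).
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $report.BitLockerOsVolume = if ($os) { "$($os.ProtectionStatus)" } else { 'unavailable' }

    # Defender real-time protection plus the ELAM (WdBoot) and filter (WdFilter) drivers.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $report.DefenderRealTime = if ($mp) { $mp.RealTimeProtectionEnabled } else { 'unavailable' }
    foreach ($drv in 'WdBoot', 'WdFilter') {
        $d = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$drv'"
        # StartMode/State, e.g. "Boot/Running"; ELAM drivers normally unload after boot.
        $report["Driver_$drv"] = if ($d) { "$($d.StartMode)/$($d.State)" } else { 'missing' }
    }

    [pscustomobject]$report
}

# Collect the state and flag anything that deviates from a hardened baseline.
$state = Get-BootkitRelevantState
$state | Format-List

$findings = @()
if ($state.SecureBootEnabled -ne $true) { $findings += 'Secure Boot is not enabled' }
if (-not $state.HvciRunning)            { $findings += 'HVCI is not running' }
if ($state.HvciRegistryEnabled -ne 1)   { $findings += 'HVCI registry scenario is not Enabled=1' }
if ($state.BitLockerOsVolume -ne 'On')  { $findings += 'BitLocker protection is not On for the OS volume' }
if ($state.DefenderRealTime -ne $true)  { $findings += 'Defender real-time protection is off' }
foreach ($drv in 'WdBoot', 'WdFilter') {
    $mode = $state."Driver_$drv"
    if ($mode -notlike 'Boot/*' -and $mode -notlike 'System/*') {
        $findings += "$drv is not configured to start at boot ($mode)"
    }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'All checked protections are in their expected state.' }
```

Run the script once on a known-good build to record the expected values, then compare later runs (or feed the object to your inventory tooling); a host where HVCI or the Defender boot drivers have silently changed start mode is worth a closer look even before any other indicator appears.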