BlackLotus UEFI Bootkit, the first entity to breach Windows 11

March 17, 2023
BlackLotus UEFI Bootkit Security Breach Windows 11 Brand Abuse Vulnerability

A research group reported that the latest strain of the BlackLotus malware compromised fully patched Windows 11 systems with UEFI Secure Boot enabled. According to the reports, this malware is the first publicly disclosed UEFI bootkit that bypasses Secure Boot on a fully updated system.

Researchers first identified the BlackLotus malware in October of last year. It is also the first confirmed malware openly exploiting the Baton Drop vulnerability (CVE-2022-21894), a flaw in the Secure Boot security functionality of the Windows operating system.

Microsoft already patched this vulnerability in January last year. However, systems remain at risk because the vulnerable signed UEFI binaries have not yet been added to the UEFI revocation list (DBX), so Secure Boot still trusts them.

The BlackLotus campaign starts with an executed installer component.

According to the investigation, the BlackLotus operation begins with executing an installer component on the targeted device. The installer comes in two variants: an online one, which downloads the required Windows binaries from the command-and-control server, and an offline one, which carries those Windows binaries embedded in the installer itself.

The installer's objective is to write the files to the EFI system partition, disable HVCI and BitLocker, and reboot the device. During the first reboot, the malware operators abuse the Baton Drop flaw to bypass the UEFI Secure Boot protections and establish persistence. The campaign then enrols its operators' own Machine Owner Key (MOK) and reboots again.

On the second reboot, the attacker-signed UEFI bootkit executes. Finally, the threat actors deploy the kernel driver and HTTP downloader payloads. These components let the attackers download and execute additional kernel-mode and user-mode components and protect the bootkit against removal.
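The chain above tampers with a fixed set of platform protections (Secure Boot, the DBX revocation list, HVCI, BitLocker) and writes files to the EFI system partition. The following audit script is an added example for defenders, not code from the article or from any research group it cites. It reports the state of each of those protections and lists recently modified files on the ESP so that drift can be spotted. The cmdlets are the standard Windows ones; the 30-day window and the temporary drive letter `S:` are assumptions chosen for the example, and the script must run from an elevated PowerShell on a UEFI system.

```powershell
# Added audit script (not from the article): report the state of the protections
# that the BlackLotus installer chain disables or bypasses, plus recent ESP writes.
# Assumptions: elevated PowerShell on Windows 10/11 with UEFI firmware; 'S:' is a
# free drive letter; the 30-day look-back window is an arbitrary example value.

$report = [ordered]@{}

# 1. Is UEFI Secure Boot enabled? Confirm-SecureBootUEFI throws on legacy BIOS
#    systems or when not elevated, so treat that as "unsupported".
try {
    $report.SecureBoot = Confirm-SecureBootUEFI
} catch {
    $report.SecureBoot = 'unsupported (legacy BIOS or not elevated)'
}

# 2. Size of the UEFI forbidden-signature database (DBX). The article notes the
#    vulnerable boot managers had not yet been revoked; recording the DBX size over
#    time lets you see whether revocation updates are actually being applied.
try {
    $dbx = Get-SecureBootUEFI -Name dbx
    $report.DbxBytes = $dbx.Bytes.Length
} catch {
    $report.DbxBytes = 'unavailable'
}

# 3. HVCI (memory integrity) running state. In the Win32_DeviceGuard class,
#    SecurityServicesRunning contains the value 2 when HVCI is active.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$report.HvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)

# 4. BitLocker protection status of the OS volume ('On' when protectors are active).
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report.BitLockerOsVolume = $osVol.ProtectionStatus

# 5. Files written to the EFI system partition within the look-back window. The
#    installer described in the article drops its files there. mountvol <drive> /S
#    mounts the ESP on the given letter; /D dismounts it again.
$espLetter = 'S:'
$cutoff    = (Get-Date).AddDays(-30)
mountvol $espLetter /S | Out-Null
try {
    $report.RecentEspFiles = @(
        Get-ChildItem -Path "$espLetter\EFI" -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $cutoff } |
            ForEach-Object { '{0}  ({1:u})' -f $_.FullName, $_.LastWriteTime }
    )
} finally {
    mountvol $espLetter /D | Out-Null
}

# Print the findings; feed them to your monitoring pipeline as needed.
[pscustomobject]$report | Format-List
```

A healthy baseline shows SecureBoot True, HvciRunning True, BitLockerOsVolume On, and no unexpected entries under RecentEspFiles outside of Windows update windows. Any of those flipping on a host that was previously compliant, especially together with an unexplained reboot, is worth treating as an incident trigger rather than a configuration drift ticket.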

This new bootkit significantly improves cybercriminal operations in terms of persistence, evasion, and full control of the targeted devices. Furthermore, cybersecurity experts say that fully and effectively patching the vulnerability exploited by the BlackLotus operators will take an extended period because of the complexity of the UEFI environment.

Users should adopt a sound security posture, including standard anti-malware and firewall solutions. Finally, users should keep up with threat intelligence insights to mitigate the impact of such threats.
