The new BlackLotus UEFI bootkit is being sold on the dark web

October 25, 2022
BlackLotus UEFI Bootkit Dark Web Threat Intelligence Vulnerability Exploit

A new UEFI bootkit dubbed BlackLotus is being offered for sale on dark web hacking forums. Its advertised features include a built-in Secure Boot bypass, Ring 0 (kernel-level) protection against removal by security tools, the ability to start even when the system boots into Safe Mode, and more.

UEFI bootkits are usually associated with state-backed APT groups. They are planted in the pre-OS boot chain of the targeted machine (in the system firmware or among the bootloaders on the EFI System Partition), so they execute before the operating system loads and can evade the security software running inside it.
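Because a bootkit runs before the operating system, the practical defensive check is to baseline what sits in the boot path and diff it over time. The following PowerShell script is an added example for this article, not code from the original page or from any BlackLotus analysis: it records the firmware's Secure Boot state, lists the firmware boot entries, and hashes and signature-checks every executable on the EFI System Partition. It assumes an elevated session on a UEFI Windows host and that the drive letter S: is free for mounting the ESP; the "expected" path prefixes and the Microsoft signer match are the author's assumptions and may need extending for OEM tooling.

```powershell
# Added example (not from the article): baseline the pre-OS boot chain on a Windows host.
# Requires an elevated PowerShell session. Assumes the drive letter S: is free to mount the ESP on.
# Caveat: a bootkit already running with kernel privileges can lie to tools inside the OS, so treat
# this as a baseline/diff aid and confirm suspicious findings from trusted offline media.

$ErrorActionPreference = 'Stop'

# 1. Secure Boot state as reported by firmware (UEFI only; throws on legacy BIOS or without admin).
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    $secureBoot = $null
    Write-Warning "Confirm-SecureBootUEFI failed: $($_.Exception.Message)"
}
Write-Host "Secure Boot enabled: $secureBoot"

# 2. Firmware boot entries: look for entries pointing at unexpected .efi paths.
bcdedit /enum firmware

# 3. Mount the EFI System Partition and inventory every PE executable on it.
mountvol S: /S
try {
    $inventory = Get-ChildItem -Path 'S:\' -Recurse -File -Include *.efi, *.dll, *.exe |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                SHA256    = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                # Status is often 'UnknownError' even for genuine Microsoft boot files, because the
                # UEFI CA chain is not in the Windows certificate store; the signer subject is more useful.
                SigStatus = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
            }
        }
    $inventory | Format-Table -AutoSize

    # 4. Flag binaries not signed by Microsoft, or living outside the stock \EFI\Microsoft and \EFI\Boot trees.
    #    (Assumed policy for this example; OEM directories such as \EFI\<vendor> will show up here for review.)
    $suspect = $inventory | Where-Object {
        ($_.Signer -notmatch 'O=Microsoft Corporation') -or
        ($_.Path -notmatch '^S:\\EFI\\(Microsoft|Boot)\\')
    }
    if ($suspect) {
        Write-Warning "Review these boot-path binaries:"
        $suspect | Format-Table Path, SizeKB, Signer -AutoSize
    }

    # 5. Persist the baseline so a later run can be diffed with Compare-Object on the SHA256 column.
    $baseline = Join-Path $env:ProgramData "esp-baseline-$(Get-Date -Format yyyyMMdd).csv"
    $inventory | Export-Csv -Path $baseline -NoTypeInformation
    Write-Host "Baseline written to $baseline"
}
finally {
    mountvol S: /D
}
```

Run it once on a known-good build to capture the baseline, then on later runs compare the new CSV against it with Compare-Object; a new or changed file under \EFI, a bootmgfw.efi whose hash moved without a Windows update, or a firmware boot entry pointing somewhere other than the Microsoft boot manager is what warrants pulling the disk for offline analysis.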

The author offers the BlackLotus UEFI bootkit for $200, significantly cheaper than other Windows bootkits, which typically sell for around $5,000.

Beyond the features already mentioned, the advertisement lists anti-virtual-machine and anti-debugging checks and code obfuscation to hinder analysis. The bootkit is also said to run under the 'SYSTEM' account, which the seller claims helps it defeat analysis attempts.

According to the seller's post, the bootkit has an on-disk footprint of about 80 KB and can disable built-in Windows security protections. Several security researchers are concerned about the tool being sold on the dark web, since this class of capability has so far been used mostly by nation-state groups in targeted campaigns.

The researchers added that the techniques used by APT groups were usually available only to well-resourced, government-backed organisations. Having such a tool available to anyone who can pay on an underground forum is therefore alarming.

Having reviewed the advertised features and capabilities of BlackLotus, the researchers concluded that it represents a leap toward the wider availability, accessibility, and scalability of sophisticated APT tooling for threat actors of any skill level. Its sale could also mean more damaging attacks in terms of evasion, persistence, and destructive capability.

Nonetheless, the researchers noted that no full sample has yet been analysed, so they cannot say whether the bootkit is complete or production-ready. They are trying to obtain a sample for closer analysis; until that analysis is done, they caution that the advertisement could be a scam.

Users are still warned that if the BlackLotus UEFI bootkit is confirmed to be authentic and working, it would mark a worrying trend that could harm both consumers and corporate servers.
