ESET Uncovers BlackLotus UEFI Boot Kit Bypassing Secure Boot on Windows 11 Systems


Security company ESET has uncovered a UEFI bootkit, named BlackLotus, that bypasses UEFI Secure Boot on fully updated Windows 11 systems. The bootkit exploits a vulnerability Microsoft patched over a year ago, but the vulnerable, validly signed boot binaries have not been revoked, so an attacker can still load them. ESET's analysis confirms that the bootkit is real and in circulation, and documents how it works.

Offers of such malware on underground forums surfaced last year; ESET has now both verified that it exists and analysed how the BlackLotus bootkit works. It is being sold on underground forums for a hefty $5,000.

The BlackLotus bootkit lets attackers bypass the Secure Boot feature in a PC's UEFI firmware. ESET reports that it is the first bootkit seen in the wild that can run on a fully updated Windows 11 system with Secure Boot enabled. It does so by exploiting a known vulnerability, CVE-2022-21894 (also called "Baton Drop"), which Microsoft fixed in January 2022. That fix does not stop BlackLotus: the vulnerable boot manager binaries are still validly signed and have never been revoked, so the firmware continues to trust them.

The key factor behind the bootkit's success is that the affected binaries have still not been added to the UEFI revocation list (the DBX database). BlackLotus simply brings its own copies of the legitimately signed but vulnerable Windows boot binaries to the EFI System Partition; because their signatures are valid and not revoked, Secure Boot loads them, and the exploit then runs the attacker's own loader before the operating system. The bootkit also enrolls its own key in the firmware's Machine Owner Key (MOK) list so that its self-signed loader is accepted on subsequent boots. Until the firmware's DBX is updated to revoke the vulnerable binaries, this path stays open regardless of the Windows patch level.

Beyond bypassing Secure Boot, BlackLotus persists across reboots. Once its binaries are loaded, the bootkit deploys a kernel driver and a user-mode HTTP downloader that communicates with a remote command-and-control server. It also disables several Windows security features, including BitLocker, Windows Defender and hypervisor-protected code integrity (HVCI), leaving the system open to further compromise.
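As an added example that is not part of ESET's report or this article, the following PowerShell script is a read-only triage pass over the host-side state a BlackLotus infection is known to touch: whether Secure Boot is enforced, how many revocation hashes the firmware's DBX actually carries, which bootloaders on the EFI System Partition were written recently, and the HVCI, Defender and BitLocker state. It assumes an elevated PowerShell session on Windows 10/11, a free drive letter S: for mounting the ESP, and a 30-day window for "recent" bootloader writes; none of these values come from the original text.

```powershell
# Added triage example (not ESET's code). Run from an elevated PowerShell session.
# It changes nothing on the host except temporarily mounting the ESP on $esp.
$esp    = 'S:'                      # assumption: a free drive letter
$cutoff = (Get-Date).AddDays(-30)   # assumption: what counts as "recently written"
$report = [ordered]@{}

# 1. Is Secure Boot enforced at all? Confirm-SecureBootUEFI throws on legacy BIOS boots.
try   { $report.SecureBootEnabled = Confirm-SecureBootUEFI }
catch { $report.SecureBootEnabled = "unavailable: $($_.Exception.Message)" }

# 2. Count SHA-256 image hashes in the firmware revocation list (DBX).
#    The dbx variable is a sequence of EFI_SIGNATURE_LIST structures:
#      SignatureType GUID (16) | ListSize (4) | HeaderSize (4) | SignatureSize (4) | header | entries
#    Each EFI_CERT_SHA256 entry is a 16-byte owner GUID followed by a 32-byte hash.
#    A DBX with only a handful of entries has never received a revocation update, which is
#    exactly the condition that lets BlackLotus load its old, still-trusted boot manager.
$sha256Type = [Guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID
try {
    [byte[]]$dbx = (Get-SecureBootUEFI -Name dbx).Bytes
    [int]$offset = 0; $hashes = 0
    while ($offset + 28 -le $dbx.Length) {
        $type     = [Guid]::new([byte[]]$dbx[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($dbx, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($dbx, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($dbx, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 0) { break }   # malformed list: stop, do not loop
        if ($type -eq $sha256Type) {
            $hashes += [math]::Floor(($listSize - 28 - $hdrSize) / $sigSize)
        }
        $offset += $listSize
    }
    $report.DbxSha256Entries = $hashes
} catch { $report.DbxSha256Entries = "unavailable: $($_.Exception.Message)" }

# 3. Recently written EFI binaries on the ESP, with their file version and signature status.
#    A valid Microsoft signature is NOT evidence of a clean file here: BlackLotus drops
#    legitimately signed but outdated boot binaries, so an old FileVersion on a patched
#    system, or a fresh LastWriteTime with no servicing event, is the thing to question.
if (Test-Path "${esp}\") { throw "Drive letter $esp is already in use; pick another one." }
mountvol $esp /S | Out-Null
try {
    $report.RecentEspBinaries = Get-ChildItem -Path "${esp}\EFI" -Recurse -File -Include *.efi -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        ForEach-Object {
            '{0}  written={1:u}  version={2}  signature={3}' -f $_.FullName, $_.LastWriteTime,
                $_.VersionInfo.FileVersion, (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        }
} finally { mountvol $esp /D | Out-Null }

# 4. HVCI: the bootkit sets the policy value to 0 so its own kernel driver can load.
#    Report both the configured value and whether HVCI is actually running (service code 2).
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$report.HvciPolicyEnabled = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
try {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $report.HvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
} catch { $report.HvciRunning = "unavailable: $($_.Exception.Message)" }

# 5. Defender real-time protection and BitLocker protection status.
try {
    $mp = Get-MpComputerStatus
    $report.DefenderAntivirusEnabled = $mp.AntivirusEnabled
    $report.DefenderRealTimeEnabled  = $mp.RealTimeProtectionEnabled
} catch { $report.DefenderRealTimeEnabled = "unavailable: $($_.Exception.Message)" }
try {
    $report.BitLocker = Get-BitLockerVolume | ForEach-Object { '{0} {1}' -f $_.MountPoint, $_.ProtectionStatus }
} catch { $report.BitLocker = "unavailable: $($_.Exception.Message)" }

[pscustomobject]$report | Format-List
```

Read the output as a set of deviations from a known-good baseline rather than as a verdict: compare the DBX entry count against the revocation list published by the UEFI Forum and against a freshly built reference machine, and treat Secure Boot off, HVCI policy at 0 while the baseline has it enabled, Defender real-time protection off, or BitLocker protection unexpectedly off as reasons to image the ESP and the system before touching anything else.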

BlackLotus is known to be for sale on underground forums, but how widely it has been deployed and whom it is meant to target remain unclear. Notably, its installer checks the system locale and refuses to run on PCs whose locale is set to certain countries, including Romania, Russia, Ukraine, Belarus, Armenia and Kazakhstan.