
BlackLotus Bootkit Can Target Fully Patched Windows 11 Systems

According to ESET's analysis, the BlackLotus bootkit is able to bypass security measures on fully updated Windows 11 systems. Furthermore, it can persist on those systems across reboots.

BlackLotus was first spotted in October 2022 and is offered for $5,000 on underground forums. Its capabilities are on par with those of nation-state actors and include the ability to bypass User Account Control (UAC) and Secure Boot, and to disable protections such as BitLocker and Windows Defender. The bootkit exploits a year-old vulnerability in Windows (CVE-2022-21894) to disable Secure Boot.

ESET has identified six installers to date, which has allowed it to take a deep dive into the malware's execution chain and reveal its main capabilities. Once executed on the system, the bootkit deploys a kernel driver and a user-mode component (an HTTP downloader).

The user-mode component is responsible for C&C communication over HTTPS, command execution, and payload delivery. To ensure persistence, the attackers’ Machine Owner Key (MOK) is enrolled to the MokList variable.

While BlackLotus is stealthy and packs numerous anti-removal protections, ESET believes it has discovered a weakness in the way the HTTP downloader passes commands to the kernel driver, which could allow users to remove the bootkit. Updating the UEFI revocation list would mitigate the threat posed by BlackLotus, but a fresh Windows install and the removal of the attackers' enrolled MOK key would be required to clean infected systems.

Key Points:

  • The BlackLotus bootkit emerged in October 2022, and can bypass security protections on fully updated Windows 11 systems.
  • It exploits a year-old vulnerability in Windows (CVE-2022-21894) to disable secure boot and persists by enrolling the attackers’ Machine Owner Key (MOK) to the MokList variable.
  • It packs numerous anti-removal protections, but ESET believes it has discovered a weakness which could allow users to remove the bootkit.
  • Updating the UEFI revocation list would mitigate the threat posed by BlackLotus, but a fresh Windows install and the removal of the attackers’ enrolled MOK key would be required to clean infected systems.
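MokList, like db and dbx, is a chain of EFI_SIGNATURE_LIST structures, so a defender auditing a machine for a foreign key enrollment of the kind described above can parse the variable and compare each entry's SignatureOwner against an allowlist of owners the organisation actually enrolled. The following is an added example, not ESET's tooling or anything from the report; the sample list is constructed inline, the two owner GUIDs are hypothetical, and a real MokList dump is assumed to come from a tool that strips the 4-byte attribute prefix efivarfs prepends to variable data.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}

def parse_signature_lists(blob: bytes) -> list:
    """Walk a chain of EFI_SIGNATURE_LIST structures (the format of MokList, db and dbx)
    and return one dict per EFI_SIGNATURE_DATA entry. GUIDs are stored mixed-endian."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos = off + 28 + hdr_size      # skip SignatureHeader, which is unused for these types
        end = off + list_size
        while pos + sig_size <= end:   # each EFI_SIGNATURE_DATA = 16-byte owner GUID + payload
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            data = blob[pos + 16:pos + sig_size]
            entries.append({"type": TYPE_NAMES.get(sig_type, str(sig_type)),
                            "owner": str(owner), "data": data})
            pos += sig_size
        off = end
    return entries

def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, items: list) -> bytes:
    """Encode equally sized payloads as one EFI_SIGNATURE_LIST (used here to construct input)."""
    sig_size = 16 + len(items[0])
    body = b"".join(owner.bytes_le + item for item in items)
    header = sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size)
    return header + body

def unexpected_entries(blob: bytes, trusted_owners: set) -> list:
    """Return entries whose SignatureOwner is not in the operator's allowlist."""
    return [e for e in parse_signature_lists(blob) if e["owner"] not in trusted_owners]

# Constructed sample: one SHA-256 entry from a hypothetical trusted owner, plus an X.509
# entry (dummy DER bytes) enrolled by a hypothetical owner that is not in the allowlist.
TRUSTED_OWNER = uuid.UUID("11111111-1111-1111-1111-111111111111")
UNKNOWN_OWNER = uuid.UUID("22222222-2222-2222-2222-222222222222")
SAMPLE_MOKLIST = (build_signature_list(EFI_CERT_SHA256_GUID, TRUSTED_OWNER, [bytes(32)])
                  + build_signature_list(EFI_CERT_X509_GUID, UNKNOWN_OWNER, [b"\x30\x82\x00\x00fake-der"]))
```

Running `unexpected_entries(SAMPLE_MOKLIST, {str(TRUSTED_OWNER)})` on the sample returns only the X.509 entry from the unknown owner; on a real dump, any entry that is not in the allowlist is what needs to be removed alongside the OS reinstall the report calls for.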
