
BlackLotus Malware Hijacks Windows Secure Boot Process

Security researchers have recently discovered a sophisticated piece of malware known as BlackLotus, a UEFI bootkit that can bypass various security protections and hijack the boot process of computers, even those running the latest version of Windows with Secure Boot enabled.

UEFI (Unified Extensible Firmware Interface) is the low-level, complex chain of firmware that boots virtually every modern computer. The firmware itself lives in an SPI-connected flash chip soldered onto the motherboard, which makes it difficult to inspect or patch. BlackLotus does not rewrite that chip; it targets the software stored on the EFI System Partition (ESP), the disk partition from which the firmware loads the operating system's boot manager.

It runs on fully patched Windows 11 systems with UEFI Secure Boot enabled by exploiting a more than one-year-old vulnerability, CVE-2022-21894, to bypass Secure Boot and establish persistence for the bootkit. Microsoft fixed the vulnerability in its January 2022 update, but exploitation remains possible because the affected, validly signed binaries have not been added to the UEFI revocation list (the dbx variable). Secure Boot only checks that a binary carries a trusted signature and is not explicitly revoked, so an attacker can bring along an old, vulnerable copy of the signed boot manager and the firmware will still run it.
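To make the revocation-list point concrete, the following is an added example (not code from the original article or from any BlackLotus analysis) that parses a UEFI dbx variable and checks whether a boot binary's Authenticode SHA-256 hash has been revoked. The dbx is a chain of EFI_SIGNATURE_LIST structures as defined in the UEFI specification; the sample variable below is constructed inline with placeholder digests so the script runs offline. On a real Windows host the raw bytes come from `Get-SecureBootUEFI -Name dbx` in PowerShell, and the hash to look up is the PE image (Authenticode) hash, for example the PE256 value printed by Sysinternals `sigcheck -h`, not a plain SHA-256 of the file.

```python
"""Parse a UEFI forbidden-signature database (dbx) and check revocations.

Added example, not part of the original article. The sample dbx is
constructed below from placeholder digests; no real boot manager hashes
are included.
"""

import hashlib
import struct
import uuid
from typing import List, Set, Tuple

# Signature-type GUIDs defined in the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
_LIST_HDR = "<16sIII"
_LIST_HDR_LEN = struct.calcsize(_LIST_HDR)  # 28 bytes
_OWNER_LEN = 16  # each EFI_SIGNATURE_DATA starts with a SignatureOwner GUID


def strip_efivars_prefix(raw: bytes) -> bytes:
    """Linux efivarfs prepends a 4-byte attributes field; Windows' Get-SecureBootUEFI does not."""
    return raw[4:]


def parse_signature_lists(dbx: bytes) -> List[Tuple[uuid.UUID, List[bytes]]]:
    """Walk the EFI_SIGNATURE_LIST chain and return (type GUID, [payloads]) per list."""
    lists = []
    off = 0
    while off < len(dbx):
        if len(dbx) - off < _LIST_HDR_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = struct.unpack_from(_LIST_HDR, dbx, off)
        body_len = list_size - _LIST_HDR_LEN - hdr_size
        if body_len < 0 or off + list_size > len(dbx):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= _OWNER_LEN or body_len % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        body = dbx[off + _LIST_HDR_LEN + hdr_size : off + list_size]
        # Drop the SignatureOwner GUID of every EFI_SIGNATURE_DATA entry, keep the payload.
        payloads = [body[i + _OWNER_LEN : i + sig_size] for i in range(0, body_len, sig_size)]
        lists.append((uuid.UUID(bytes_le=raw_type), payloads))
        off += list_size
    return lists


def revoked_sha256_hashes(dbx: bytes) -> Set[bytes]:
    """All EFI_CERT_SHA256 entries, i.e. revoked Authenticode image hashes."""
    return {h for t, payloads in parse_signature_lists(dbx) if t == EFI_CERT_SHA256_GUID for h in payloads}


def is_revoked(dbx: bytes, authenticode_sha256_hex: str) -> bool:
    """True if the given PE Authenticode SHA-256 (hex) is listed in dbx."""
    return bytes.fromhex(authenticode_sha256_hex) in revoked_sha256_hashes(dbx)


def build_signature_list(sig_type: uuid.UUID, payloads: List[bytes],
                         owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST; used here only to construct sample data."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("all entries in one signature list must have the same size")
    sig_size = _OWNER_LEN + sizes.pop()
    body = b"".join(owner.bytes_le + p for p in payloads)
    return struct.pack(_LIST_HDR, sig_type.bytes_le, _LIST_HDR_LEN + len(body), 0, sig_size) + body


# Constructed sample dbx: two revoked image hashes plus one revoked certificate.
# The digests are placeholders, not hashes of any real boot manager.
REVOKED_A = hashlib.sha256(b"constructed: revoked boot manager A").digest()
REVOKED_B = hashlib.sha256(b"constructed: revoked boot manager B").digest()
FAKE_CERT_DER = b"\x30\x03\x02\x01\x00"  # placeholder DER blob, not a real certificate
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, [REVOKED_A, REVOKED_B])
    + build_signature_list(EFI_CERT_X509_GUID, [FAKE_CERT_DER])
)
# The article's point: a validly signed but vulnerable binary that is absent
# from dbx still passes Secure Boot's check.
STILL_TRUSTED = hashlib.sha256(b"constructed: signed but vulnerable boot manager").digest()

if __name__ == "__main__":
    for name, digest in [("boot manager A", REVOKED_A), ("vulnerable boot manager", STILL_TRUSTED)]:
        state = "revoked" if is_revoked(SAMPLE_DBX, digest.hex()) else "NOT revoked, still bootable"
        print(f"{name}: {state}")
```

Feeding the script a machine's real dbx and the PE256 hash of each boot manager found on its ESP tells you whether that particular copy is blocked or whether, as the article describes for CVE-2022-21894, it would still be accepted by Secure Boot.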

Once installed, the bootkit can disable OS security mechanisms such as BitLocker, HVCI (Hypervisor-protected Code Integrity) and Windows Defender. Its main goal is to deploy a kernel driver and an HTTP downloader that communicates with the command-and-control (C&C) server and can load additional user-mode or kernel-mode payloads.

In summary, BlackLotus is a dangerous and sophisticated bootkit: it bypasses UEFI Secure Boot on fully patched Windows 11 systems, disables security features such as BitLocker, HVCI and Windows Defender, and downloads further malicious payloads. Keep all Windows systems updated to the latest version and apply the UEFI revocation (dbx) updates that add the vulnerable boot manager binaries to the revocation list as they become available; until those binaries are revoked on a given machine, a current patch level alone does not prevent this bypass.
