This week, Secure Boot defense has its first publicly known stealthy Unified Extensible Firmware Interface (UEFI) bootkit malware (BlackLotus) capable of bypassing its security. The malware suddenly became a significant threat with the discovery by ESET stating the bootkitâs capability of effectively running on an up-to-date Windows 11 system. The UEFI bootkit operation mode starts with a deployment in the system firmware and complete control over the operating system boot process. This leads to disabling the OS-level security mechanism and deploying a payload with high privileges during startup. This mode of operation allows a threat actor to carry out some actions without physical access.
Security experts have revealed that the malware exploits Baton Drop (CVE-2022-21894), a vulnerability in Windows: 8.1 – 11 21H2 and Windows Server: 2012 – 2022 that exists because of an error in Secure Boot implementation, which can allow a local user to bypass implemented security restrictions. This vulnerability can be used to navigate around the UEFI Secure Boot protection and gain persistence. In an attempt to provide a solution, Microsoft released a security patch in January 2022, which was believed to have addressed the situation. However, in October 2022, Sergey Lozhkin, a Kaspersky security researcher, described BlackLotus as âa sophisticate crimeware solution.â
Despite Microsoft addressing the vulnerability, there are speculations of further exploitations due to the existence of the validly signed binaries outside the UEFI revocation list. This implies that the malware could bring back its copies of legitimate yet vulnerable binaries to a system to aid the exploitation of its vulnerability in a new attack mode called BYOVD (Bring Your Own Vulnerability Driver).
The malware remains a threat, with little knowledge of its functionality in deploying the bootkit. However, it was analyzed to initialize an installer component responsible for writing the files to the EFI system partition, turning off security mechanisms like BitLocker, Hypervisor-protected Code Integrity (HVCI), and Windows Defender. The process is followed by rebooting the host and weaponizing the CVE-2022-21894 to achieve persistence and automatically aid execution on every restart to deploy the kernel driver.
