Threat Deep Dive: BlackLotus

What is BlackLotus?

BlackLotus is a stealthy Unified Extensible Firmware Interface (UEFI) bootkit, a class of malware that subverts the boot process and can bypass Secure Boot defenses, making it a potent threat in the cyber landscape. Secure Boot is a security feature of modern firmware that ensures only trusted software is loaded during the boot process: before a boot loader or any other UEFI executable runs, the firmware checks its digital signature against the keys in its allowed database (db) and rejects anything whose certificate or hash appears in the forbidden database (dbx). Unsigned or revoked code is therefore blocked from running at boot time.*

BlackLotus was first advertised for sale on hacking forums in October 2022, and it is the first publicly known malware able to bypass Secure Boot on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled; a detailed technical analysis of a sample was published by ESET in March 2023.

UEFI bootkits take control of the operating system (OS) boot process before the OS starts. Some are implanted in the system firmware itself; BlackLotus instead lives on the EFI System Partition (ESP), where it inserts itself into the boot loader chain. Either way, code running at this stage starts before every OS-level defense, so an attacker can disable those defenses and deploy arbitrary payloads during startup with the highest privileges.**

BlackLotus is offered for sale at $5,000 (plus $200 for each subsequent version) and is written in Assembly and C. The on-disk bootkit is about 80 kilobytes in size, and it includes geofencing that stops it from infecting computers in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, and Ukraine.

BlackLotus Technical Details:

BlackLotus exploits a security flaw in the Windows Boot Manager tracked as CVE-2022-21894 (a.k.a. Baton Drop) to get around UEFI Secure Boot protections and set up persistence. Microsoft addressed the vulnerability in its January 2022 Patch Tuesday update, but the fix shipped new boot manager binaries without revoking the old, still validly signed ones: their hashes were not added to the Secure Boot forbidden database (dbx), so firmware continues to accept them. Successful exploitation allows arbitrary code execution during early boot phases, permitting a threat actor to carry out malicious actions on a system with UEFI Secure Boot enabled without having physical access to it.

BlackLotus takes advantage of this by bringing its own copies of the legitimate but vulnerable boot manager binaries to the system and exploiting them there. This is the boot-time counterpart of Bring Your Own Vulnerable Driver (BYOVD): instead of a signed kernel driver, the attacker ships a signed but unrevoked boot component, and the lesson for defenders is the same, namely that a patch does not help until the vulnerable signed binary is actually revoked.
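The revocation check that decides whether such a signed-but-vulnerable boot manager is still accepted is a lookup in the dbx variable, which holds concatenated EFI_SIGNATURE_LIST structures. The parser below is an added example (not code from this page, from ESET, from Microsoft or from BlackLotus) that reads such a blob and tests whether a given digest is revoked; the sample dbx, its owner GUID and its digests are constructed for the demonstration. It is the check a practitioner would run to confirm that a host's dbx really contains the hashes a vendor says it has revoked.

```python
"""Parse a UEFI dbx (forbidden signature database) blob and check whether a
given Authenticode SHA-256 digest is revoked.

Added example, not code from the original page or from BlackLotus.  The
sample dbx below is constructed; real dbx entries for Windows boot managers
are Authenticode (PE image) digests, not plain hashes of the file bytes.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# sizeof(EFI_SIGNATURE_LIST) header: one GUID plus three UINT32 fields.
_LIST_HDR = struct.Struct("<16sIII")


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner, data) for every EFI_SIGNATURE_DATA entry.

    Layout of each EFI_SIGNATURE_LIST (lists are concatenated in the variable):
        EFI_GUID SignatureType; UINT32 SignatureListSize;
        UINT32 SignatureHeaderSize; UINT32 SignatureSize;
        UINT8  SignatureHeader[SignatureHeaderSize];
        EFI_SIGNATURE_DATA Signatures[]   # each: EFI_GUID SignatureOwner + data
    """
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        body = blob[off + _LIST_HDR.size + hdr_size: off + list_size]
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize")
        sig_type = uuid.UUID(bytes_le=type_raw)
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size


def revoked_sha256_digests(blob: bytes) -> set:
    """Hex digests of every EFI_CERT_SHA256 entry in the blob."""
    return {data.hex() for t, _, data in parse_signature_lists(blob)
            if t == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, authenticode_sha256_hex: str) -> bool:
    """True if the given PE Authenticode digest is listed in dbx."""
    return authenticode_sha256_hex.lower() in revoked_sha256_digests(blob)


def build_signature_list(sig_type: uuid.UUID, entries) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST; entries are (owner_uuid, data) with
    equal-length data, because SignatureSize is fixed per list."""
    sig_size = 16 + len(entries[0][1])
    body = b"".join(owner.bytes_le + data for owner, data in entries)
    return _LIST_HDR.pack(sig_type.bytes_le, _LIST_HDR.size + len(body), 0, sig_size) + body


def load_efivar(path: str) -> bytes:
    """Read dbx from Linux efivarfs, e.g.
    /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f;
    the first four bytes there are variable attributes, not signature data.
    On Windows the same bytes come from (Get-SecureBootUEFI -Name dbx).Bytes."""
    with open(path, "rb") as f:
        return f.read()[4:]


# --- constructed sample: a dbx with two revoked image digests and one cert ---
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")   # constructed owner GUID
REVOKED_IMAGE_A = hashlib.sha256(b"constructed vulnerable bootmgr A").digest()
REVOKED_IMAGE_B = hashlib.sha256(b"constructed vulnerable bootmgr B").digest()
NOT_REVOKED = hashlib.sha256(b"constructed patched bootmgr").digest()
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID,
                         [(OWNER, REVOKED_IMAGE_A), (OWNER, REVOKED_IMAGE_B)])
    + build_signature_list(EFI_CERT_X509_GUID, [(OWNER, b"not-a-real-DER-certificate")])
)

if __name__ == "__main__":
    print("entries:", len(list(parse_signature_lists(SAMPLE_DBX))))
    print("A revoked:", is_revoked(SAMPLE_DBX, REVOKED_IMAGE_A.hex()))
    print("patched revoked:", is_revoked(SAMPLE_DBX, NOT_REVOKED.hex()))
```

On Linux the live variable is readable through efivarfs (see load_efivar); on Windows `(Get-SecureBootUEFI -Name dbx).Bytes` returns the same bytes. Note that the digests dbx stores for PE images are Authenticode digests, computed over the image with the checksum and certificate table excluded, so a plain SHA-256 of the file will not match a real entry; compute the Authenticode digest of the boot manager first, then pass that to is_revoked.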

Besides being equipped to turn off security mechanisms like BitLocker, Hypervisor-protected Code Integrity (HVCI), and Windows Defender, BlackLotus is also engineered to drop a kernel driver and a Hypertext Transfer Protocol (HTTP) downloader that communicates with a command-and-control (C2) server to retrieve additional user-mode or kernel-mode malware.

The initial infection vector used to deploy the bootkit is unknown, but the chain starts with an installer component, run with administrator privileges, that writes the bootkit's files to the EFI System Partition, disables HVCI and BitLocker, and reboots the host. BitLocker is turned off because a tampered boot chain would otherwise trip BitLocker recovery and reveal the change. After the restart, CVE-2022-21894 is exploited to bypass Secure Boot and enroll the attacker's own key in the Machine Owner Key (MOK) list, so that a legitimately signed shim loader accepts the self-signed bootkit; from then on the bootkit is executed on every system start and deploys the kernel driver.
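The installer's pre-reboot behaviour (HVCI switched off in the registry, BitLocker disabled, the ESP written to, then a reboot) is visible to OS-level telemetry even though the bootkit stage that follows is not. The script below is an added example, not BlackLotus code and not a published detection rule: it runs a simple correlation over constructed Sysmon-style events (event 13, registry value set; event 1, process creation). The HVCI registry path is the real one; the specific commands used for the BitLocker and ESP steps (manage-bde -protectors -disable, mountvol /S) are assumptions about how an installer might perform those steps, not the bootkit's documented commands, so treat them as a starting point for your own rule.

```python
"""Correlate the BlackLotus installer's pre-reboot sequence (HVCI off,
BitLocker off, ESP mounted, reboot) in Sysmon-style JSON events.

Added example with constructed log lines; not BlackLotus code and not a
vendor detection rule.  The BitLocker and ESP command lines are assumed
installer behaviour, not the bootkit's documented commands.
"""
import json
from datetime import datetime, timedelta

# Real registry value that controls HVCI (Device Guard); 0 disables it.
HVCI_ENABLED_VALUE = (r"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard"
                      r"\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled")

# Constructed Sysmon-like telemetry (not real logs): ws01 shows the full
# installer sequence, ws02 only a reboot, ws03 a benign HVCI *enable*.
SAMPLE_LOG = r"""
{"EventID": 13, "UtcTime": "2023-03-01 10:00:01", "Computer": "ws01", "Image": "C:\\Users\\alice\\Downloads\\setup.exe", "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled", "Details": "DWORD (0x00000000)"}
{"EventID": 1, "UtcTime": "2023-03-01 10:00:02", "Computer": "ws01", "Image": "C:\\Windows\\System32\\manage-bde.exe", "CommandLine": "manage-bde -protectors -disable C:"}
{"EventID": 1, "UtcTime": "2023-03-01 10:00:03", "Computer": "ws01", "Image": "C:\\Windows\\System32\\mountvol.exe", "CommandLine": "mountvol X: /S"}
{"EventID": 1, "UtcTime": "2023-03-01 10:00:09", "Computer": "ws01", "Image": "C:\\Windows\\System32\\shutdown.exe", "CommandLine": "shutdown /r /t 0"}
{"EventID": 1, "UtcTime": "2023-03-01 11:30:00", "Computer": "ws02", "Image": "C:\\Windows\\System32\\shutdown.exe", "CommandLine": "shutdown /r /t 0"}
{"EventID": 13, "UtcTime": "2023-03-01 12:00:00", "Computer": "ws03", "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity\\Enabled", "Details": "DWORD (0x00000001)"}
"""


def classify(ev: dict):
    """Map one event to an indicator name, or None if it is uninteresting."""
    if ev.get("EventID") == 13:
        if (ev.get("TargetObject", "").lower() == HVCI_ENABLED_VALUE.lower()
                and "0x00000000" in ev.get("Details", "")):
            return "hvci_disabled"
        return None
    if ev.get("EventID") == 1:
        cmd = ev.get("CommandLine", "").lower()
        argv = cmd.split()
        if "manage-bde" in cmd and "-protectors" in argv and "-disable" in argv:
            return "bitlocker_protectors_disabled"      # assumed installer step
        if "mountvol" in cmd and "/s" in argv:
            return "esp_mounted"                        # assumed installer step
        if "shutdown" in cmd and "/r" in argv:
            return "reboot"
    return None


def parse_log(text: str) -> list:
    """Parse newline-delimited JSON events and attach a datetime."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["_t"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return events


def detect(events: list, window: timedelta = timedelta(minutes=15),
           min_indicators: int = 3) -> dict:
    """Return {computer: sorted indicators} for hosts where at least
    `min_indicators` distinct indicators occur within `window` of each other.
    Requiring several indicators keeps a lone reboot or a legitimate
    BitLocker suspension (e.g. before a firmware update) from alerting."""
    by_host = {}
    for ev in events:
        ind = classify(ev)
        if ind:
            by_host.setdefault(ev["Computer"], []).append((ev["_t"], ind))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = {ind for t, ind in hits[i:] if t - t0 <= window}
            if len(seen) >= min_indicators:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for host, inds in detect(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {', '.join(inds)}")
```

Feed it real Sysmon or EDR events exported as JSON lines and tune the window and threshold to your environment; the reboot alone is noise, the HVCI disable alone is rare but legitimate during some driver installs, and it is the combination within minutes that is characteristic of a bootkit installer.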

The driver launches the user-mode HTTP downloader and runs next-stage kernel-mode payloads; the downloader, in turn, executes commands received from the C2 server over HTTPS. These include downloading and executing a kernel driver, DLL, or regular executable, fetching bootkit updates, and even uninstalling the bootkit from the infected system.

Cyber Threat Intelligence Implications:

The implications of BlackLotus are significant for cyber threat intelligence, as it is the first publicly known malware that can bypass Secure Boot defenses, which are an essential security feature in modern systems. Cybersecurity experts must understand the modus operandi of BlackLotus and similar bootkits to identify their tactics, techniques, and procedures (TTPs) to counteract them.

As BlackLotus bypasses UEFI Secure Boot protections, it allows attackers to disable operating system-level security mechanisms, deploy arbitrary payloads during startup with high privileges, and gain full control over the system. Cyber threat intelligence analysts must investigate vulnerabilities in UEFI systems and their supply chains to identify risks and anticipate attacks.

BlackLotus is sold and maintained as a product, with versioned updates and a C2 framework, and it persists across reboots below the OS, making it a potent tool for cybercriminals. Its geofencing indicates that its operators choose targets deliberately. Cyber threat intelligence analysts must understand the risk landscape, including the broader pattern of attackers bringing their own signed but vulnerable components (BYOVD and its boot-time equivalent), to predict and prevent such threats.

BlackLotus is written in Assembly and C, which is unsurprising for boot-stage code: before the OS loads there is no runtime and no OS services, so only languages that compile to bare native code are usable there. Assembly and C are low-level languages that interact directly with hardware, versus higher-level languages like Python, Java, or C#, and Assembly in particular gives fine-grained control over registers and memory. The choice of language does not by itself indicate sophistication, but writing a working UEFI bootkit, a Secure Boot bypass, and a kernel driver in them shows that its creators understand the boot process and kernel internals well, and such actors are capable of producing further low-level malware.

Analyzing BlackLotus requires comfort with these languages and with UEFI and Windows boot internals, which limits the pool of researchers who can reverse engineer it quickly. Its resistance to detection, however, comes not from the language it is written in but from where it runs: the bootkit executes before the OS, so antivirus and endpoint agents that start later never observe the boot-time stage and see only its downstream effects, such as the dropped driver, the disabled security features, and the C2 traffic.

Finally, BlackLotus exploits a flaw that Microsoft addressed in its January 2022 Patch Tuesday update, yet the bootkit still worked on patched systems because the vulnerable, signed boot managers were never revoked. Microsoft later published separate guidance (KB5025885, associated with CVE-2023-24932) for applying Windows Boot Manager revocations, which must be rolled out deliberately because they can make older boot and recovery media unbootable. As cybercriminals become more sophisticated, cyber threat intelligence analysts must keep pace with their evolving tactics, techniques, and procedures, and must check not only that patches are installed but that the revocations a patch depends on have actually been applied.

Mitigation:

Mitigating a bootkit like BlackLotus that can run on even fully up-to-date Windows 11 systems with UEFI Secure Boot enabled is a challenging task. However, there are several steps that organizations and individuals can take to reduce the risk of a successful attack:

  • Keep systems up to date, including firmware: apply OS security patches and UEFI firmware updates from the hardware vendor. For BlackLotus specifically, also deploy the Windows Boot Manager revocations Microsoft describes in KB5025885, since the January 2022 patch alone leaves the vulnerable signed boot managers bootable.
  • Use security software: antivirus, endpoint detection and response, and intrusion detection can catch the user-mode installer, the HVCI and BitLocker changes it makes, the dropped kernel driver, and the HTTPS C2 traffic, even though they cannot observe the bootkit stage itself.
  • Keep Secure Boot enabled and verify it: Secure Boot is the foundation the revocations build on. Confirm it is on (Confirm-SecureBootUEFI on Windows) and check that the dbx has actually been updated rather than assuming the patch did it. Where the hardware allows, use TPM-backed measured boot and remote attestation so that a changed boot chain is reported rather than silently accepted.
  • Limit administrative access: the installer needs local administrator rights, so enforce least privilege, multi-factor authentication, and strong password policies to deny attackers the foothold the installer requires. These controls cannot help once the bootkit is installed, because the kernel driver runs with full privileges.
  • Implement network segmentation and egress filtering: contain a compromised host, limit its ability to move laterally, and make the C2 channel easier to spot and block.
  • Conduct regular security assessments, including inspection of the EFI System Partition for unexpected or recently modified boot files and a review of which hosts have HVCI or BitLocker unexpectedly disabled.

It is important to note that while these measures can help reduce the risk of a successful attack, they cannot completely eliminate the threat of a bootkit like BlackLotus. Cybersecurity experts must remain vigilant and continue to monitor the threat landscape to detect and respond to emerging threats. For more updates on BlackLotus and other emerging threats, follow our Threat Intelligence Hub and Threat Research pages.

Appendix:

* Bypassing Secure Boot means that an attacker can install and run unauthorized code on a system during the boot process. This can be achieved by exploiting vulnerabilities in the firmware or bootloader, or by abusing a component that carries a valid signature but contains an exploitable flaw, which is what BlackLotus does. Once the attacker has bypassed Secure Boot, they can gain full control over the system, disable OS-level security mechanisms, and deploy arbitrary payloads with high privileges. This can allow attackers to install malware, steal data, or carry out other malicious activities without being detected. Bypassing Secure Boot is a serious security risk, and it can be challenging to detect and mitigate.

** Unified Extensible Firmware Interface (UEFI) is a more modern firmware interface that has replaced the legacy Basic Input/Output System (BIOS) firmware interface in modern computer systems. UEFI offers several benefits over BIOS, including faster boot times, larger disk support, improved compatibility, and support for modern features.

