Security firm ESET’s cybersecurity researchers have shared their analysis of the world’s first UEFI bootkit being used in the wild, which can bypass Secure Boot on fully-updated UEFI systems. It can even bypass it on fully-updated Windows 10 and 11 versions.
ESET’s Deep-Dive Analysis of UEFI Bootkit
According to the researchers, the sample carries no indication of who created it or what it is called, but they concluded that it corresponds to the BlackLotus bootkit. This bootkit has been promoted in underground cybercrime forums since 2022 for $5,000, with an additional $200 for updates.
Understanding BlackLotus Capabilities
BlackLotus is written in assembly and C, which lets its developers pack a suite of powerful features into an 80 KB file. It disables not only Secure Boot but also other OS security mechanisms, including Hypervisor-protected Code Integrity (HVCI), BitLocker, and Windows Defender.
The bootkit can run on fully-updated systems running Windows 11 with UEFI Secure Boot enabled. It targets the Unified Extensible Firmware Interface (UEFI), the low-level firmware layer responsible for booting modern computers; the UEFI bridges the computer’s firmware and the OS while serving as an OS itself.
Because the UEFI firmware lives in the SPI-connected flash chip on the computer’s motherboard, it is extremely hard to inspect or patch. This is also what distinguishes BlackLotus from bootkits such as MoonBounce, CosmicStrand, and MosaicRegressor: those target the UEFI firmware stored in the flash chip, whereas BlackLotus targets the software in the EFI system partition.
How Does BlackLotus Defeat Secure Boot?
The bypass is achieved by exploiting a vulnerability that affects all supported versions of Microsoft Windows and was patched in January 2022. It is tracked as CVE-2022-21894. This is a logic flaw, dubbed “Baton Drop” by the researcher who discovered it, which can be exploited to remove Secure Boot functions entirely from the boot sequence when the PC starts.
Threat actors can exploit this flaw to obtain keys for BitLocker, which encrypts hard drives. For the BlackLotus creators, the flaw has proven immensely useful because, despite being patched, the vulnerable signed binaries have not yet been added to the UEFI revocation list, the list that flags untrusted boot files.
According to the researchers, hundreds of vulnerable bootloaders are currently in use, and revoking these signed binaries would render millions of devices useless. This is why fully updated devices remain vulnerable: threat actors can replace the patched binaries with the vulnerable, older versions.
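The revocation list mentioned above is the UEFI `dbx` variable, a concatenation of EFI_SIGNATURE_LIST structures in which SHA-256 entries hold the Authenticode hash of a revoked PE image. The following parser is an added example (not ESET's analysis code and not part of the bootkit) that reads such a blob and answers the defender's question at the heart of this section: is a given bootloader hash actually revoked? The `dbx` blob, the owner GUID and the hashes used here are constructed for the demonstration; on a real system the blob comes from firmware (on Linux, the `dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` file under efivarfs, after stripping its 4-byte attribute prefix), and the hash to check must be the Authenticode image hash of the bootloader, not a plain hash of the file on disk.

```python
"""Parse a UEFI dbx blob (EFI_SIGNATURE_LIST chain) and check a loader hash.

Added example; the blob below is constructed, not a real dbx export.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header after the type GUID: SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian UINT32).
_LIST_HDR = struct.Struct("<III")
_LIST_HDR_LEN = 16 + _LIST_HDR.size  # GUID + three UINT32 = 28 bytes


def parse_signature_lists(blob: bytes) -> list[tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Return (signature_type, owner, signature_data) for every entry in the blob.

    Size fields are validated so a truncated or malformed variable raises
    instead of being silently misread as "nothing revoked".
    """
    entries = []
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < _LIST_HDR_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, offset + 16)
        body_start = offset + _LIST_HDR_LEN + hdr_size
        body_end = offset + list_size
        if body_end > len(blob) or body_start > body_end or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        if (body_end - body_start) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for pos in range(body_start, body_end, sig_size):
            # Each EFI_SIGNATURE_DATA is an owner GUID followed by the data.
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
        offset = body_end
    return entries


def revoked_sha256_hashes(blob: bytes) -> set[bytes]:
    """Collect the SHA-256 image hashes the list revokes (X.509 entries are skipped)."""
    return {data for sig_type, _owner, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, authenticode_sha256: bytes) -> bool:
    """True if the given Authenticode SHA-256 hash is denied by the list."""
    return authenticode_sha256 in revoked_sha256_hashes(blob)


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, signatures: list[bytes]) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST (used only to construct test data)."""
    sig_size = 16 + len(signatures[0])
    if any(len(s) != sig_size - 16 for s in signatures):
        raise ValueError("all entries in one list must share SignatureSize")
    body = b"".join(owner.bytes_le + s for s in signatures)
    return sig_type.bytes_le + _LIST_HDR.pack(_LIST_HDR_LEN + len(body), 0, sig_size) + body


# Constructed stand-ins for Authenticode hashes; they are not real bootloader hashes.
OLD_BOOTMGR_HASH = hashlib.sha256(b"constructed: old vulnerable bootmgfw.efi").digest()
NEW_BOOTMGR_HASH = hashlib.sha256(b"constructed: patched bootmgfw.efi").digest()
OTHER_HASH = hashlib.sha256(b"constructed: some other loader").digest()


def sample_dbx() -> bytes:
    """A constructed dbx: one SHA-256 list with two hashes plus one X.509 list."""
    owner = uuid.uuid5(uuid.NAMESPACE_DNS, "constructed-owner.example")
    return (build_signature_list(EFI_CERT_SHA256_GUID, owner, [OLD_BOOTMGR_HASH, OTHER_HASH])
            + build_signature_list(EFI_CERT_X509_GUID, owner, [b"constructed DER certificate bytes"]))


if __name__ == "__main__":
    blob = sample_dbx()
    print("entries:", len(parse_signature_lists(blob)))
    print("old loader revoked:", is_revoked(blob, OLD_BOOTMGR_HASH))
    print("patched loader revoked:", is_revoked(blob, NEW_BOOTMGR_HASH))
```

Run against a real export, the interesting result is the negative one: a vulnerable, still-signed bootloader whose hash is absent from the list is exactly the binary that can be written back onto a fully patched machine, which is the gap this section describes. The parser deliberately rejects malformed size fields rather than returning an empty set, since an empty result would otherwise be indistinguishable from "nothing is revoked".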
Why Are UEFI Bootkits a Threat?
UEFI bootkits are powerful threats because code running at the UEFI level has complete control over the operating system’s boot process. That is how the bootkit can disable various OS security mechanisms and deploy its own kernel-mode and user-mode payloads in the early stages of OS startup, letting attackers operate stealthily with high privileges.
How Is the Bootkit Deployed?
How the bootkit is initially delivered is unclear, but the attack chain involves an installer component that writes files to the EFI system partition, disables HVCI and BitLocker, and then reboots the host.
BlackLotus disables protection solutions in order to deploy a kernel driver, which protects the bootkit’s files against deletion, and an HTTP loader. The bootloader, in turn, establishes communication with the control server and executes the payload.
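Because the installer described above has to write to the EFI system partition (ESP) to get its loader executed at boot, the ESP is a natural place for a defender to keep a content baseline. The script below is an added example (not ESET's tooling and not the bootkit's code): it snapshots every file under an ESP mount point with its SHA-256 and reports what was added, removed or modified since the baseline, singling out changed `.efi` binaries. The directory tree it operates on is constructed in a temporary folder; on a real host the root would be the mounted ESP (for example `/boot/efi` on Linux, or a drive letter assigned with `mountvol S: /S` on Windows) and the baseline would be stored off the machine.

```python
"""Baseline-and-diff integrity check for an EFI system partition.

Added example; the ESP tree below is constructed in a temp directory.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large images do not load whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot_esp(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_esp(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Compare two snapshots and list added, removed and modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def flag_boot_binaries(changes: dict[str, list[str]]) -> list[str]:
    """Changed EFI executables deserve the closest look: a boot-time loader has
    to be written or replaced on the ESP to run before the OS starts."""
    return sorted(p for key in ("added", "modified") for p in changes[key]
                  if p.lower().endswith(".efi"))


def demo() -> dict[str, list[str]]:
    """Build a constructed ESP, take a baseline, then simulate an installer's changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        boot = root / "EFI" / "Microsoft" / "Boot"
        boot.mkdir(parents=True)
        (boot / "bootmgfw.efi").write_bytes(b"constructed: current boot manager image")
        (boot / "BCD").write_bytes(b"constructed: boot configuration data")
        baseline = snapshot_esp(root)

        # Simulated installer activity (constructed): the boot manager is swapped
        # for a different image and an extra loader is dropped next to it.
        (boot / "bootmgfw.efi").write_bytes(b"constructed: older boot manager image")
        (boot / "dropped_loader.efi").write_bytes(b"constructed: extra loader")

        changes = diff_esp(baseline, snapshot_esp(root))
        changes["suspect_efi"] = flag_boot_binaries(changes)
        return changes


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

A hash baseline catches the swap of a patched boot manager for an older signed one even though both files carry valid signatures, which is precisely the case signature verification alone does not flag. Pair the diff with a check of the host's Secure Boot, HVCI and BitLocker status, since the installer in the chain above turns the latter two off before rebooting.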