'BlackLotus', a malware that bypasses Windows 11 UEFI Secure Boot and hijacks the PC, is found to be selling for less than 700,000 yen
UEFI is a software interface specification that replaces the conventional BIOS, and it defines a protocol called Secure Boot that checks whether the boot chain has been tampered with before the OS starts. Researchers at the cyber security company ESET have reported on a bootkit called 'BlackLotus', which is said to allow hackers to 'bypass the security protection of Windows 11, install malware, and take complete control of vulnerable PCs', and which is selling for $5,000 (about 680,000 yen).
BlackLotus UEFI bootkit: Myth confirmed | WeLiveSecurity
BlackLotus bootkit can bypass Windows 11 Secure Boot: ESET | CSO Online
It's official: BlackLotus malware can bypass secure boot • The Register
Dangerous BlackLotus bootkit can be used to hijack Windows 11 PCs | Tom's Guide
An ESET research team has announced that a UEFI bootkit called BlackLotus can bypass the security-critical feature UEFI Secure Boot and take full control of a vulnerable PC.
#ESETResearch analyze first in-the-wild UEFI bootkit bypassing UEFI Secure Boot even on fully updated Windows 11 systems. Its functionality indicates it is the #BlackLotus UEFI bootkit, for sale on hacking forums since at least Oct 6, 2022. @smolar_m https://t.co/mXSXksRisG 1/11 - ESET Research (@ESETresearch) March 1, 2023
UEFI Secure Boot is a protocol designed to ensure that the system boots only trusted software and firmware, preventing malware from running or an unauthorized OS from loading before the OS starts. BlackLotus is malware that bypasses Secure Boot by infecting the computer's boot process.
BlackLotus exploits a security vulnerability named CVE-2022-21894, discovered in December 2021, to bypass the UEFI Secure Boot process and establish persistence on the target PC. Microsoft released a patch for this vulnerability in January 2022, but according to ESET, hackers can still exploit it because the affected binaries have not been added to the UEFI revocation list, so Secure Boot still accepts the vulnerable, validly signed binaries that an attacker brings along.
Although the vulnerability was fixed in Microsoft's January 2022 update, its exploitation is still possible by bringing vulnerable drivers to the system, as the affected binaries have still not been added to the UEFI revocation list. https://t.co/eMAccxVNwM 3/11 - ESET Research (@ESETresearch) March 1, 2023
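A defender's check for the point ESET makes above: a patched binary is only blocked by Secure Boot once its hash appears in the dbx revocation list, so the useful question is "is this hash in dbx?" rather than "is the patch installed?". The following Python is added here and is not code from ESET or from the article; it parses the EFI_SIGNATURE_LIST entries of a dbx blob and tests whether a given SHA-256 hash is revoked, with the sample dbx and all hashes constructed for illustration.

```python
import hashlib
import struct
import uuid

# GUID marking an EFI_SIGNATURE_LIST whose entries are SHA-256 hashes of revoked binaries.
# UEFI stores GUIDs in mixed-endian form, which uuid.bytes_le reproduces.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328").bytes_le
SIG_LIST_HDR = struct.Struct("<III")   # SignatureListSize, SignatureHeaderSize, SignatureSize
SHA256_ENTRY = 16 + 32                 # SignatureOwner GUID + 32-byte hash

def parse_dbx(blob: bytes) -> set:
    """Collect every SHA-256 hash from a dbx blob (concatenated EFI_SIGNATURE_LISTs)."""
    hashes, off = set(), 0
    while off + 16 + SIG_LIST_HDR.size <= len(blob):
        sig_type = blob[off:off + 16]
        list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(blob, off + 16)
        data_start, data_end = off + 28 + hdr_size, off + list_size
        if list_size < 28 or data_end > len(blob) or data_start > data_end:
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        if sig_type == EFI_CERT_SHA256_GUID:
            if sig_size != SHA256_ENTRY or (data_end - data_start) % sig_size:
                raise ValueError("bad SignatureSize for SHA-256 list")
            for pos in range(data_start, data_end, sig_size):
                hashes.add(blob[pos + 16:pos + sig_size])  # skip the SignatureOwner GUID
        off += list_size   # other list types (x509 certificates etc.) are skipped, not parsed
    return hashes

def is_revoked(blob: bytes, sha256_hex: str) -> bool:
    """True if the given SHA-256 (Authenticode-style) hash appears in dbx."""
    return bytes.fromhex(sha256_hex) in parse_dbx(blob)

def build_sha256_list(hashes) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries; used here only to construct sample data."""
    owner = uuid.UUID(int=0).bytes_le
    body = b"".join(owner + h for h in hashes)
    return EFI_CERT_SHA256_GUID + SIG_LIST_HDR.pack(28 + len(body), 0, SHA256_ENTRY) + body

# Constructed sample: two made-up revoked hashes, and a third hash that is NOT in the list.
REVOKED_A = hashlib.sha256(b"constructed: revoked boot manager A").digest()
REVOKED_B = hashlib.sha256(b"constructed: revoked boot manager B").digest()
NOT_REVOKED = hashlib.sha256(b"constructed: patched but never revoked").digest()
SAMPLE_DBX = build_sha256_list([REVOKED_A]) + build_sha256_list([REVOKED_B])

if __name__ == "__main__":
    # On Linux, read /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f and
    # drop its 4-byte attribute prefix; on Windows, Get-SecureBootUEFI -Name dbx returns the bytes.
    print(len(parse_dbx(SAMPLE_DBX)), "hashes in sample dbx")
    print("revoked:", is_revoked(SAMPLE_DBX, REVOKED_A.hex()))      # True
    print("revoked:", is_revoked(SAMPLE_DBX, NOT_REVOKED.hex()))    # False
```

A hash that is absent, like NOT_REVOKED in the sample, is the situation the tweet describes: the binary may be patched, but firmware enforcing this dbx will still load the old signed copy.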
Additionally, BlackLotus can disable built-in Windows security protections such as Hypervisor-protected Code Integrity (HVCI), BitLocker, Windows Defender, and bypass User Account Control (UAC). 7/11 pic.twitter.com/kuPKMMs3uZ—ESET Research (@ESETresearch) March 1, 2023
The main purpose of BlackLotus is believed to be to deploy its own kernel driver on the computer, which among other things protects the bootkit against removal. BlackLotus also deploys an HTTP downloader that can load additional user-mode and kernel-mode payloads.
Once installed, the bootkit's main goal is to deploy a kernel driver (which, among other things, protects the bootkit against removal), and an HTTP downloader responsible for communication with the C&C and capable of loading additional user-mode or kernel-mode payloads 5/11 pic.twitter.com/3zwY703rGj—ESET Research (@ESETresearch) March 1, 2023
According to ESET, BlackLotus has been sold by hackers for $5,000 (about 680,000 yen) since around October 2022, and it has been pointed out that it may be used for hacking and spying activities against governments. Technology news media Tom's Guide said, 'BlackLotus is certainly dangerous, but ordinary hackers already have a lot of malware for general users. Therefore, BlackLotus could basically be used to target large companies and government agencies.'
ESET recommends keeping your system and security software up to date to protect your OS and PC from BlackLotus and other threats.