The builders of the BlackLotus UEFI bootkit have improved the malware with Safe Boot bypass capabilities that permit it to contaminated even totally patched Home windows 11 techniques.

BlackLotus is the primary public instance of UEFI malware that may keep away from the Safe Boot mechanism, thus having the ability to disable safety protections that include the working system.

The malware may very well be used to impair the BitLocker information safety function, the Microsoft Defender Antivirus, and the Hypervisor-protected Code Integrity (HVCI) – often known as the Reminiscence Integrity function that protects towards makes an attempt to use the Home windows Kernel.

The Unified Extensible Firmware Interface (UEFI) is the software program that connects the working system with the {hardware} that runs it.

It’s low-level code that executes when the pc powers up and dictates the booting sequence earlier than the working system begins any of its routines.

BlackLotus commodity bootkit

The BlackLotus UEFI malware emerged final yr promoted on hacking boards with a function set that makes it nearly invisible to antivirus brokers put in on the compromised host.

The advertiser mentioned that the malware takes solely 80kb after set up and the price of a license was $5,000, though rebuilds had been accessible for simply $200.

In a report this week, safety researchers at ESET confirmed that the malware features precisely as marketed and it may bypass the Safe Boot mechanism by leveraging a vulnerability from final yr tracked as CVE-2022-21894.

Extra details about why the safety updates for CVE-2022-21894 do not block this malware is offered beneath.

Their investigation began from an HTTP downloader that turned out to be the BlackLotus UEFI bootkit user-mode part, which communicates with the command and management (C2) server and may load different payloads (consumer/kernel-mode).

BlackLotus an infection chain

ESET malware researcher Martin Smolár notes that the assault begins with executing an installer that deploys the bootkit’s information to the EFI system partition, disables the HVCI and BitLocker protections, and reboots the host.

The attacker depends on reputable binaries susceptible to CVE-2022-21894 (Home windows Hypervisor Loader, Home windows Boot Supervisor, PE binaries) and their customized Boot Configuration Information (BCD).

Persistence on machines with UEFI Safe Boot enabled is achieved after the preliminary reboot by exploiting CVE-2022-21894 and enrolling the attacker’s Machine Proprietor Key (MOK).

The self-signed UEFI bootkit is launched after one other reboot and the malicious kernel driver and the HTTP downloader are deployed to finish the malware set up.

Among the many artifacts found within the BlackLotus code there are references to the Higurashi When They Cry anime collection, together with the names of two parts and the issuer of the self-signed certificates for the bootkit binary.

One other reference the writer of BlackLotus left within the malware code is in unused strings that decrypt into messages to Polish malware analyst Aleksandra Doniec.

Bug patched, safety danger persists

ESET says that the BlackLotus installer might be both on-line or offline, the distinction between them is that the offline variants carry the susceptible Home windows binaries.

The net model of the installer downloads the Home windows binaries “straight from the Microsoft image retailer.”

The researchers noticed the three information beneath being abused by the bootkit:

• https://msdl.microsoft.com/obtain/symbols/bootmgfw.efi/7144BCD31C0000/bootmgfw.efi
• https://msdl.microsoft.com/obtain/symbols/bootmgr.efi/98B063A61BC000/bootmgr.efi
• https://msdl.microsoft.com/obtain/symbols/hvloader.efi/559F396411D000/hvloader.Efi

Smolár explains that exploiting CVE-2022-21894 is what permits BlackLotus to bypass Safe Boot and set up persistence after disabling HVCI (to load unsigned kernel code) and BitLocker (to permit modifying the boot chain with out triggering the restoration process on techniques with the Trusted Platform Module (TPM) {hardware} part):

1. Exploiting CVE-2022-21894 to permit bypassing Safe Boot and putting in the bootkit. Arbitrary code can then be executed in early boot phases, the place the platform remains to be owned by firmware and UEFI Boot Providers features are nonetheless accessible. This permits attackers to do many issues that they shouldn’t be capable of do on a machine with UEFI Safe Boot enabled with out having bodily entry to it, resembling modifying Boot-services-only NVRAM variables. And that is what attackers benefit from to arrange persistence for the bootkit within the subsequent step.
2. Setting persistence by writing its personal MOK to the MokList, Boot-services-only NVRAM variable. By doing this, it may use a reputable Microsoft-signed shim for loading its self-signed (signed by the personal key belonging to the important thing written to MokList) UEFI bootkit as a substitute of exploiting the vulnerability on each boot.

To notice, proof of idea (PoC) exploit code for CVE-2022-21894 has been publicly accessible for greater than half a yr, since August 2022. Nevertheless, the safety problem has been largely ignored.

Microsoft addressing the vulnerability in June 2022 was not sufficient to shut the safety hole as a result of the UEFI DBX (UEFI revocation record) has but to be up to date with the untrusted keys and binary hashes utilized in booting techniques which have Safe Boot enabled.

Final yr, researchers disclosed a number of UEFI vulnerabilities [1, 2] that may be leveraged to disable Safe Boot. Nevertheless, a few of them can nonetheless be exploited resulting from distributors not supporting affected units, incorrect patching, or not patching in any respect.

Smolár says that these failures had been certain to draw the eye of a menace actor and result in the creation of a highly-capable UEFI bootkit.

UEFI malware

UEFI bootkits are on the reverse finish of run-of-the-mill malware. They’re uncommon findings seen in assaults attributed to superior menace actors engaged on behalf of a nation-state.

Though proof-of-concept bootkits have existed since 2013 (e.g. DreamBoot) and malicious EFI bootloaders that prevented the machine from booting had been present in 2020, the record of full-blown bootkits utilized in real-world assaults is extremely brief:

• FinSpy – a part of the homonymous surveillance toolset (a.okay.a. FinFisher, WingBird)
• ESPecter – a patched Home windows Boot Supervisor on the EFI (Extensible Firmware Interface) system partition
• CosmicStrand/Spy Shadow Trojan – a UEFI menace that hid within the firmware photos of ASUS and Gigabyte motherboards to deploy a kernel-level implant each time the compromised Home windows machine booted

The data for the bigger class of UEFI malware, which additionally consists of rootkits or firmware implants, shouldn’t be a lot bigger.

In 2018 ESET uncovered the LoJax UEFI rootkit utilized by the Russian hackers within the APT28 group (Sednit/Fancy Bear/Sofacy).

Two years later, Kaskpersky revealed a report concerning the MosaicRegressor rootkit that served Chinese language-speaking hackers in information theft and espionage operations in 2019.

In early 2022, one other UEFI firmware implant was disclosed. MoonBounce was attributed to the Chinese language-speaking group APT41/Winnti.

Nevertheless, BlackLotus is the primary ever publicly disclosed UEFI bootkit that bypasses Safe Boot and is related to the cybercriminal world.