BlackLotus is a stealthy Unified Extensible Firmware Interface (UEFI) bootkit, a type of malware that can bypass Secure Boot defenses, which makes it a potent threat in the cyber landscape. UEFI bootkits are deployed in the system firmware and allow full control over the operating system (OS) boot process. Secure Boot is a security feature in modern computer systems that ensures that only trusted software is loaded during the boot process. It uses digital signatures to verify the integrity of the firmware and OS boot loaders before they are executed, preventing unauthorized code from running at boot time.*

BlackLotus first became publicly known in October 2022, and it is the first known malware that can bypass Secure Boot protections on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled. This allows attackers to disable OS-level security mechanisms and deploy arbitrary payloads during startup with high privileges.**

BlackLotus is offered for sale at $5,000 (and $200 per subsequent new version) and is written in Assembly and C. It is 80 kilobytes in size and features geofencing capabilities to avoid infecting computers in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, and Ukraine.

BlackLotus Technical Details:

BlackLotus exploits a security flaw tracked as CVE-2022-21894 (a.k.a. Baton Drop) to get around UEFI Secure Boot protections and set up persistence. The vulnerability was addressed by Microsoft as part of its January 2022 Patch Tuesday update.

BlackLotus takes advantage of this vulnerability by bringing its own copies of legitimate but vulnerable binaries to the system in order to exploit it. This effectively paves the way for Bring Your Own Vulnerable Driver (BYOVD) attacks. Successful exploitation of the vulnerability allows arbitrary code execution during early boot phases, permitting a threat actor to carry out malicious actions on a system with UEFI Secure Boot enabled without having physical access to it.

Besides being equipped to turn off security mechanisms like BitLocker, Hypervisor-protected Code Integrity (HVCI), and Windows Defender, BlackLotus is also engineered to drop a kernel driver and a Hypertext Transfer Protocol (HTTP) downloader that communicates with a command-and-control (C2) server to retrieve additional user-mode or kernel-mode malware.

The exact modus operandi used to deploy the bootkit is unknown, but it starts with an installer component that is responsible for writing the files to the EFI system partition, disabling HVCI and BitLocker, and then rebooting the host. The restart is followed by the weaponization of CVE-2022-21894 to achieve persistence and install the bootkit, after which it is automatically executed on every system start to deploy the kernel driver.
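The installer behaviour described above (files written to the EFI system partition, HVCI and BitLocker switched off before the reboot) gives a defender two things to check from inside Windows: the state of the protections BlackLotus targets, and whether anything on the EFI system partition has changed since a known-good baseline. The script below is an added example, not code from the original post or from any vendor; it assumes an elevated PowerShell session, a free drive letter `S:` for mounting the EFI partition, and a hypothetical baseline file path that you create first with the `-Baseline` switch.

```powershell
# Added defender-side check, not part of the original article.
# Run elevated on Windows 10/11. First run: .\esp-check.ps1 -Baseline
# Later runs compare the EFI system partition (ESP) against that baseline.
param(
    [string]$BaselinePath = "C:\ProgramData\esp-baseline.json",   # hypothetical path
    [switch]$Baseline
)

# 1. State of the protections the article says the installer disables.
$secureBoot  = Confirm-SecureBootUEFI
$dg          = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$hvciRunning = $dg.SecurityServicesRunning -contains 2      # 2 = HVCI is running
$osVolume    = Get-BitLockerVolume -MountPoint $env:SystemDrive
$bitlockerOn = $osVolume.ProtectionStatus -eq 'On'
$defenderRtp = (Get-MpComputerStatus).RealTimeProtectionEnabled

[pscustomobject]@{
    SecureBoot  = $secureBoot
    HVCI        = $hvciRunning
    BitLocker   = $bitlockerOn
    DefenderRTP = $defenderRtp
} | Format-List

# 2. Hash every file on the ESP; the partition is normally unmounted, so mount it.
$letter = 'S:'
mountvol $letter /S | Out-Null                                # mount the ESP
try {
    $current = @{}
    Get-ChildItem -Path "$letter\" -Recurse -File -Force | ForEach-Object {
        $rel = $_.FullName.Substring($letter.Length)           # path relative to ESP root
        $current[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
} finally {
    mountvol $letter /D | Out-Null                            # always unmount again
}

if ($Baseline) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    "Baseline of $($current.Count) ESP files written to $BaselinePath"
    return
}

# 3. Report files that are new or changed relative to the baseline.
$saved = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
foreach ($path in $current.Keys) {
    $old = $saved.$path
    if (-not $old)                    { "NEW FILE on ESP:  $path" }
    elseif ($old -ne $current[$path]) { "MODIFIED on ESP:  $path" }
}
```

A protection that was on in the baseline run and is off now, or any new or modified file under the EFI partition, is a finding to investigate; legitimate Windows updates also touch the ESP, so re-baseline after patching.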