BlackLotus Archives – Gridinsoft Blog https://gridinsoft.com/blogs/tag/blacklotus/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Mon, 17 Jul 2023 19:37:32 +0000 en-US hourly 1 https://wordpress.org/?v=93811 200474804 Researchers Found BlackLotus UEFI Bootkit Sources on GitHub https://gridinsoft.com/blogs/blacklotus-bootkit/ https://gridinsoft.com/blogs/blacklotus-bootkit/#respond Mon, 17 Jul 2023 16:05:51 +0000 https://gridinsoft.com/blogs/?p=15985 The source code for the BlackLotus UEFI bootkit, which was previously sold on the dark web for $5,000, has been discovered by Binarly analysts on GitHub. The researchers say the leaked sources are not entirely complete and contain mostly a rootkit and a bootkit to bypass Secure Boot. What is BlackLotus bootkit? BlackLotus was first… Continue reading Researchers Found BlackLotus UEFI Bootkit Sources on GitHub

The post Researchers Found BlackLotus UEFI Bootkit Sources on GitHub appeared first on Gridinsoft Blog.

]]>
The source code for the BlackLotus UEFI bootkit, which was previously sold on the dark web for $5,000, has been discovered by Binarly analysts on GitHub. The researchers say the leaked sources are not entirely complete and contain mostly a rootkit and a bootkit to bypass Secure Boot.

What is BlackLotus bootkit?

BlackLotus was first spotted in October 2022. Its seller claimed that the bootkit had a built-in Secure Boot bypass, built-in Ring0/Kernel deletion protection, and also ran in recovery mode and safe mode. The malware is equipped with anti-virtualization, anti-debugging and obfuscation, which complicates its detection and analysis. Also, according to the seller, the security software cannot detect and destroy the bootkit, since it runs under the SYSTEM account inside a legitimate process.

BlackLotus darknet ad

In addition, BlackLotus is able to disable security mechanisms on target machines, including Hypervisor-Protected Code Integrity (HVCI) and Windows Defender, as well as bypass User Account Control (UAC). The payload has a size of 80 kilobytes, is written in assembler and C, and it can determine the geofence of the victim in order to avoid infecting machines in the CIS countries. Last year, the malware was offered for sale for $5,000, with each new version priced at another $200.

Later, the threat was studied by analysts from ESET. They confirmed that the bootkit easily bypasses Secure Boot and uses the Baton Drop vulnerability (CVE-2022-21894) from a year ago to gain a foothold in the system.

How does the exploit work?

It was highlighted that Microsoft fixed this issue back in January 2022, but attackers can still exploit it because the affected signed binaries were not added to the revocation list. According to analysts, BlackLotus is the first documented case of abuse of this vulnerability.

Later, Microsoft experts, during the analysis of devices compromised with BlackLotus, identified a number of features that make it possible to detect infection and described in detail possible indicators of compromise.

They also discovered that BlackLotus exploits another vulnerability, CVE-2023-24932, which is also related to bypassing Secure Boot protection. Although the bug was fixed in May of this year, this update was disabled by default, and Microsoft required Windows users to perform a very complicated manual installation of this fix.

Since the company warned that installing the patch incorrectly could cause Windows to stop starting and could not be restored even from installation media, many people chose not to install the patches, leaving devices vulnerable to attacks.

BlackLotus UEFI Bootkit Leaked to the GitHub

As Binarly experts now say, the BlackLotus source code was leaked to GitHub by a user under the nickname Yukari. He writes that the source code has been changed and no longer exploits the Baton Drop vulnerability. Instead, BlackLotus uses the bootlicker UEFI rootkit, which is based on the CosmicStrand, MoonBounce, and ESPECTRE UEFI APT rootkits.

BlackLotus Git Repository

The source code leak is incomplete and mainly contains a rootkit and bootkit code to bypass Secure Boot.Alex Matrosov, co-founder and head of Binarly, told Bleeping Computer.

He explains that the methods used in the bootkit are no longer new, but leaking the source code would allow attackers to easily combine the bootkit with new vulnerabilities, both known and unknown.

Most of these tricks and techniques have been known for a long time and do not pose a significant danger. However, the fact that they can be combined with new exploits, as the creators of BlackLotus did, came as a surprise to the industry and showed the limitations of existing OS protections.says Matrosov.

Since the BlackLotus UEFI Bootkit source code is now available to everyone, it is possible that with its help hackers will be able to create more powerful malware that can bypass existing and future measures to counter such threats.

The post Researchers Found BlackLotus UEFI Bootkit Sources on GitHub appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/blacklotus-bootkit/feed/ 0 15985
Microsoft Told How to Detect the Installation of the BlackLotus UEFI Bootkit https://gridinsoft.com/blogs/uefi-bootkit-blacklotus/ https://gridinsoft.com/blogs/uefi-bootkit-blacklotus/#respond Fri, 14 Apr 2023 14:23:57 +0000 https://gridinsoft.com/blogs/?p=14202 Microsoft has shared a guide to help organizations detect the installation of the BlackLotus UEFI bootkit that exploits the CVE-2022-21894 vulnerability. The company also explained how best to restore an infected system. Let me remind you that we also wrote that Experts discovered ESPecter UEFI bootkit used for espionage. Let me remind you that BlackLotus… Continue reading Microsoft Told How to Detect the Installation of the BlackLotus UEFI Bootkit

The post Microsoft Told How to Detect the Installation of the BlackLotus UEFI Bootkit appeared first on Gridinsoft Blog.

]]>

Microsoft has shared a guide to help organizations detect the installation of the BlackLotus UEFI bootkit that exploits the CVE-2022-21894 vulnerability. The company also explained how best to restore an infected system.

Let me remind you that we also wrote that Experts discovered ESPecter UEFI bootkit used for espionage.

Let me remind you that BlackLotus was first seen in October 2022. Its seller claimed that the bootkit had a built-in Secure Boot bypass, built-in Ring0/Kernel deletion protection, and also ran in recovery mode and safe mode.

It was reported that the malware is equipped with anti-virtualization, anti-debugging and obfuscation, which complicates its detection and analysis. Also, according to the seller, the security software cannot detect and destroy the bootkit, since it runs under the SYSTEM account inside a legitimate process.

In addition, BlackLotus is able to disable security mechanisms on target machines, including Hypervisor-Protected Code Integrity (HVCI) and Windows Defender, as well as bypass User Account Control (UAC).

Black Lotus has a size of 80 kilobytes, is written in assembler and C, and can determine the geofence of the victim in order to avoid infecting machines in the CIS countries. Last year, the malware was offered for sale for $5,000, with each new version priced at another $200.

Later, the threat was studied by analysts from ESET. They confirmed that the bootkit easily bypasses Secure Boot and uses the CVE-2022-21894 vulnerability from a year ago to gain a foothold in the system.

It was highlighted that Microsoft fixed this issue back in January 2022, but attackers can still exploit it because the affected signed binaries were not added to the UEFI revocation list. According to analysts, BlackLotus is the first documented case of abuse of this vulnerability.

As Microsoft experts now say, during the analysis of devices compromised with BlackLotus, they identified a number of features that make it possible to detect infection. The researchers say defenders may be looking for signs of a BlackLotus installation in the following locations:

  1. newly created and locked bootloader files;
  2. the presence of an intermediate directory used during the installation of BlackLotus, in the EFI System Partition (ESP);
  3. changing the Hypervisor-protected Code Integrity (HVCI) registry key;
  4. online magazines;
  5. boot configuration logs.

BlackLotus UEFI bootkit
Registry changes

It is very important to note that the use of this bootkit by attackers is primarily an evasion and preservation mechanism. This is not a first-stage payload or initial access vector, the bootkit can only be deployed on a device to which the attacker has already gained either privileged or physical access.Microsoft said in a statement.

Analysts write that BlackLotus blocks files it writes to EFI (ESP), making them inaccessible. However, their names, creation time, and error messages received when trying to access them should indicate the presence of a bootkit, as well as the presence of a custom directory (/system32/) created and not deleted during installation.

BlackLotus UEFI bootkit
Timestamps for BlackLotus Boot Files

If recently modified and locked files are found in the device’s ESP, especially those that match known BlackLotus bootloader filenames, they should be considered highly suspicious. The device should be removed from the network to check for additional evidence of the presence of BlackLotus or follow-up actions after infection.Microsoft notes.

Defenders can also detect bootkit-related registry changes, log entries created when BlackLotus disables Microsoft Defender or adds components to the boot loop, and winlogon.exe’s persistent outgoing network connection on port 80, which also indicates an infection.

To clean up a machine previously infected with BlackLotus, experts recommend isolating it from the network, reformatting and installing a clean OS with an EFI partition, or restoring the system from a clean backup with an EFI partition.

To avoid being infected by BlackLotus or other malware that exploits the CVE-2022-21894 vulnerability, Microsoft recommends that organizations be mindful of the principle of least privilege and maintain credential hygiene.

Avoid using service accounts at the domain and administrator levels. Restricting local administrator privileges can help prevent the installation of Remote Access Trojans (RATs) and other unwanted applications.Microsoft says.

The post Microsoft Told How to Detect the Installation of the BlackLotus UEFI Bootkit appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/uefi-bootkit-blacklotus/feed/ 0 14202
BlackLotus UEFI Bootkit Bypasses Protection even in Windows 11 https://gridinsoft.com/blogs/blacklotus-uefi-bootkit/ https://gridinsoft.com/blogs/blacklotus-uefi-bootkit/#respond Mon, 06 Mar 2023 15:00:11 +0000 https://gridinsoft.com/blogs/?p=13637 ESET experts reported that the BlackLotus UEFI bootkit, which is sold on hacker forums for about $ 5,000, is indeed capable of bypassing Secure Boot protection. According to researchers, the malware poses a threat even to fully updated machines running Windows 11 with UEFI Secure Boot enabled. Let me remind you that we also wrote… Continue reading BlackLotus UEFI Bootkit Bypasses Protection even in Windows 11

The post BlackLotus UEFI Bootkit Bypasses Protection even in Windows 11 appeared first on Gridinsoft Blog.

]]>

ESET experts reported that the BlackLotus UEFI bootkit, which is sold on hacker forums for about $ 5,000, is indeed capable of bypassing Secure Boot protection.

According to researchers, the malware poses a threat even to fully updated machines running Windows 11 with UEFI Secure Boot enabled.

Let me remind you that we also wrote that Experts discovered ESPecter UEFI bootkit used for espionage, and also that The expert told how he hacked into a nuclear power plant.

BlackLotus was first spotted in October 2022. Its seller claimed that the bootkit had a built-in Secure Boot bypass, built-in Ring0/Kernel deletion protection, and also ran in recovery mode and safe mode.

In addition, the seller claimed that the malware is equipped with anti-virtualization, anti-debugging and obfuscation, which complicates its detection and analysis. Also, according to his statements, the security software cannot detect and destroy the bootkit, since it runs under the SYSTEM account inside a legitimate process.

In addition, Black Lotus is allegedly capable of disabling security mechanisms on target machines, including Hypervisor-Protected Code Integrity (HVCI) and Windows Defender, as well as bypassing User Account Control (UAC).

The experts who discovered it wrote that Black Lotus has a size of 80 kilobytes, is written in assembler and C, and can determine the geofence of the victim in order to avoid infecting machines in the CIS countries. The malware is offered for sale for $5,000, and each new version will cost another $200.

Let me remind you that at that time the experts admitted that all the above features of Black Lotus are nothing more than a publicity stunt, and in reality the bootkit is far from being so dangerous. Unfortunately, these assumptions were not confirmed.

As ESET information security experts, who have been studying the malware since last fall, now report, rumors that the bootkit easily bypasses Secure Boot “have now become a reality”. According to them, the malware uses a year-old vulnerability CVE-2022-21894 to bypass Secure Boot and gain a foothold in the system.

BlackLotus UEFI Bootkit
Chronology from vulnerability to bootkit

Microsoft fixed this issue back in January 2022, but attackers can still exploit it because the affected signed binaries were not added to the UEFI revocation list. According to analysts, this is the first documented case of abuse of this vulnerability.

Black Lotus takes advantage of this by adding its own copies of legitimate but vulnerable binaries to the system in order to exploit the vulnerability.ESET explains.

Most likely, information security specialists mean attacks like BYOVD – bring your own vulnerable driver.

Even worse, the PoC exploit for this vulnerability has been available since August 2022, so other cybercriminals may soon take advantage of the problem.

The exact way the bootkit is deployed is still unclear, but the attack begins with the installer component, which is responsible for writing files to the EFI system partition, disabling HVCI and BitLocker, and then rebooting the host.

The researchers say that after exploiting CVE-2022-21894, Black Lotus disables protection mechanisms, deploys a kernel driver and an HTTP loader. The kernel driver, among other things, protects the bootkit files from deletion, while the bootloader communicates with the control server and executes the payload.

BlackLotus UEFI Bootkit

While the researchers do not link the malware to any particular hack group or government, they note that the Black Lotus installers they analyzed will not work if the infected computer is located in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, and Ukraine.

The post BlackLotus UEFI Bootkit Bypasses Protection even in Windows 11 appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/blacklotus-uefi-bootkit/feed/ 0 13637