BlackLotus Malware Successfully Bypasses Secure Boot on Windows 11, Becoming First UEFI Bootkit

Today marks a significant milestone in the cyber threat landscape, as the first publicly known malware capable of bypassing Secure Boot defenses has been discovered. Dubbed BlackLotus, the stealthy Unified Extensible Firmware Interface (UEFI) bootkit is being offered for sale at $5,000 and is programmed in Assembly and C.

According to ESET, a Slovak cybersecurity company, BlackLotus is capable of running on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled. It takes advantage of a security flaw tracked as CVE-2022-21894 (aka Baton Drop) to get around UEFI Secure Boot protections and set up persistence. The vulnerability was addressed by Microsoft as part of its January 2022 Patch Tuesday update.

The powerful and persistent toolkit is 80 kilobytes in size and features geofencing capabilities to avoid infecting computers in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, and Ukraine. It exploits the vulnerability to achieve persistence and install the bootkit, after which it is automatically executed on every system start to deploy a kernel driver. This driver is responsible for launching a user-mode HTTP downloader and running next-stage kernel-mode payloads.

“This represents a bit of a ‘leap’ forward, in terms of ease of use, scalability, accessibility, and most importantly, the potential for much more impact in the forms of persistence, evasion, and/or destruction,” said Scott Scheferman of Eclypsium.

“Unfortunately, due to the complexity of the whole UEFI ecosystem and related supply-chain problems, many of these vulnerabilities have left many systems vulnerable even a long time after the vulnerabilities have been fixed – or at least after we were told they were fixed,” noted Martin Smolár of ESET. “It was just a matter of time before someone would take advantage of these failures and create a UEFI bootkit capable of operating on systems with UEFI Secure Boot enabled.”