A dangerous bootkit has been spotted on the dark web that is capable of bypassing cybersecurity solutions and installing all sorts of malware on a vulnerable endpoint.
A new report from cybersecurity experts ESET claims the bootkit is, most likely, BlackLotus, an infamous piece of malware being sold on the dark web for roughly $5,000.
Not only can BlackLotus bypass antivirus programs, but it can also run on fully updated Windows 11 devices, with UEFI Secure Boot enabled.
Sparing Russia and its neighbors
To make the bootkit work, its makers exploited CVE-2022-21894, a known vulnerability that Microsoft patched more than a year ago. However, its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list, ESET explained (opens in new tab). That means BlackLotus can bring its own copies of legitimate, vulnerable binaries, and then exploit the flaw.
After disabling the antivirus (which even includes Windows Defender), the bootkit can deploy a downloader which can then install other malicious payloads. The researchers also spotted that the installer spares devices located in Armenia, Belarus, Kazakhstan, Moldova, Russia, and Ukraine.
BlackLotus has been making rounds on the dark web, being sold for roughly $5,000. However, many researchers believed the ads were a fake, and that the malware didn’t really exist.
“We can now present evidence that the bootkit is real, and the advertisement is not merely a scam,” says ESET researcher Martin Smolár. “The low number of BlackLotus samples we have been able to obtain, both from public sources and our telemetry, leads us to believe that not many threat actors have started using it yet. We are concerned that things will change rapidly should this bootkit get into the hands of crimeware groups, based on the bootkit’s easy deployment and crimeware groups’ capabilities for spreading malware using their botnets.”
The ability to control the entire OS boot process makes UEFI bootkits an extremely potent weapon, ESET concluded. Threat actors that successfully deploy it can operate on the target endpoint stealthily, and with high privileges. So far, a handful of UEFI bootkits were observed in the wild.
“The best advice, of course, is to keep your system and its security product up to date to raise the chance that a threat will be stopped right at the beginning, before it’s able to achieve pre-OS persistence,” Smolár concluded.
