A malicious actor is selling on hacking forums what he claims is a new UEFI bootkit named BlackLotus, a malicious tool with capabilities typically linked to state-sponsored threat groups.
UEFI bootkits are implanted into the system firmware and are invisible to security software running within the operating system, as the malware loads during the initial phase of the boot sequence.
While cybercriminals who want a license for this Windows bootkit have to pay $5,000, the threat actor claims that rebuilds would only cost them $200.
The seller states that BlackLotus has a built-in secure boot bypass, built-in Ring0/Kernel deletion protection, and will boot in recovery or safe mode.
BlackLotus claims to offer anti-virtual machine (anti-VM), anti-debugging, and code obfuscation features to block malware scanning attempts. The vendor also claims that the security software cannot detect and kill the bootkit because it is running under the SYSTEM account as part of a legitimate process.
In addition, this tiny bootkit with a size of only 80 KB on disk after installation can disable Windows built-in security protection, such as Hypervisor Protected Code Integrity (HVCI) and Windows Defender, and bypass User Account Control (UAC).
“The software itself and the Secure Boot bypass work independently of the vendor. A vulnerable signed bootloader is used to load the bootkit if Secure Boot is used,” the threat actor explained when a “customer” potential asked if it would work with a particular firmware.
“Fixing this vulnerability by adding it to the UEFI revocation list is currently not possible, as the vulnerability affects hundreds of boot loaders that are still in use today.”
APT-level malware is now more widely available
Kaspersky senior security researcher Sergey Lozhkin also spotted BlackLotus being advertised on criminal forums and warned that it was a big move, as this kind of capability was not generally only available to state-sponsored hacking groups.
“Previously, these threats and technologies were only available to the guys who developed advanced persistent threats, mostly governments. Today, these kind of tools are in the hands of criminals all over the forums,” Sergey said. Lozhkin, senior security researcher at Kaspersky. said Last week.
Other security analysts have called the wide availability of BlackLotus to any cybercriminal with deep enough pockets a leap towards greater availability of APT-level capabilities in off-the-shelf malware.
“I’ve reviewed its features and capabilities and right off the bat these are the highlights that every blue team and every red team should be fully aware of,” Eclypsium CTO Scott Scheferman also said. warned.
“Given that this trade was once relegated to APTs like Russian GRU and APT 41 (China Link), and given previous criminal discoveries we’ve made (e.g. Trickbot’s Trickboot module), this represents a bit of a “leap forward”, in terms of ease of use, scalability, accessibility, and more importantly the potential for much greater impact in the form of persistence, evasion and/or destruction.”
However, Scheferman said that until a sample is found, there’s no way to tell if the feature set is complete or even production-ready.
“It should also be noted that until we or someone gets a sample of this malware and runs it on a box near production in a lab, there is always a chance that it may not be ready for show time yet, or some aspect of its features may not work properly, or even the possibility that this is all a scam,” he added.
If confirmed, this would be a worrying trend given that BlackLotus can also be used to load unsigned drivers that could be used in Bring Your Own Driver (BYOVD) attacks.