Explore MoonBounce UEFI Bootkit Malware: Uncover its origins, impact, and defense strategies against this digital threat.
Just last spring, researchers spotted a new UEFI bootkit that disables built-in Windows security tools and bypasses User Account Control. That malware, called MoonBounce, resides on a low-level portion of the hard drive and thus goes undetected by traditional security products.
ESET researchers have now found another such UEFI bootkit being sold on hacking forums, named BlackLotus. The malware exploits a more than one-year-old vulnerability tracked as CVE-2022-21894 to bypass security and establish persistence.
What is BlackLotus?
BlackLotus is the first-known malware in the wild to bypass UEFI Secure Boot and run on fully patched Windows 11 systems. It’s being sold on hacking forums for $5,000 and uses a more than one-year-old vulnerability, tracked as CVE-2022-21894, to bypass UEFI security features and set up persistence.
Once BlackLotus bypasses the system’s UEFI security tools, it starts its work by executing a kernel driver and an HTTP downloader on the computer. The kernel driver, among other things, protects the bootkit files from removal, and the HTTP downloader communicates with a command-and-control server to execute payloads.
The researchers also uncovered some DNS queries that appear to be sent by BlackLotus. Those queries start with a unique ID, which is chosen from a set of upper- and lower-case letters, as well as a location or descriptor field. Decoded values such as “PING” and “BACKTT” have been observed in the queries, as well as a value such as “TERMINAL1,” which was seen in the list of processes to examine in earlier versions of BlackLotus.
Using this information, the researchers can trace where BlackLotus is originating. The installers they analyzed won’t proceed if the compromised machine is located in Armenia, Belarus, Kazakhstan, Moldova, Russia or Ukraine. This is a clear indication that the malware targets government and military assets.
BlackLotus can disable OS security mechanisms such as BitLocker disk encryption, Hypervisor-Protected Code Integrity (HVCI) and Windows Defender, and bypass User Account Control. It can also install a rogue kernel driver and gain root privileges to steal data or perform other malicious activities. Black Lotus Labs doesn’t attribute the threat to a specific gang or nation-state group, but they do believe the attacks are part of a targeted campaign against perceived high-value networks.
How is BlackLotus able to bypass Secure Boot?
BlackLotus is the first-known real-world bootkit capable of bypassing UEFI Secure Boot protections. It does so by loading code ahead of the operating system on compromised PCs, allowing it to disable OS security mechanisms such as BitLocker disk encryption and Hypervisor-Protected Code Integrity.
The malware exploits a more than one-year-old vulnerability tracked by Microsoft as CVE-2022-21894. It uses this flaw to bypass UEFI Secure Boot and set up persistence, even on fully patched Windows 11 systems. It injects its own copy of the vulnerable binary into a computer’s ESP, ESET researchers say.
Once the UEFI bootloader is loaded, the malware deploys a kernel driver (that protects it from removal) and an HTTP downloader that can communicate with its Command and Control server and load additional user-mode or kernel-mode payloads. Additionally, the installers ESET analyzed do not proceed with the bootkit installation if they detect locales from Armenia, Belarus, Moldova, Russia, or Ukraine, suggesting that some of the attackers behind this threat are Russian.
To mitigate this zero-day vulnerability, all affected customers should install the May 9, 2023 Windows security update, which also includes patches for other vulnerabilities. This will also ensure that a more up-to-date version of the UEFI bootloader is installed, ESET says.
What are the key features of BlackLotus?
BlackLotus is a Unified Extensible Firmware Interface (UEFI) bootkit, a type of malware that can be deployed in system firmware and take full control of the OS startup process to disable security mechanisms or deploy arbitrary payloads with high privileges. This means that a threat actor can gain lateral movement within an organization by exploiting a zero-day vulnerability, bypassing security products with the bootkit and then using legitimate drivers to hide malicious activities on the compromised machine.
The BlackLotus bootkit was discovered in late 2022, and is the first known highly evasive UEFI bootkit to bypass and evade significant security mechanisms. The bootkit is designed to turn off protections like BitLocker, Hypervisor-protected Code Integrity (HVCI), Windows Defender, and more. It also has kernel driver-level persistence, as well as an HTTP downloader component that can communicate with a command and control (C2) server to obtain additional user-mode or kernel-mode malware.
Unlike previous UEFI bootkits that relied on the kernel to achieve persistence, BlackLotus takes advantage of a specific hardware feature of many motherboards. This feature enables the bootkit to load its own drivers in the EFI system partition without needing the kernel. That, in turn, lets the bootkit avoid detection by security products that rely on signature-based detection methods, such as UEFI Secure Boot.
To achieve this, the bootkit weaponizes a legacy Secure Boot vulnerability tracked by Microsoft as CVE-2022-21894, or “Baton Drop,” which was patched in January of 2022. Once BlackLotus has successfully accessed live memory, it then uses its own copies of the vulnerable driver to install itself in the EFI system partition, allowing it to persist even after the reboots caused by a UEFI update.
Threat hunters can detect a BlackLotus infection by monitoring for the presence of bootloader files written to the EFI system partition, as well as staging directory artifacts, modified registry entries, network behavior, and generated Windows Event and Boot Configuration log entries. Microsoft recommends that a device suspected of being infected by BlackLotus should be removed from the network, reformatted, and restored from a clean backup that includes the EFI partition.
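One way to watch for bootloader files written to the EFI system partition is to diff the mounted ESP against a known-good snapshot. The sketch below is an added example, not code from ESET or Microsoft; the function names and the demo tree (including `constructed_extra.efi`) are constructed for illustration, and it assumes the ESP is already mounted at a readable path.

```python
import hashlib
import os
import tempfile


def snapshot_esp(root):
    """Map each file under a mounted ESP to its SHA-256."""
    # Keys are lowercased relative paths: the ESP is FAT (case-insensitive),
    # so a case change must not show up as a removal plus an addition.
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_esp(baseline, current):
    """Report files written, changed or deleted since the baseline snapshot."""
    shared = baseline.keys() & current.keys()
    report = {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }
    # Boot-path executables deserve the first look: they run before the OS.
    report["efi_changes"] = sorted(
        p for p in report["added"] + report["modified"] if p.endswith(".efi"))
    return report


def demo():
    """Constructed ESP tree (not real boot files) to exercise the diff."""
    with tempfile.TemporaryDirectory() as esp:
        boot = os.path.join(esp, "EFI", "Microsoft", "Boot")
        os.makedirs(boot)
        for name, data in (("bootmgfw.efi", b"known-good"), ("BCD", b"store-v1")):
            with open(os.path.join(boot, name), "wb") as fh:
                fh.write(data)
        baseline = snapshot_esp(esp)
        # Simulate later writes: one replaced loader, one new binary.
        with open(os.path.join(boot, "bootmgfw.efi"), "wb") as fh:
            fh.write(b"replaced")
        with open(os.path.join(boot, "constructed_extra.efi"), "wb") as fh:
            fh.write(b"new file")
        return diff_esp(baseline, snapshot_esp(esp))
```

Legitimate Windows updates also rewrite boot files, so a reported change is a lead to correlate with patch history and the other artifacts listed above, not a verdict on its own.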
How can BlackLotus be detected?
BlackLotus is the first known in-the-wild bootkit to bypass UEFI Secure Boot and set up persistence on compromised systems, ESET researchers say. This malware is sold on hacking forums for $5,000 and can run even on fully patched Windows 11 systems with UEFI Secure Boot enabled, the company notes.
It evades the UEFI boot process by loading up before anything else in the system, including the operating system and security tools that would detect or stop it. It also enables attackers to use powerful evasion, persistence and Command-and-Control (C2) techniques, such as deploying malicious kernel drivers and disabling BitLocker disk encryption and Microsoft Defender antivirus protection, the experts note.
The threat leverages a more than one-year-old vulnerability, tracked as CVE-2022-21894, to bypass the UEFI Secure Boot feature and establish persistence on compromised systems. While Microsoft fixed this flaw in January, miscreants continue to exploit it because the affected signed binaries have not been added to the UEFI revocation list, researchers explain.
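Whether a given signed boot binary has been revoked can be checked against the machine's own dbx variable. The parser below is an added example, not part of the ESET research: it walks the EFI_SIGNATURE_LIST structures in a dbx blob and collects the SHA-256 entries. The function names and sample digests are constructed; real dbx entries for boot binaries are Authenticode image hashes, which must be computed separately and are not plain file hashes.

```python
import hashlib
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
LIST_HEADER = 28  # 16-byte type GUID + three little-endian uint32 sizes


def parse_dbx_sha256(blob, efivarfs_prefix=False):
    """Return the SHA-256 digests (hex) listed in a dbx variable.

    blob is a run of EFI_SIGNATURE_LIST structures. Linux efivarfs files
    start with a 4-byte attributes field; pass efivarfs_prefix=True to skip it.
    """
    offset = 4 if efivarfs_prefix else 0
    revoked = set()
    while offset < len(blob):
        if offset + LIST_HEADER > len(blob):
            raise ValueError("truncated list header at offset %d" % offset)
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        end = offset + list_size
        if list_size < LIST_HEADER or end > len(blob):
            raise ValueError("corrupt EFI_SIGNATURE_LIST at offset %d" % offset)
        if sig_type == EFI_CERT_SHA256_GUID and sig_size == 48:
            first = offset + LIST_HEADER + hdr_size
            for pos in range(first, end - 47, 48):
                # EFI_SIGNATURE_DATA: 16-byte owner GUID, then the digest.
                revoked.add(blob[pos + 16:pos + 48].hex())
        offset = end  # other list types (e.g. X.509) are skipped whole
    return revoked


def build_sha256_list(digests, owner=uuid.UUID(int=0)):
    """Build a constructed EFI_SIGNATURE_LIST for exercising the parser."""
    body = b"".join(owner.bytes_le + d for d in digests)
    header = struct.pack("<III", LIST_HEADER + len(body), 0, 48)
    return EFI_CERT_SHA256_GUID.bytes_le + header + body


def demo():
    """Constructed digests stand in for Authenticode hashes of boot binaries."""
    revoked = hashlib.sha256(b"constructed revoked loader").digest()
    missing = hashlib.sha256(b"constructed unrevoked loader").digest()
    dbx = struct.pack("<I", 0x27) + build_sha256_list([revoked])
    listed = parse_dbx_sha256(dbx, efivarfs_prefix=True)
    return revoked.hex() in listed, missing.hex() in listed
```

A binary whose hash is absent from the parsed set is still trusted by Secure Boot on that machine, which is the condition the researchers describe.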
Once a system is infected, BlackLotus deploys a kernel driver and an HTTP downloader responsible for communicating with the command-and-control server and executing additional user-mode or kernel-mode payloads, the analysts report. The malware can disable OS security mechanisms such as BitLocker, Hypervisor-protected Code Integrity and Windows Defender, and bypass User Account Control to operate stealthily with high privileges.
While researchers don’t attribute the attack to a particular gang or nation-state group, they point out that BlackLotus installers won’t proceed with the installation of the bootkit on a system if it is located in Armenia, Belarus, Kazakhstan, Moldova or Russia. This indicates the hackers behind the attack may be targeting this region, ESET suggests.