April 13, 2024

Mar 01, 2023 · Ravie Lakshmanan · Endpoint Security / Cyber Threat

UEFI Bootkit Malware

A stealthy Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus has become the first publicly known malware capable of bypassing Secure Boot defenses, making it a potent threat in the cyber landscape.

“This bootkit can run even on fully updated Windows 11 systems with UEFI Secure Boot enabled,” Slovak cybersecurity company ESET said in a report shared with The Hacker News.

UEFI bootkits are deployed in the system firmware and allow full control over the operating system (OS) boot process, thereby making it possible to disable OS-level security mechanisms and deploy arbitrary payloads during startup with high privileges.

Offered for sale at $5,000 (and $200 per new subsequent version), the powerful and persistent toolkit is programmed in Assembly and C and is 80 kilobytes in size. It also features geofencing capabilities to avoid infecting computers in Armenia, Belarus, Kazakhstan, Moldova, Romania, Russia, and Ukraine.

Details about BlackLotus first emerged in October 2022, with Kaspersky security researcher Sergey Lozhkin describing it as a sophisticated crimeware solution.

“This represents a bit of a ‘leap’ forward, in terms of ease of use, scalability, accessibility, and most importantly, the potential for much more impact in the forms of persistence, evasion, and/or destruction,” Eclypsium’s Scott Scheferman noted.

BlackLotus, in a nutshell, exploits a security flaw tracked as CVE-2022-21894 (aka Baton Drop) to get around UEFI Secure Boot protections and set up persistence. The vulnerability was addressed by Microsoft as part of its January 2022 Patch Tuesday update.

A successful exploitation of the vulnerability, according to ESET, allows arbitrary code execution during early boot phases, permitting a threat actor to carry out malicious actions on a system with UEFI Secure Boot enabled without having physical access to it.


“This is the first publicly known, in-the-wild abuse of this vulnerability,” ESET researcher Martin Smolár said. “Its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list.”

“BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability,” effectively paving the way for Bring Your Own Vulnerable Driver (BYOVD) attacks.
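The revocation list Smolár refers to is the UEFI `dbx` variable, a sequence of EFI_SIGNATURE_LIST records whose SHA-256 entries name the Authenticode hashes of boot binaries the firmware must refuse to load; the parser below, an added example that is not ESET's or Microsoft's code, lets a defender read a dumped `dbx` blob and check whether a given bootloader hash is actually revoked on a machine. The sample blob and its two hashes are constructed placeholders; the real hashes of the CVE-2022-21894 binaries are not on this page and must be taken from the vendor's revocation guidance.

```python
import struct
import uuid

# EFI_CERT_SHA256_GUID: the SignatureType used for hash entries in db/dbx.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_LIST_HEADER_LEN = 28  # SignatureType GUID (16) + three UINT32 size fields (12)


def parse_signature_lists(blob: bytes):
    """Walk a db/dbx variable value made of EFI_SIGNATURE_LIST records and
    yield (signature_type, signature_owner, signature_data) per entry."""
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < SIG_LIST_HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        end = offset + list_size
        if list_size < SIG_LIST_HEADER_LEN + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError("EFI_SIGNATURE_LIST sizes are inconsistent with the blob")
        pos = offset + SIG_LIST_HEADER_LEN + hdr_size
        while pos + sig_size <= end:  # each entry: SignatureOwner GUID + SignatureData
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        offset = end


def revoked_sha256_hashes(dbx_blob: bytes) -> set:
    """Return the lowercase hex SHA-256 hashes revoked by this dbx."""
    return {data.hex() for t, _, data in parse_signature_lists(dbx_blob)
            if t == EFI_CERT_SHA256_GUID}


def is_revoked(dbx_blob: bytes, authenticode_sha256_hex: str) -> bool:
    """True if the given PE Authenticode SHA-256 is blocked by the dbx."""
    return authenticode_sha256_hex.lower() in revoked_sha256_hashes(dbx_blob)


def build_sha256_list(hashes_hex, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used to construct the sample)."""
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes_hex)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", SIG_LIST_HEADER_LEN + len(body), 0, 16 + 32)
    return header + body


# Constructed sample dbx with two placeholder hashes (not real revocations).
SAMPLE_DBX = build_sha256_list(["11" * 32, "22" * 32])
```

On Windows the raw value comes from `(Get-SecureBootUEFI -Name dbx).Bytes`; on Linux the efivarfs file for `dbx` carries a 4-byte attribute prefix that must be stripped before parsing.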

Besides being equipped to turn off security mechanisms like BitLocker, Hypervisor-protected Code Integrity (HVCI), and Windows Defender, it's also engineered to drop a kernel driver and an HTTP downloader that communicates with a command-and-control (C2) server to retrieve additional user-mode or kernel-mode malware.

The exact modus operandi used to deploy the bootkit is unknown as yet, but it starts with an installer component that is responsible for writing the files to the EFI system partition, disabling HVCI and BitLocker, and then rebooting the host.

The restart is followed by the weaponization of CVE-2022-21894 to achieve persistence and install the bootkit, after which it is automatically executed on every system start to deploy the kernel driver.

While the driver is tasked with launching the user-mode HTTP downloader and running next-stage kernel-mode payloads, the latter is capable of executing commands received from the C2 server over HTTPS.

This includes downloading and executing a kernel driver, DLL, or a regular executable; fetching bootkit updates; and even uninstalling the bootkit from the infected system.

“Many critical vulnerabilities affecting security of UEFI systems have been discovered in the last few years,” Smolár said. “Unfortunately, due to the complexity of the whole UEFI ecosystem and related supply-chain problems, many of these vulnerabilities have left many systems vulnerable even a long time after the vulnerabilities have been fixed – or at least after we were told they were fixed.”

“It was just a matter of time before someone would take advantage of these failures and create a UEFI bootkit capable of running on systems with UEFI Secure Boot enabled.”
