Cybersecurity firm ESET recently reported the discovery of a UEFI bootkit called BlackLotus, capable of bypassing the critical UEFI Secure Boot feature. This dangerous bootkit can operate on fully up-to-date Windows 11 systems with Secure Boot enabled. Researchers believe that BlackLotus has been sold on hacking forums for $5,000 since as early as October 2022.
UEFI bootkits pose a significant risk due to their ability to control the OS boot process, disabling various security mechanisms and deploying payloads in the early stages of OS startup. These threats operate with high privileges and stealth. However, only a few UEFI bootkits have been discovered and publicly described thus far.
Although UEFI bootkits may be less stealthy than firmware implants, they offer similar capabilities without needing to bypass multilevel SPI flash defenses or hardware protections. Unfortunately, several known vulnerabilities can still be used to bypass UEFI Secure Boot, including the one exploited by BlackLotus.
ESET’s investigation began with the detection of the BlackLotus user-mode component—an HTTP downloader—in late 2022. Subsequent analysis led to the discovery of six BlackLotus installers, revealing the bootkit’s entire execution chain.
Microsoft has also acknowledged the threat posed by BlackLotus, noting that it exploits CVE-2022-21894. UEFI bootkits like BlackLotus are particularly dangerous because they can interfere with or deactivate various OS security mechanisms, such as BitLocker, hypervisor-protected code integrity (HVCI), and Microsoft Defender Antivirus. However, some artifacts can still be used to identify affected devices.
It’s important to note that BlackLotus is primarily a persistence and defense evasion mechanism, not a first-stage payload or initial access vector. The malware can only be deployed on a device where a threat actor has already gained privileged or physical access. By leveraging CVE-2022-21894, BlackLotus can achieve persistence, turn off HVCI, deploy a malicious kernel driver, and disable BitLocker and Microsoft Defender Antivirus.
Organizations should adopt recovery and prevention strategies to protect their environments from the dangers posed by BlackLotus and similar UEFI bootkits.
Microsoft has also published guidance for investigating BlackLotus infections.
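The protections the article says BlackLotus turns off (Secure Boot, HVCI, BitLocker and Microsoft Defender Antivirus) are all queryable from the running OS, and Microsoft's guidance points investigators at files left on the EFI System Partition (ESP). The script below is an added example written for this page, not code from ESET's report or from Microsoft's guidance; it audits those four mechanisms on a Windows host and lists files recently written under the ESP's `EFI` directory so an analyst can compare them against the artifacts Microsoft describes (the article itself does not enumerate them). It assumes Windows 10 or 11, an elevated PowerShell session, that drive letter `S:` is free for mounting the ESP, and an arbitrary 7-day look-back window.

```powershell
<#
 Added example, not from ESET or Microsoft: audits the protections the article
 says BlackLotus disables and lists recent writes on the EFI System Partition.
 Assumptions (hypothetical, not from the page): run as Administrator on
 Windows 10/11, S: is unused, 7-day window is a tunable default.
#>
#Requires -RunAsAdministrator
param(
    [int]$DaysBack = 7,          # how far back to look for ESP writes
    [string]$EspLetter = 'S:'    # temporary drive letter for the ESP
)

$findings = @()

# 1. Secure Boot state. Confirm-SecureBootUEFI throws on legacy-BIOS machines,
#    so treat an exception as "unknown" rather than "off".
try {
    if (-not (Confirm-SecureBootUEFI)) { $findings += 'Secure Boot is OFF' }
} catch {
    $findings += "Secure Boot state unavailable: $($_.Exception.Message)"
}

# 2. HVCI. In Win32_DeviceGuard, the value 2 in SecurityServicesRunning means
#    hypervisor-enforced code integrity is active; the same value in
#    SecurityServicesConfigured means policy asks for it.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -notcontains 2) {
    if ($dg.SecurityServicesConfigured -contains 2) {
        # Policy is present but enforcement is not running: the mismatch the
        # article's "turn off HVCI" behaviour would produce.
        $findings += 'HVCI is configured but NOT running'
    } else {
        $findings += 'HVCI is not running'
    }
}

# 3. BitLocker on the OS volume.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($osVol.ProtectionStatus -ne 'On') {
    $findings += "BitLocker protection is $($osVol.ProtectionStatus) on $env:SystemDrive"
}

# 4. Microsoft Defender engine and real-time protection.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings += 'Defender antivirus is disabled' }
if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is disabled' }

# 5. Recently written files on the ESP. mountvol <letter> /S mounts the EFI
#    System Partition; /D removes the mapping again. The page does not list the
#    specific BlackLotus artifacts, so this only surfaces candidates for review.
mountvol $EspLetter /S | Out-Null
try {
    $cutoff = (Get-Date).AddDays(-$DaysBack)
    $recent = Get-ChildItem -Path "$EspLetter\EFI" -Recurse -File -ErrorAction SilentlyContinue |
              Where-Object { $_.LastWriteTime -gt $cutoff }
    foreach ($f in $recent) {
        $findings += "ESP file written $($f.LastWriteTime.ToString('u')): $($f.FullName)"
    }
} finally {
    mountvol $EspLetter /D | Out-Null
}

if ($findings.Count -eq 0) {
    'No findings: all audited protections are enabled and no recent ESP writes.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

A single disabled control is not proof of a bootkit (administrators legitimately turn BitLocker or HVCI off), but the combination the article describes, HVCI configured yet not running alongside Defender and BitLocker being off on a Secure Boot machine, is the pattern worth escalating, and any `.efi` file on the ESP written outside a known Windows servicing window should be checked against Microsoft's published artifact list.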