ESET announced it has identified and analyzed 6 installers for the BlackLotus bootkit malware. This malware leverages the year-old Windows vulnerability CVE-2022-21894 to bypass Secure Boot, which allows it to infect even a fully patched Windows 11 device. In its January 2022 patch release, Microsoft published updates to fix the issue, but because the update did not revoke the previously signed binaries (the "validly signed binaries" were never added to the UEFI revocation list), an attacker can drop their own copies of the still validly signed, vulnerable binaries and compromise the system. In August 2022, a Proof of Concept for the exploitation of CVE-2022-21894 was published to GitHub, and the UEFI bootkit has been for sale on hacking forums since October 2022. Until the UEFI revocation list is updated to include those validly signed binaries, all versions of Windows listed in Microsoft's Advisory remain vulnerable. BlackLotus takes this further: it deploys a kernel driver to prevent removal, installs an HTTP downloader for Command and Control communication and payload delivery, and protects the handles to the bootkit's files by triggering a Blue Screen of Death if those handles are closed.
Link to Microsoft’s Advisory: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21894
Link to ESET’s News Release: https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-analyzes-blacklotus-a-uefi-bootkit-that-can-bypass-uefi-secure-boot-on-fully-patched-s/