For the bootkit to work, attackers use an old vulnerability, which, nevertheless, is still relevant on many computers.
A hidden bootkit called BlackLotus was the first widely known malware to be able to bypass Secure Boot protection in UEFI, making it a serious threat in cyberspace.
"This bootkit can run even on fully updated Windows 11 systems with UEFI Secure Boot enabled," ESET said in a report.
UEFI bootkits are deployed in the motherboard firmware and provide full control over the operating system boot process, allowing you to disable OS-level security mechanisms and deploy arbitrary payloads with high privileges during system startup.
Details about BlackLotus first surfaced in October 2022, when Sergey Lozhkin, a Kaspersky Lab researcher, described it as “sophisticated criminal software.”
In a nutshell, BlackLotus exploits the CVE-2022-21894 (aka Baton Drop) vulnerability to bypass UEFI Secure Boot protection and tweak its persistence on the victim's machine. Microsoft fixed this vulnerability back in January last year, but due to the fact that not everyone keeps their software up to date, millions of computers are still vulnerable to BlackLotus.
According to ESET, successful exploitation of the vulnerability allows the execution of arbitrary code at the early stages of computer boot, allowing an attacker to perform malicious actions on a system with UEFI Secure Boot enabled without physical access to it.
"This is the first publicly known use of this vulnerability," said Martin Smolar, researcher at ESET.
The exact way the bootkit is deployed is not yet known, but it starts with an installer component that is responsible for writing files to the EFI system partition, disabling HVCI and BitLocker, and then rebooting the host. After the reboot, the bootkit itself is installed, and then it is automatically executed every time the system starts to deploy the kernel driver.
“Over the past few years, many critical vulnerabilities affecting the security of UEFI systems have been discovered. Unfortunately, due to the complexity of the entire UEFI ecosystem and problems with the update supply chain, many of these vulnerabilities remain relevant even long after the fix, ”concluded the ESET specialist.