A cybercriminal is selling a new UEFI bootkit, named BlackLotus, on hacking forums. According to the seller's claims, the tool offers capabilities comparable to those of state-backed threat actors.

The BlackLotus bootkit

According to the malware developer, a BlackLotus license costs around $5,000, while rebuilds are priced at $200.
  • The bootkit is 80 KB on disk after installation and can disable Windows security features such as Hypervisor-Protected Code Integrity (HVCI) and Windows Defender, and bypass User Account Control (UAC).
  • Its key capabilities include an integrated Secure Boot bypass and Ring 0 (kernel-level) protection against removal.
  • In addition, the bootkit has anti-VM, anti-debug, and code obfuscation features intended to hinder malware analysis.

The seller claims that security software cannot detect or stop the bootkit because it runs under the SYSTEM account inside a legitimate process, and that the malware also works in recovery mode and Safe Mode.

An advanced malware

The bootkit is equipped with capabilities that are more often observed in state-sponsored hacking groups.
  • The bootkit does not depend on Secure Boot being disabled: if Secure Boot is enabled on the target system, a vulnerable signed bootloader is used to load it.
  • Moreover, this flaw cannot simply be mitigated by adding the affected bootloader to the UEFI revocation list (the DBX), because that bootloader is still in use at thousands of organizations, and revoking it would block every system that still boots with it.
  • Further, BlackLotus can be used to load unsigned drivers, as used in Bring Your Own Driver attacks.
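The three protections the seller claims to defeat (Secure Boot, HVCI, and the DBX revocation list) can at least be baselined on a Windows host before an incident. The following script is an added example written for this page, not code from Cyware or from the BlackLotus seller; it uses the built-in `Confirm-SecureBootUEFI`, `Get-SecureBootUEFI`, and `Win32_DeviceGuard` interfaces, and the `Get-DbxSha256Hashes` function is a hypothetical helper defined here that parses the DBX variable's EFI_SIGNATURE_LIST structures and counts its SHA-256 entries. It is a configuration check, not a BlackLotus detector: a tiny DBX only tells you the revocation list has never been updated, so any known-bad signed bootloader would still be accepted.

```powershell
# Added example (not from the article). Run in an elevated PowerShell on a UEFI system.
# Requires the built-in SecureBoot module (Windows 8 / Server 2012 and later).

# 1. Is Secure Boot enforced? The cmdlet throws on legacy BIOS systems, so catch that.
try {
    $secureBoot = Confirm-SecureBootUEFI
} catch {
    $secureBoot = $false   # non-UEFI or unsupported platform
}

# 2. Is HVCI (Hypervisor-Protected Code Integrity) actually running?
#    Win32_DeviceGuard.SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)

# 3. How many SHA-256 hashes does the UEFI revocation list (dbx) hold?
#    dbx is a sequence of EFI_SIGNATURE_LIST structures:
#      SignatureType (GUID, 16) | SignatureListSize (UINT32) | SignatureHeaderSize (UINT32) |
#      SignatureSize (UINT32) | SignatureHeader[...] | EFI_SIGNATURE_DATA entries
#    Each EFI_CERT_SHA256 entry is a 16-byte owner GUID followed by the 32-byte hash.
#    Hypothetical helper written for this example.
function Get-DbxSha256Hashes {
    param([byte[]]$Bytes)
    $sha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID
    $hashes = New-Object System.Collections.Generic.List[string]
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Stop on a malformed list rather than reading past the buffer.
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) { break }
        if ($type -eq $sha256Guid -and $sigSize -eq 48) {
            $pos = $offset + 28 + $headerSize
            while ($pos + $sigSize -le $offset + $listSize) {
                $hash = ($Bytes[($pos + 16)..($pos + 47)] | ForEach-Object { $_.ToString('x2') }) -join ''
                $hashes.Add($hash)
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
    return $hashes
}

try {
    $dbx = Get-SecureBootUEFI -Name dbx
    $dbxHashes = Get-DbxSha256Hashes -Bytes $dbx.Bytes
} catch {
    $dbxHashes = @()       # variable not readable (non-UEFI, or Secure Boot unsupported)
}

[pscustomobject]@{
    SecureBootEnabled = $secureBoot
    HvciRunning       = $hvciRunning
    DbxSha256Entries  = $dbxHashes.Count
}
```

Compare the `DbxSha256Entries` count against the DBX update your patch baseline should have applied; a host reporting `SecureBootEnabled = False` or `HvciRunning = False` has already lost the protections the seller claims to bypass, without any bootkit involved.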

Conclusion

Researchers spotted BlackLotus being promoted on criminal forums and consider it a serious concern: it makes APT-level capabilities available immediately to anyone with deep pockets. It comes with a full set of backdoor capabilities and can target both IT and OT environments. Security teams and analysts should watch out for this threat.
Cyware Publisher