BlackLotus Malware Bypasses UEFI Secure Boot

Description

UPDATE June 25, 2023: Updated the appendix to include a link to the "BlackLotus Mitigation Guide" published by the National Security Agency (NSA).


Why is this Significant?

This is significant because BlackLotus can bypass UEFI Secure Boot, which lowers its chance of detection: the malware executes before the operating system and before traditional OS-based security solutions start.

Also, BlackLotus has reportedly been advertised and sold on underground forums, so its use in attacks will likely increase.


What is BlackLotus?

BlackLotus is malware that bypasses the UEFI Secure Boot feature to install itself and then deploys a backdoor that allows an attacker to control the compromised machine remotely through commands.

BlackLotus leverages CVE-2022-21894 (a Secure Boot Security Feature Bypass vulnerability) to bypass UEFI Secure Boot. Although Microsoft patched the vulnerability in its regular January 2022 Patch Tuesday release, it reportedly remains exploitable because the affected signed binaries have not yet been added to the UEFI revocation list.
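Because the remaining exposure hinges on whether the vulnerable signed binaries have been revoked in firmware, the practical check for a defender is to inspect the machine's UEFI revocation variable (dbx) directly. The following Python script is an added example, not part of this advisory: it parses a raw dbx variable, which is a concatenation of EFI_SIGNATURE_LIST structures as laid out in the UEFI specification, and reports whether a given SHA-256 hash entry is present. The sample blob and the hash values in it are constructed placeholders; the efivarfs path is the standard Linux location and is an assumption about the host being checked. The actual hashes to look for must come from the vendor's revocation update, which this advisory does not reproduce.

```python
import struct
import uuid

# GUID that marks SHA-256 hash entries in an EFI_SIGNATURE_LIST (UEFI spec value).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Vendor GUID of the Secure Boot databases (db/dbx). On Linux, efivarfs exposes the
# raw variable at /sys/firmware/efi/efivars/dbx-<GUID> with a 4-byte attribute prefix.
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
LINUX_DBX_PATH = f"/sys/firmware/efi/efivars/dbx-{EFI_IMAGE_SECURITY_DATABASE_GUID}"

# EFI_SIGNATURE_LIST header: SignatureType (16-byte GUID), SignatureListSize,
# SignatureHeaderSize, SignatureSize (three little-endian uint32s) = 28 bytes.
SIGLIST_HEADER_LEN = 28
# Each entry is EFI_SIGNATURE_DATA: SignatureOwner (16-byte GUID) + SignatureData.
OWNER_GUID_LEN = 16


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner, data) for every entry in a dbx payload."""
    off = 0
    while off + SIGLIST_HEADER_LEN <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIGLIST_HEADER_LEN or off + list_size > len(blob):
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        if sig_size <= OWNER_GUID_LEN:
            raise ValueError("SignatureSize too small to hold an owner GUID and data")
        pos = off + SIGLIST_HEADER_LEN + hdr_size
        end = off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + OWNER_GUID_LEN])
            data = blob[pos + OWNER_GUID_LEN:pos + sig_size]
            yield sig_type, owner, data
            pos += sig_size
        off = end


def dbx_contains_sha256(blob: bytes, sha256_hex: str) -> bool:
    """True if the dbx payload carries a SHA-256 entry equal to the given hash."""
    target = bytes.fromhex(sha256_hex)
    return any(t == EFI_CERT_SHA256_GUID and d == target
               for t, _, d in parse_signature_lists(blob))


def revoked_sha256_count(blob: bytes) -> int:
    """Number of SHA-256 hash entries in the dbx payload."""
    return sum(1 for t, _, _ in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID)


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used here to construct test data)."""
    sig_size = OWNER_GUID_LEN + 32
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", SIGLIST_HEADER_LEN + sig_size * len(hashes), 0, sig_size)
    return header + b"".join(owner.bytes_le + h for h in hashes)


def read_linux_dbx(path: str = LINUX_DBX_PATH) -> bytes:
    """Read the live dbx from efivarfs, skipping the 4-byte attributes field."""
    with open(path, "rb") as f:
        return f.read()[4:]


# Constructed sample dbx: two signature lists holding placeholder hashes.
# These values are NOT real revocation entries; they only exercise the parser.
PLACEHOLDER_REVOKED_HASH = "11" * 32
SAMPLE_DBX = (build_sha256_list([bytes.fromhex(PLACEHOLDER_REVOKED_HASH), b"\x22" * 32])
              + build_sha256_list([b"\x33" * 32]))

if __name__ == "__main__":
    print("sample entries:", revoked_sha256_count(SAMPLE_DBX))
    print("placeholder hash revoked:", dbx_contains_sha256(SAMPLE_DBX, PLACEHOLDER_REVOKED_HASH))
```

On a real host, replace `SAMPLE_DBX` with `read_linux_dbx()` and pass the hashes from the applicable revocation update; an empty or very short result means the firmware has not received the update and the bypass described above remains possible on that machine.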

According to ESET, BlackLotus stops its installation if the machine's locale is set to Armenia, Belarus, Kazakhstan, Moldova, Russia, or Ukraine.


How Widespread is BlackLotus?

There is no information available on how widespread BlackLotus is. However, since the malware is being sold on underground forums, its use is expected to pick up.


What is the Status of Protection?

FortiGuard Labs has the following AV signatures in place for the available samples in the report:

  • W64/BlackLotus.A!tr
  • W64/BlackLotus.B!tr
  • W32/PossibleThreat