WeLiveSecurity, the security research wing of ESET anti-malware, released its report on the BlackLotus security vulnerability yesterday. While this security flaw is not exactly new, as it has been doing rounds on the internet since around the middle of last year, what makes this bootkit dangerous is its ability to bypass Secure Boot systems even on fully updated Windows 11 systems (which means previous Windows versions may be vulnerable as well).
And it does not stop there of course, as BlackLotus also makes modifications to the registry to disable Hypervisor-protected Code Integrity (HVCI), which is a Virtualization-based Security (VBS) feature; as well as BitLocker encryption. It also disables Windows Defender by manipulating the Early Launch Anti-Malware (ELAM) driver and Windows Defender file system filter driver. The ultimate purpose is to deploy an HTTP downloader which delivers the malicious payloads.
This bootkit exploit is a year old security boot vulnerability under CVE-2022-21894. Although this vulnerability was already patched last year in January, ESET notes that the exploitation of this is still possible as signed binaries have not yet been added to the UEFI revocation list.
Here is summary of the BlackLotus bootkit according to ESET:
It’s capable of running on the latest, fully patched Windows 11 systems with UEFI Secure Boot enabled.
It exploits a more than one year old vulnerability (CVE-2022-21894) to bypass UEFI Secure Boot and set up persistence for the bootkit. This is the first publicly known, in-the-wild abuse of this vulnerability.
Although the vulnerability was fixed in Microsoft’s January 2022 update, its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list. BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability.
It’s capable of disabling OS security mechanisms such as BitLocker, HVCI, and Windows Defender.
Once installed, the bootkit’s main goal is to deploy a kernel driver (which, among other things, protects the bootkit from removal), and an HTTP downloader responsible for communication with the C&C and capable of loading additional user-mode or kernel-mode payloads.
You can find more technical details on ESET's official blog post here.