A dangerous bootkit has been spotted on the dark web that is able to bypass cybersecurity solutions and install all kinds of malware on a vulnerable endpoint.
A new report by ESET cybersecurity experts claims that the bootkit is most likely BlackLotus, the infamous malware sold on the dark web for around $5,000.
Not only can BlackLotus bypass antivirus programs, it can also run on fully updated Windows 11 devices with UEFI Secure Boot enabled.
Sparing Russia and its neighbors
To make the bootkit work, its developers exploited CVE-2022-21894, a known vulnerability that Microsoft patched over a year ago. However, exploitation is still possible because the properly signed, affected binaries have still not been added to the UEFI revocation list, ESET explained. This means that BlackLotus can bring its own copies of the legitimate but vulnerable binaries and then exploit the vulnerability.
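The revocation list in question is the UEFI DBX variable, a series of EFI_SIGNATURE_LIST structures; a signed binary is only blocked if its hash (or signing certificate) appears there. The following Python is an added example, not code from ESET or Microsoft: it parses the SHA-256 entries of a DBX blob and reports whether a given image hash is revoked, using a constructed DBX and constructed images (a real check would read the variable from the platform, e.g. with Get-SecureBootUEFI -Name dbx on Windows, and hash the PE image the Authenticode way rather than as a flat file).

```python
"""Check whether an image hash is present in a UEFI DBX (revocation list) blob.

Added example, not ESET's or Microsoft's code. The DBX is a sequence of
EFI_SIGNATURE_LIST structures; an image is revoked only if its Authenticode
hash (or its certificate) is listed. Sample data below is constructed.
"""
import hashlib
import struct
import uuid

# GUID marking a signature list whose entries are SHA-256 hashes (UEFI spec).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
LIST_HEADER_LEN = 28  # 16-byte type GUID + three uint32 size fields


def parse_dbx_sha256(blob: bytes) -> set:
    """Return the set of SHA-256 hashes (32-byte values) found in a DBX blob."""
    hashes = set()
    offset = 0
    while offset + LIST_HEADER_LEN <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        if list_size < LIST_HEADER_LEN or offset + list_size > len(blob):
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        if sig_type == EFI_CERT_SHA256_GUID:
            pos = offset + LIST_HEADER_LEN + hdr_size
            end = offset + list_size
            while pos + sig_size <= end:
                # EFI_SIGNATURE_DATA: 16-byte owner GUID, then the hash bytes
                hashes.add(blob[pos + 16:pos + sig_size])
                pos += sig_size
        offset += list_size  # other list types (x509 etc.) are skipped
    return hashes


def build_dbx(hashes) -> bytes:
    """Build one SHA-256 EFI_SIGNATURE_LIST (used here only to construct test data)."""
    sig_size = 16 + 32
    body = b"".join(uuid.UUID(int=0).bytes_le + h for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", LIST_HEADER_LEN + len(body), 0, sig_size)
    return header + body


def is_revoked(image: bytes, dbx: bytes) -> bool:
    """True if the image's hash is listed in the DBX blob. Constructed images are
    hashed as flat files; real PE files need the Authenticode image hash."""
    return hashlib.sha256(image).digest() in parse_dbx_sha256(dbx)


# Constructed sample: one revoked image and one signed-but-still-unrevoked image.
REVOKED_IMAGE = b"constructed old bootloader image"
UNREVOKED_IMAGE = b"constructed signed but vulnerable image"
SAMPLE_DBX = build_dbx([hashlib.sha256(REVOKED_IMAGE).digest()])
```

An image that a Secure Boot platform still accepts, like the one described above, is exactly the case where is_revoked returns False despite a patch existing.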
Once antivirus protection (including Windows Defender) has been disabled, the bootkit can deploy a downloader, which can then install other harmful payloads. Researchers also noted that the installer spares devices located in Armenia, Belarus, Kazakhstan, Moldova, Russia and Ukraine.
BlackLotus is circulating on the dark web and is selling for around $5,000. Until now, however, many researchers had believed that the ads were fake and that the malware did not really exist.
“We can now provide evidence that the bootkit is real and that the ad is not just a scam,” says ESET researcher Martin Smolár. “The small number of BlackLotus samples we were able to obtain, both from public sources and our telemetry, suggests that few cybercriminals have started using it yet. We are concerned that the situation will quickly change if this bootkit falls into the hands of criminal groups, based on the easy deployment of the bootkit and the ability of criminal groups to spread malware through their botnets.”
The ability to control the entire operating system boot process makes UEFI bootkits an extremely powerful weapon, ESET concluded. Threat actors who successfully deploy one can operate covertly on the target endpoint with high privileges. Several UEFI bootkits have been observed in the wild so far.
“The best advice, of course, is to keep the system and its security product up-to-date to increase the chance of stopping a threat from the start before it can reach pre-OS persistence,” concluded Smolár.