Defending Against Blacklotus: UAT's Cyber Security Program Sheds Light on UEFI Attacks
July 5, 2023 | by Aaron Jones
The Blacklotus malware is a UEFI bootkit that targets systems at one of their earliest points of availability: the boot process. ESET malware researcher Martin Smolár noted that the infection begins with an installer that deploys the bootkit files to the EFI system partition, disables the HVCI and BitLocker protections, and reboots the host. After that initial reboot, legitimate binaries vulnerable to CVE-2022-21894 (the Windows Hypervisor Loader, the Windows Boot Manager and related PE binaries) are exploited together with custom Boot Configuration Data (BCD), and the attacker's Machine Owner Key (MOK) is installed; this is how persistence is achieved on machines with UEFI Secure Boot enabled. On the following reboot the self-signed UEFI bootkit is launched, and it deploys the malicious kernel driver and an HTTP downloader, which allow the attacker to complete the installation.
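The installer described above has to switch off or bypass three protections (HVCI, BitLocker and Secure Boot) before the bootkit can persist, so a defender's first check is whether those protections are still in their expected state. The following script is an added example, not code from this article or from ESET; it assumes an elevated PowerShell session on Windows 10/11 with the SecureBoot and BitLocker modules available, and the function name `Get-BootProtectionStatus` is our own.

```powershell
# Added example: baseline check of the three protections the Blacklotus
# installer is described as disabling or bypassing. Not the article's code.
# Assumes an elevated session on Windows 10/11 with UEFI firmware.

function Get-BootProtectionStatus {
    $result = [ordered]@{}

    # UEFI Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS hosts,
    # which we treat as "not protected" rather than as an error.
    try   { $result.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $result.SecureBoot = $false }

    # HVCI: Win32_DeviceGuard lists the running virtualization-based
    # security services; the value 2 is hypervisor-enforced code integrity.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $result.HVCI = ($dg.SecurityServicesRunning -contains 2)

    # BitLocker on the system volume: ProtectionStatus 'On' means the key
    # protectors are armed, not merely that the volume is encrypted.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $result.BitLocker = ($bl.ProtectionStatus -eq 'On')

    [pscustomobject]$result
}

$status = Get-BootProtectionStatus
$status | Format-List

# A protection reporting $false on a host that is supposed to have it on
# matches the state the installer leaves behind; treat it as a lead to
# inspect the EFI system partition and the boot configuration.
$disabled = $status.PSObject.Properties | Where-Object { -not $_.Value }
if ($disabled) {
    Write-Warning ("Boot protections not active: " + ($disabled.Name -join ', '))
}
```

Run it as part of a periodic baseline so a change in any of the three values stands out against the host's known-good state.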