A dangerous bootkit has been spotted on the dark web that is capable of bypassing cybersecurity solutions and installing all kinds of malware on a vulnerable endpoint.
A new report from cybersecurity experts ESET claims the bootkit is, most likely, BlackLotus, a notorious piece of malware that sells on the dark web for around $5,000.
Not only can BlackLotus bypass antivirus programs, but it can also run on fully updated Windows 11 devices with UEFI Secure Boot enabled.
Sparing Russia and its neighbors
To make the bootkit work, its makers exploited CVE-2022-21894, a known vulnerability in the Windows Boot Manager that Microsoft patched more than a year ago. However, exploitation is still possible because the affected, validly signed binaries have not yet been added to the UEFI revocation list (the Secure Boot "dbx" database), ESET explained. This means that BlackLotus can bring its own copies of the legitimate but vulnerable binaries, which firmware with Secure Boot enabled will still accept, and then exploit the flaw.
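The practical check a defender wants after reading the paragraph above is whether a machine's Secure Boot revocation database actually lists the binaries an attacker could bring along. The dbx is a concatenation of EFI_SIGNATURE_LIST structures, and the SHA-256 entries in it are Authenticode (PE image) hashes, not plain file hashes. The following is an added example written for this page, not code from ESET or Microsoft: a parser for that format plus a lookup, run against a constructed dbx blob with made-up hashes. Function names (`parse_signature_lists`, `revoked_sha256_hashes`, `is_revoked`, `build_sha256_list`) are this example's own; the vulnerable boot-manager hashes themselves are not reproduced here.

```python
"""Parse a UEFI Secure Boot dbx (forbidden signature database) blob and check
whether given SHA-256 entries are revoked.

Layout of one EFI_SIGNATURE_LIST (UEFI spec, "Signature Database"):
    EFI_GUID SignatureType;       16 bytes, mixed-endian GUID
    UINT32   SignatureListSize;   size of the whole list incl. this header
    UINT32   SignatureHeaderSize; usually 0
    UINT32   SignatureSize;       size of each EFI_SIGNATURE_DATA entry
    UINT8    SignatureHeader[SignatureHeaderSize];
    EFI_SIGNATURE_DATA Signatures[]; each = SignatureOwner GUID (16) + data
The dbx variable is simply several such lists back to back.
"""
import hashlib
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
HEADER_LEN = 28  # 16-byte GUID + three UINT32 fields


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner_guid, signature_data) for every entry."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        body = off + HEADER_LEN + hdr_size
        if end > len(blob) or body > end:
            raise ValueError("SignatureListSize runs past the blob")
        if sig_size <= 16 or (end - body) % sig_size:
            raise ValueError("signature area is not a whole number of entries")
        while body < end:
            owner = uuid.UUID(bytes_le=blob[body:body + 16])
            yield sig_type, owner, blob[body + 16:body + sig_size]
            body += sig_size
        off = end


def revoked_sha256_hashes(blob: bytes) -> set:
    """All SHA-256 (Authenticode) digests in the dbx, as lowercase hex."""
    return {data.hex() for kind, _owner, data in parse_signature_lists(blob)
            if kind == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, digest_hex: str) -> bool:
    """True if the given Authenticode SHA-256 digest is present in dbx."""
    return digest_hex.lower() in revoked_sha256_hashes(blob)


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Serialise one EFI_SIGNATURE_LIST of SHA-256 entries (used to build
    the constructed sample below; real dbx data comes from the firmware)."""
    sig_size = 16 + 32
    out = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", HEADER_LEN + len(hashes) * sig_size, 0, sig_size)
    for h in hashes:
        out += owner.bytes_le + h
    return out


# Constructed sample: two made-up digests, NOT real revocation entries, plus an
# X.509 list with dummy content to show that non-hash entries are skipped.
SAMPLE_HASHES = [hashlib.sha256(b"constructed-entry-1").digest(),
                 hashlib.sha256(b"constructed-entry-2").digest()]
_DUMMY_CERT = b"\x30\x82" + b"\x00" * 98          # placeholder, not valid DER
SAMPLE_X509_LIST = (EFI_CERT_X509_GUID.bytes_le
                    + struct.pack("<III", HEADER_LEN + 16 + len(_DUMMY_CERT),
                                  0, 16 + len(_DUMMY_CERT))
                    + uuid.UUID(int=0).bytes_le + _DUMMY_CERT)
SAMPLE_DBX = build_sha256_list(SAMPLE_HASHES) + SAMPLE_X509_LIST


if __name__ == "__main__":
    # On Windows the raw bytes come from: (Get-SecureBootUEFI -Name dbx).Bytes
    # On Linux, /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
    # carries a 4-byte attribute prefix that must be stripped first.
    for h in revoked_sha256_hashes(SAMPLE_DBX):
        print("revoked:", h)
    print("known entry revoked?", is_revoked(SAMPLE_DBX, SAMPLE_HASHES[0].hex()))
    print("unknown entry revoked?", is_revoked(SAMPLE_DBX, "00" * 32))
```

Feed it the real dbx from a fully patched host and the Authenticode hashes of the boot managers that CVE-2022-21894 affects: if `is_revoked` returns False for them, the firmware will still load those binaries under Secure Boot and the patch alone has not closed the door the bootkit walks through. Remember that `sha256sum bootmgfw.efi` gives a flat file hash, which will never match a dbx entry; the comparison must use the PE Authenticode digest.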
Once installed, the bootkit disables operating-system security protections, Windows Defender included, and deploys a downloader that can then fetch and install further malicious payloads. The researchers also noticed that some of the installers do not proceed with the infection if the compromised host uses a locale belonging to Armenia, Belarus, Kazakhstan, Moldova, Russia or Ukraine.
Ads for BlackLotus have been making the rounds on dark web forums for some time. However, many researchers believed that the ads were fake and that the malware did not actually exist.
“We can now present evidence that the bootkit is real and the ad is not just a scam,” says ESET researcher Martin Smolár. “The small number of BlackLotus samples we were able to obtain, both from public sources and our telemetry, leads us to believe that not many threat actors have started using it. We are concerned that things will change quickly if this bootkit falls into the hands of criminal software groups, based on the ease of deployment of the bootkit and the capabilities of criminal software groups to spread malware using their botnets.”
The ability to control the entire boot process of the operating system makes UEFI bootkits an extremely powerful weapon, ESET concluded. Threat actors who successfully deploy one can operate on the target endpoint stealthily and with elevated privileges, from a position below the operating system's own defenses. So far, only a handful of UEFI bootkits have been spotted in the wild.
“The best advice, of course, is to keep your system and its security product up-to-date to increase the likelihood of stopping a threat in the first place, before it can achieve persistence before the operating system,” concluded Smolár.