• Yesterday we covered a very interesting and relevant topic, which we will continue today.
Not long ago a fully functional UEFI bootkit, BlackLotus, was being sold on hacker forums for around $5,000. Soon afterwards its source code leaked and was published on GitHub.
• Please note that the information in this post is provided solely for educational and security-awareness purposes! I strongly recommend not breaking the law and respecting other people's rights.
• Let's move on to the description and the necessary links. The bootkit has a built-in Secure Boot bypass, built-in protection against removal at the Ring 0 / kernel level, and it also runs in recovery mode and in safe mode. In addition, BlackLotus can disable security mechanisms on the target machine, including Hypervisor-Protected Code Integrity (HVCI) and Windows Defender, and can bypass User Account Control (UAC). BlackLotus is about 80 kilobytes in size, is written in assembly and C, and includes a geofencing check that avoids infecting machines in the CIS countries.
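• The protections listed above (Secure Boot, HVCI, Defender, UAC) are exactly the ones a defender should verify on a suspect machine. The script below is an added triage example written for this post; it is not code from the original post or from the BlackLotus repository, and it contains no BlackLotus-specific indicators. It reads the state of each protection and lists every .efi binary on the EFI System Partition with its Authenticode status and SHA-256 hash so the set can be compared against a known-good machine. The drive letter S: is an assumption; use any free letter. Run it from an elevated PowerShell session on Windows 10/11.

```powershell
# Added example (not from the original post or the BlackLotus repository):
# read-only triage of the protections BlackLotus is described as disabling
# or bypassing, plus an inventory of bootloaders on the EFI System Partition.
# Requires an elevated session. Drive letter S: is an assumption.

#Requires -RunAsAdministrator

function Get-BootProtectionStatus {
    $result = [ordered]@{}

    # 1. Secure Boot state as reported by the firmware (throws on legacy BIOS).
    try   { $result.SecureBoot = Confirm-SecureBootUEFI }
    catch { $result.SecureBoot = "Unavailable ($($_.Exception.Message))" }

    # 2. VBS / HVCI. SecurityServicesRunning contains 2 when HVCI is active
    #    (1 = Credential Guard); VirtualizationBasedSecurityStatus 2 = running.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $result.VbsStatus   = $dg.VirtualizationBasedSecurityStatus
    $result.HvciRunning = ($dg.SecurityServicesRunning -contains 2)

    # 3. Defender antivirus and real-time protection.
    $mp = Get-MpComputerStatus
    $result.DefenderAV  = $mp.AntivirusEnabled
    $result.DefenderRTP = $mp.RealTimeProtectionEnabled

    # 4. UAC. EnableLUA = 0 means UAC is switched off entirely;
    #    ConsentPromptBehaviorAdmin = 0 means "elevate without prompting".
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $result.UacEnabled     = ($pol.EnableLUA -eq 1)
    $result.UacPromptLevel = $pol.ConsentPromptBehaviorAdmin

    [pscustomobject]$result
}

function Get-EspBootloaders {
    param([string]$Letter = 'S')   # assumed free drive letter
    $drive = "${Letter}:"
    # mountvol /S maps the EFI System Partition; we only read from it.
    mountvol $drive /S | Out-Null
    try {
        Get-ChildItem -Path "$drive\EFI" -Recurse -Include *.efi -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    LastWrite = $_.LastWriteTimeUtc
                    SigStatus = $sig.Status
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                    SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
    finally {
        mountvol $drive /D | Out-Null   # always unmap the ESP
    }
}

Get-BootProtectionStatus | Format-List
Get-EspBootloaders | Sort-Object LastWrite -Descending | Format-Table -AutoSize
```

Two caveats when reading the output. First, a "Valid" Authenticode status only means the binary carries a good Microsoft signature; Secure Boot decides based on the firmware's db/dbx lists, so a legitimately signed but revoked bootloader still shows as Valid here, and the hashes should be compared against a clean reference image rather than trusted on their own. Second, anything a kernel-level implant can reach it can also lie about, so a clean result from inside a running OS is a weaker signal than inspecting the ESP from offline boot media or checking firmware measurements from a TPM-based attestation service.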
• You can study the source code and find a more detailed description on GitHub: https://github.com/ldpreload/BlackLotus
• Since the bootkit's source code is now available to everyone, it is likely that attackers will build on it to create more capable malware that bypasses existing and future countermeasures against such threats.
• Detailed write-ups on how it works:
– BlackLotus UEFI bootkit: Myth confirmed (ESET WeLiveSecurity);
– The Untold Story of the BlackLotus UEFI Bootkit (Binarly);
– BlackLotus Becomes First UEFI Bootkit Malware to Bypass Secure Boot on Windows 11 (The Hacker News).
