Last month, WeLiveSecurity, the security research arm of ESET, released its report on the BlackLotus UEFI bootkit.
If you don’t know, BlackLotus is a UEFI bootkit, and what makes this malware particularly dangerous is its ability to bypass Secure Boot even on fully updated Windows 11 systems. BlackLotus also modifies the registry to disable hypervisor-protected code integrity (HVCI), a virtualization-based security (VBS) feature, as well as BitLocker encryption. It also disables Windows Defender by tampering with the Early Launch Anti-Malware (ELAM) driver and the Windows Defender file system filter driver. The ultimate goal is to deploy an HTTP downloader that delivers a malicious payload.
Although the vulnerability it abuses, dubbed “Baton Drop” (CVE-2022-21894), was patched over a year ago, it is still being exploited because the affected signed binaries have not yet been added to the UEFI revocation list. In recently published guidance, Microsoft summarizes the malicious activities BlackLotus carries out once it has infected a device:
The malware uses CVE-2022-21894 (also known as Baton Drop) to bypass Windows Secure Boot and then deploys malicious files to the EFI System Partition (ESP), from which they are started by the UEFI firmware. This allows the bootkit to:
- Gain persistence by registering the threat actor’s Machine Owner Key (MOK).
- Disable HVCI to allow deployment of the malicious kernel driver.
- Leverage the kernel driver to deploy a user-mode HTTP downloader for command and control (C2).
- Turn off BitLocker to avoid tampering protection strategies on Windows.
- Turn off Microsoft Defender Antivirus to avoid further detection.
In its guidance, the tech giant covers in detail techniques for determining whether an organization’s devices are infected, as well as recovery and prevention strategies. You can read it on Microsoft’s official website.
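As an added example (not from the article, ESET or Microsoft’s guidance), the following elevated PowerShell triage script checks the protections the article says BlackLotus tampers with: Secure Boot, HVCI, BitLocker and Defender, and lists recently modified files on the ESP. The free drive letter S: and the 30-day window are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added defensive triage script; checks protection states, does not remove anything.
$findings = @()

# 1. Secure Boot state (throws on legacy BIOS systems)
try {
    if (-not (Confirm-SecureBootUEFI)) { $findings += "Secure Boot is reported disabled" }
} catch { $findings += "Secure Boot state could not be queried: $($_.Exception.Message)" }

# 2. HVCI: the bootkit disables it through the registry; Enabled=1 means on
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$hvci = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
if ($hvci -ne 1) { $findings += "HVCI not enabled in registry (Enabled=$hvci)" }

# Cross-check the running state: Win32_DeviceGuard code 2 = HVCI running
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -notcontains 2) { $findings += "HVCI is not running" }

# 3. BitLocker protection on the OS volume
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($osVol.ProtectionStatus -ne 'On') {
    $findings += "BitLocker protection is $($osVol.ProtectionStatus) on $env:SystemDrive"
}

# 4. Defender engine and real-time protection
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled) { $findings += "Defender antivirus engine is disabled" }
if (-not $mp.RealTimeProtectionEnabled) { $findings += "Defender real-time protection is disabled" }

# 5. Mount the ESP (assumption: S: is unused) and list files changed in the last 30 days
$espDrive = 'S:'
mountvol $espDrive /S | Out-Null
try {
    Get-ChildItem -Path "$espDrive\EFI" -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
        ForEach-Object { $findings += "ESP file modified recently: $($_.FullName) ($($_.LastWriteTime))" }
} finally {
    mountvol $espDrive /D | Out-Null   # always unmount the ESP again
}

if ($findings.Count -eq 0) { 'No anomalies found in the checked settings.' } else { $findings }
```

A recently modified bootloader file on the ESP or a disabled HVCI value is not proof of infection on its own; compare against known-good systems and follow Microsoft’s guidance for confirmation and recovery.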