'Almost undetectable' hacking tool for sale on malware forum

Supposedly, a rare new type of malware is available on the black market, carrying features normally reserved for state-sponsored hacking tools, features that reportedly make detection by any antivirus software virtually impossible.

Known as BlackLotus, the malware is claimed to be a Unified Extensible Firmware Interface (UEFI) bootkit. UEFI is the computer standard that serves as the interface between the operating system and the firmware: when you turn on your computer, UEFI starts a bootloader, which in turn starts the kernel and the operating system.

Loading during the earliest stage of boot, the malware embeds itself in the system's firmware, which lets it bypass the security controls of antivirus software and so remain undetected.

Heavyweight features

On an online malware forum where BlackLotus licenses are apparently being sold for €5,000 each, the vendor claims that even Secure Boot won't thwart the tool, since it relies on a vulnerable bootloader. They also noted that adding this bootloader to the UEFI revocation list would not fix the issue, as there are currently hundreds of other bootloaders with the same vulnerability that could be used instead.
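The revocation list the vendor refers to is the UEFI `dbx` variable, a sequence of EFI_SIGNATURE_LIST structures holding, among other things, SHA-256 hashes of forbidden bootloaders. The following PowerShell is an added defender-side check, not code from the article or from BlackLotus: it reports whether Secure Boot is on and parses the local `dbx` so an administrator can see how many hashes are revoked and whether a specific hash (the value to check is a placeholder here; real ones come from vendor advisories) is present. It assumes an elevated session on a UEFI Windows machine with the built-in `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` cmdlets.

```powershell
# Added example (not from the article). Run elevated on a UEFI-booted Windows host.

function Get-DbxSha256Entries {
    # Parse the raw dbx variable: consecutive EFI_SIGNATURE_LIST structures.
    # Layout: SignatureType GUID (16) | ListSize (4) | HeaderSize (4) | SigSize (4)
    #         | header (HeaderSize) | N * EFI_SIGNATURE_DATA (owner GUID 16 + data)
    [byte[]]$bytes = (Get-SecureBootUEFI -Name dbx).Bytes
    $sha256Guid = [Guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID
    $hashes = New-Object System.Collections.Generic.List[string]
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        $type       = [Guid]::new([byte[]]($bytes[$offset..($offset + 15)]))
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -lt 48) { break }   # malformed list: stop, do not loop forever
        if ($type -eq $sha256Guid) {
            $sigOffset = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while ($sigOffset + $sigSize -le $end) {
                # Skip the 16-byte SignatureOwner GUID, then read the 32-byte SHA-256 hash.
                $hex = ($bytes[($sigOffset + 16)..($sigOffset + 47)] |
                        ForEach-Object { $_.ToString('x2') }) -join ''
                $hashes.Add($hex)
                $sigOffset += $sigSize
            }
        }
        $offset += $listSize
    }
    return $hashes
}

function Test-DbxContainsHash {
    # True if the given SHA-256 (hex) of a bootloader image is revoked on this machine.
    param([Parameter(Mandatory)][string]$Sha256Hex)
    return ((Get-DbxSha256Entries) -contains $Sha256Hex.ToLower())
}

if (Confirm-SecureBootUEFI) { 'Secure Boot: enabled' } else { 'Secure Boot: DISABLED' }
$entries = Get-DbxSha256Entries
"dbx SHA-256 revocation entries: $($entries.Count)"
# Placeholder hash, not a real indicator; substitute a value from a vendor advisory.
$placeholder = ('00' * 32)
"Placeholder hash revoked: $(Test-DbxContainsHash -Sha256Hex $placeholder)"
```

A machine whose dbx is stale, or where Secure Boot reports disabled, is exactly the state in which a bootkit that abuses an older signed bootloader can load unchallenged.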

Another attribute that makes BlackLotus so potentially dangerous is its apparent Ring 0 (kernel) protection. Computers work through rings of protection that compartmentalize the system into privilege levels according to how critical each part is to the operation of the machine, so that threats and bugs in one level cannot leak into another.

Access becomes increasingly difficult the further in you go. At the heart is Ring 0, which contains the kernel: it is what connects your software to your hardware. This ring represents the highest level of privilege, so if BlackLotus really operates with Ring 0 protection, it would be extremely difficult to get rid of.

The vendor also claimed that BlackLotus can disable Windows Defender and comes with anti-debugging features to evade malware scans.

No longer only in state hands

Experts warn that malware of BlackLotus's calibre is no longer the exclusive preserve of governments and states. Sergey Lozhkin, Principal Security Researcher at Kaspersky, said: "Previously, these threats and technologies were only accessible to the guys who develop advanced persistent threats, mainly governments. Today, these kinds of tools are in the hands of criminals on the forums."

Last year, another UEFI bootkit called ESPecter was discovered that was apparently designed at least 10 years ago for use with system BIOSes, the precursor to UEFI. The availability of such bootkits outside state groups remains very rare, at least for now.

Another security expert, Eclypsium CTO Scott Scheferman, tried to temper concerns by saying that BlackLotus's claims still cannot be verified: while it may represent progress in terms of ease of access to such powerful tools, it may still be in the early stages of development and may not work as effectively as advertised.

Either way, progress moves very quickly in the world of cybercrime, and if profits can be made from producing and using such powerful malware, there will be no shortage of demand for its development and improvement. Once the cat is out of the bag, it is very difficult to put it back in.