This Dangerous UEFI Bootkit Can Hack Your Windows PC Easily


A dangerous bootkit has been detected on the dark web, capable of bypassing security products and installing all kinds of malware on a vulnerable endpoint.

A new report from cybersecurity experts ESET claims that the bootkit is most likely BlackLotus, an infamous malware that sells on the dark web for around €5,000.

BlackLotus can not only bypass antivirus programs, but can also work on fully updated Windows 11 devices with UEFI Secure Boot enabled.

Spares Russia and its neighbors

To get the bootkit running, its creators exploit CVE-2022-21894, a known vulnerability that Microsoft patched more than a year ago. Exploitation is still possible because the affected, validly signed binaries have not yet been added to the UEFI revocation list (the DBX database), ESET explained. This means BlackLotus can bring its own copies of the legitimate but vulnerable binaries to the target and exploit the flaw through them, since Secure Boot still accepts their signatures.

After disabling the antivirus (including Windows Defender), the bootkit can deploy a downloader that then installs further malicious payloads. The researchers also noted that the installer will not proceed on devices located in Armenia, Belarus, Kazakhstan, Moldova, Russia, and Ukraine.

BlackLotus has been advertised on the dark web for some time at around €5,000. However, many researchers believed that the ads were fake and that the malware did not really exist.

"Now we can present evidence that the bootkit is real and that the ad is not just a scam," says ESET researcher Martin Smolár. "The low number of BlackLotus samples that we have been able to obtain, both from public sources and from our telemetry, leads us to believe that few malicious actors have started using it so far. This could change quickly if this bootkit falls into the hands of crimeware groups, due to the ease of deployment of the bootkit and the ability of crimeware groups to spread malware through their botnets."

The ability to control the entire operating system boot process makes UEFI bootkits an extremely powerful weapon, ESET concluded. Attackers who successfully deploy one can operate on the target endpoint stealthily and with elevated privileges. So far, only a handful of UEFI bootkits have been observed in the wild.

"The best advice, of course, is to keep your system and security product up-to-date to increase the chances that a threat will be stopped before it can achieve pre-OS persistence," Smolár concluded.