The Slovak cybersecurity company ESET has discovered the first publicly known malware capable of bypassing Secure Boot defenses in Unified Extensible Firmware Interface (UEFI) bootkits, called BlackLotus. The bootkit is capable of running on fully updated Windows 11 systems, disabling OS-level security mechanisms, and deploying arbitrary payloads during startup with high privileges.
According to ESET, BlackLotus is programmed in Assembly and C, is 80 kilobytes in size, and is available for purchase at $5,000 (with a subsequent version costing $200). The malware also includes geofencing capabilities, avoiding infection in several countries.
BlackLotus exploits CVE-2022-21894, a security flaw that allows arbitrary code execution during early boot phases, enabling malicious actors to carry out harmful actions on systems with UEFI Secure Boot enabled without requiring physical access. The vulnerability was addressed in Microsoft’s January 2022 Patch Tuesday update, but the affected, validly signed binaries have yet to be added to the UEFI revocation list, making its exploitation still possible.
The bootkit turns off security mechanisms like BitLocker, Hypervisor-protected Code Integrity (HVCI), and Windows Defender, while dropping a kernel driver and an HTTP downloader to communicate with a command-and-control (C2) server to retrieve additional user-mode or kernel-mode malware.
The exact modus operandi used to deploy the bootkit is still unknown, but it starts with an installer component that writes files to the EFI system partition, disables HVCI and BitLocker, and reboots the host. Following the restart, CVE-2022-21894 is weaponized to achieve persistence and install the bootkit, which is then automatically executed on every system start to deploy the kernel driver.
ESET researcher Martin Smolár said that “many critical vulnerabilities affecting security of UEFI systems have been discovered in the last few years. Unfortunately, due the complexity of the whole UEFI ecosystem and related supply-chain problems, many of these vulnerabilities have left many systems vulnerable even a long time after the vulnerabilities have been fixed.” Smolár further noted that it was just a matter of time before someone would take advantage of these failures and create a UEFI bootkit capable of operating on systems with UEFI Secure Boot enabled.
The security community is encouraged to remain vigilant and take appropriate measures to secure their systems against such attacks.