BlackLotus Malware Bypasses UEFI Secure Boot on Windows 11 PCs


Security researchers at ESET published an analysis this week of BlackLotus, a UEFI bootkit. The research warns that BlackLotus can bypass Secure Boot even on fully updated Windows 11 PCs.

Secure Boot is a UEFI firmware feature that checks the digital signature of every boot loader and firmware driver before running it, and refuses anything unsigned, signed by an untrusted key, or listed in the firmware's revocation database (dbx). Almost all modern hardware with UEFI firmware supports it, and on a Windows PC it ensures that only boot components signed by keys the OEM has provisioned, in practice Microsoft's, are allowed to start. It is not a general anti-malware control: it only protects the boot chain.

Kaspersky first reported the BlackLotus bootkit back in October 2022. It exploits CVE-2022-21894 (also known as "Baton Drop"), a Secure Boot bypass in the Windows boot manager that was already a year old by the time the bootkit appeared. Microsoft patched the flaw in January 2022, and a proof-of-concept exploit has been publicly available since August 2022.

According to ESET malware analyst Martin Smolár, the flaw can still be exploited because the vulnerable Windows binaries are still validly signed and have never been added to the UEFI revocation list (dbx), so an attacker can simply bring their own copies of them. BlackLotus copies those binaries and its own files to the EFI System Partition (ESP) and uses CVE-2022-21894 to get its code running before the operating system. From that position it can disable security features on the victim's machine, including Windows Defender, Hypervisor-protected Code Integrity (HVCI), and BitLocker encryption.

[Figure: BlackLotus execution overview]

Once it controls the boot process, BlackLotus also loads a kernel driver and an HTTP downloader. The kernel driver protects the bootkit's files on the ESP so that they cannot be removed from within the running system, and the HTTP downloader fetches and executes further payloads.

What are the mitigations and remediation strategies to block the BlackLotus malware?

ESET recommends keeping Windows PCs and security products up to date so that the installer is detected before it ever reaches the ESP. Once a system is infected, the only reliable remediation is to reinstall the operating system and remove the attackers' enrolled Machine Owner Key (MOK) with the mokutil utility, a Linux tool, so this step is done from a Linux environment. We invite you to check out ESET's blog post for more details.
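A practitioner reading this will want a way to check their own fleet. The script below is an added example written for this article; it is not ESET's code and contains no BlackLotus indicators. It assumes it runs in an elevated PowerShell session on a UEFI machine, that drive letter `S:` is free to mount the ESP on, and it uses hypothetical function names (`Get-DbxSha256Hashes`, `Get-EspFindings`, `Invoke-BootkitTriage`). It reports Secure Boot state, parses the firmware's dbx revocation list (the list that, as noted above, still lacks the binaries BlackLotus abuses), and flags files in the Windows boot directory whose Authenticode signature is invalid or not Microsoft's, or whose names look like Linux shim/GRUB loaders.

```powershell
#Requires -RunAsAdministrator
# Added example, not ESET's code: triage a UEFI Windows host for tampering of the
# EFI System Partition (ESP). Assumes an elevated session, UEFI boot, and that the
# drive letter below is unused.
$EspDrive = 'S:'   # assumed free drive letter

function Get-SecureBootState {
    # $true/$false as reported by firmware; $null when the platform has no UEFI Secure Boot
    try { Confirm-SecureBootUEFI } catch { $null }
}

function Get-DbxSha256Hashes {
    # Walk the EFI_SIGNATURE_LIST chain stored in the dbx variable and collect every
    # EFI_CERT_SHA256 entry (a PE Authenticode digest) as an upper-case hex string.
    $sha256Type = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID
    $b = (Get-SecureBootUEFI -Name dbx).Bytes
    $set = New-Object 'System.Collections.Generic.HashSet[string]'
    $off = 0
    while ($off + 28 -le $b.Length) {
        $type     = [guid]::new([byte[]]$b[$off..($off + 15)])
        $listSize = [BitConverter]::ToUInt32($b, $off + 16)
        $hdrSize  = [BitConverter]::ToUInt32($b, $off + 20)
        $sigSize  = [BitConverter]::ToUInt32($b, $off + 24)
        if ($listSize -lt 28) { break }                      # malformed list: stop parsing
        if ($type -eq $sha256Type -and $sigSize -eq 48) {    # 16-byte owner GUID + 32-byte hash
            $p = $off + 28 + $hdrSize
            while ($p + $sigSize -le $off + $listSize) {
                $hex = ($b[($p + 16)..($p + 47)] | ForEach-Object { $_.ToString('X2') }) -join ''
                [void]$set.Add($hex)
                $p += $sigSize
            }
        }
        $off += $listSize
    }
    return $set
}

function Get-EspFindings {
    param([string]$Drive)
    $bootDir  = "$Drive\EFI\Microsoft\Boot"
    $findings = @()
    foreach ($f in Get-ChildItem -Path "$Drive\EFI" -Recurse -File -ErrorAction SilentlyContinue) {
        $reasons = @()
        $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $inBootDir = $f.FullName -like "$bootDir\*"
        # Every PE in the Windows boot directory must carry a valid Microsoft signature.
        # A loader signed with an attacker's MOK chains to no root Windows trusts, so it fails here.
        if ($inBootDir -and $f.Extension -ieq '.efi' -and
            ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation')) {
            $reasons += "signature status $($sig.Status), signer '$signer'"
        }
        # Heuristic: the Windows boot manager itself is signed with the "Microsoft Windows"
        # production certificate, not with the third-party UEFI CA used for other vendors' loaders.
        if ($f.Name -ieq 'bootmgfw.efi' -and $signer -notmatch 'CN=Microsoft Windows,') {
            $reasons += 'bootmgfw.efi not signed by the Microsoft Windows certificate'
        }
        # shim/GRUB-style names have no business next to bootmgfw.efi.
        if ($inBootDir -and $f.Name -match '^(shim|grub)') {
            $reasons += 'Linux-style loader name in Windows boot directory'
        }
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Path    = $f.FullName
                SHA256  = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash  # full-file hash for IoC matching
                Reasons = $reasons -join '; '
            }
        }
    }
    return $findings
}

function Invoke-BootkitTriage {
    Write-Host "Secure Boot enabled: $(Get-SecureBootState)"
    & mountvol $EspDrive /S | Out-Null          # expose the normally hidden ESP
    if ($LASTEXITCODE -ne 0) { throw "could not mount the ESP on $EspDrive" }
    try {
        $dbx = try { Get-DbxSha256Hashes } catch { $null }
        Write-Host "dbx SHA-256 entries: $(if ($dbx) { $dbx.Count } else { 'unavailable' })"
        if ($dbx) { $dbx | Set-Content -Path '.\dbx-sha256.txt' }   # for offline comparison
        $findings = Get-EspFindings -Drive $EspDrive
        if ($findings.Count -eq 0) { Write-Host 'No suspicious ESP binaries found.' }
        else { $findings | Format-Table -AutoSize -Wrap }
    } finally {
        & mountvol $EspDrive /D | Out-Null      # always unmount the ESP again
    }
}

Invoke-BootkitTriage
```

Two caveats matter when reading the output. First, the legitimate but vulnerable Windows binaries the bootkit relies on are Microsoft-signed and will pass the signature check; the dbx dump exists so you can compare it against the revocation entries Microsoft publishes, and it holds PE Authenticode digests, not the whole-file SHA-256 values the script records for IoC matching. Second, a clean run does not prove a clean host: the kernel driver described above runs inside the booted system and can hide or protect files, so a negative result should be confirmed from offline media.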