BlackLotus UEFI malware source code has leaked on GitHub

Alfonso Maruccia

WTF?! BlackLotus was first discovered in October 2022, and it has since been described as one of the most complex and dangerous threats against the secure Windows boot process. The bootkit will likely become even more dangerous in the near future, as a modified version of its source code is now available for download to all.

Script kiddies and other less competent cyber-criminals can now have a peek at the heart of the beast: the source code of BlackLotus, the "invisible" UEFI bootkit capable of defeating the most advanced security features of a fully updated Windows installation, has been uploaded to GitHub by an unknown user going by the name "yukari."

The BlackLotus bootkit was initially discovered by security researchers on underground marketplaces, where the malware authors were selling a "license" to use their creation for $5,000. They also offered a "rebuild" of the malware code with custom features for $200, though the original source code of the malicious program was seemingly kept private.

On the BlackLotus GitHub page, Yukari describes the software as an "innovative" UEFI Bootkit designed to target Windows PCs. The malware provides a built-in Secure Boot bypass process, the ability to protect its code with OS kernel privileges (Ring 0), and an HTTP loader to get instructions and additional code from remote servers.

BlackLotus was initially designed to exploit the so-called "Baton Drop" security vulnerability (CVE-2022-21894), which Microsoft fixed in January 2022. After this first patch, Redmond released a new update for yet another Secure Boot bypass issue (CVE-2023-24932); that update was designed to revoke malicious boot managers.

The corporation provided detailed instructions on how to detect a stealthy BlackLotus infection, plus additional guidance on how to manually install Boot Manager revocations to finally close every hole exploited by the bootkit known so far.

However, the source code version released on GitHub (v2) does not contain any code capable of exploiting the CVE-2022-21894 flaw, while payloads for UEFI loading, infection and "post-exploitation persistence" are the same as the original release. Traditional antivirus software cannot detect or remove BlackLotus, the leaker notes. Additionally, advanced security features such as UAC, HVCI, and BitLocker are rendered ineffective.

According to Alex Matrosov, co-founder and CEO of security company Binarly, who broke the news about the BlackLotus source code availability, most of the "tricks" and techniques used in the bootkit have been known for years. The real threat now comes from the fact that every malware writer or cyber-criminal can study how the BlackLotus authors did their job, combining previously known techniques with new exploits and tricks. More advanced and dangerous bootkits could soon become the norm.
