Beware the BlackLotus, cyber analyst warns Windows 11 users


A malicious hacking kit being sold on dark web forums for $5,000 has become the first of its kind to bypass the UEFI Secure Boot cybersecurity program on fully updated Windows 11 systems, says analyst ESET.

Known as BlackLotus, the bootkit – defined as malicious code that allows a threat actor to take remote control of a computer without the legitimate user’s knowledge – has been on sale at underground web forums at least since October last year.

“UEFI Bootkits are very powerful threats, having full control over the OS [operating system] boot process,” said ESET, adding that the bootkit had the capacity to disable security mechanisms and deliver payloads to unsuspecting targets.

“This allows them to operate very stealthily and with high privileges,” it said. “So far, only a few have been discovered in the wild and publicly described.”

ESET said it first suspected BlackLotus activities after conducting telemetry, or a digital sweep, late last year that red-flagged an HTTP downloader, which turned out to be a component of the malicious program.

Malware that’s even worse than usual

“After an initial assessment, code patterns found in the samples brought us to the discovery of six BlackLotus installers,” said ESET. “This allowed us to explore the whole execution chain and to realize that what we were dealing with here is not just regular malware.”

Things that make BlackLotus stand out from a bad crowd in ESET’s estimation include its capacity to run on “the latest, fully patched Windows 11 systems with UEFI Secure Boot enabled” and the fact that it can disable “OS security mechanisms such as BitLocker, HVCI, and Windows Defender.”

And while the bug was ostensibly fixed by Microsoft back in January last year, BlackLotus has a workaround thanks to shortcomings in a digital blacklist that mean systems remain vulnerable to the malicious software.

“Its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list,” said ESET. “BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability.”

For an in-depth breakdown of the case as tracked by ESET, click here.