Sinister BlackLotus UEFI Bootkit For Windows Goes Up For Sale On Hacking Forum
by
Ryan Whitwam
—
Wednesday, October 19, 2022, 12:31 PM EDT
The conventional wisdom when you think you've picked up some nasty Windows malware is to wipe the disk and reinstall from scratch, and that's enough to clean up most infections. It won't help against a new piece of malware being sold on hacking forums, though. Security researchers are sounding the alarm over a new UEFI bootkit called BlackLotus. The tool is expensive, but it offers threat actors the ability to take control of Windows machines, evade detection, and persist across operating system reinstalls.
As a bootkit, BlackLotus loads on an infected system before Windows does, which makes it hard for antimalware tools running at the operating system level to detect. It reportedly exploits a vulnerability that is still present in hundreds of bootloaders in active use, which lets it bypass Secure Boot, and it can run in Safe Mode and recovery mode as well.
BlackLotus is small, just 80KB on disk, but feature-rich. It works as an HTTP loader, fetching further payloads and giving the attacker control of the system through a web-based panel. It comes with anti-virtual-machine, anti-debugging, and code obfuscation features that make it harder to detect and analyze. Once deployed, BlackLotus can disable vital Windows security features such as Hypervisor-Protected Code Integrity (HVCI), Windows Defender, and User Account Control.
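The two paragraphs above describe the protections the bootkit is said to switch off and the Secure Boot bypass it is said to use. The script below is an added triage example written for this article; it is not BlackLotus code, nor anything from the researchers quoted here. It records whether Secure Boot, HVCI, Defender real-time protection and UAC are still enabled, and lists and hashes every file on the EFI system partition so it can be compared against a known-good machine. It assumes Windows 10 or 11, an elevated PowerShell session, and that drive letter S: is free for mounting the EFI partition.

```powershell
# Added example (not from the article): record the state of the protections the
# article says BlackLotus disables, plus Secure Boot, and inventory the EFI
# system partition where a bootkit has to live to load before Windows.
# Run from an elevated PowerShell prompt on Windows 10/11.
# Caveat: a bootkit that runs before the OS can tamper with what these queries
# return, so a clean result means "no visible damage", not "no bootkit".

$findings = @()

# Secure Boot enforcement (SecureBoot module, built into Windows).
try {
    if (-not (Confirm-SecureBootUEFI)) {
        $findings += 'Secure Boot is disabled'
    }
} catch {
    $findings += "Secure Boot state could not be read: $($_.Exception.Message)"
}

# HVCI: Win32_DeviceGuard lists the security services that are running;
# value 2 means Hypervisor-enforced Code Integrity is active.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -notcontains 2) {
    $findings += 'HVCI is not running'
}

# Microsoft Defender antivirus and real-time protection.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
    $findings += 'Defender antivirus or real-time protection is off'
}

# User Account Control: EnableLUA = 0 turns UAC off entirely.
$lua = Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA'
if ($lua -eq 0) {
    $findings += 'UAC (EnableLUA) is disabled'
}

# EFI system partition inventory: mount it on S: (assumed free), hash every
# file, then unmount. Compare the list against a known-good install of the
# same Windows build; an extra or changed bootloader is what to look for.
mountvol S: /S | Out-Null
try {
    $efiFiles = Get-ChildItem -Path 'S:\EFI' -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName
            SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
} finally {
    mountvol S: /D | Out-Null
}

if ($findings.Count -eq 0) {
    'No protection appears to have been switched off.'
} else {
    'Findings:'
    $findings | ForEach-Object { " - $_" }
}
'EFI system partition contents:'
$efiFiles | Format-Table -AutoSize
```

The protection checks only catch the side effects the article describes; the EFI partition listing is the part that survives a Windows reinstall, which is why it is worth taking from a clean machine ahead of time and keeping as a baseline.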
According to Kaspersky lead security researcher Sergey Lozhkin, this is a troubling escalation of online threats. Until now, UEFI bootkits of this sophistication have been the preserve of government-backed threat actors. BlackLotus, however, is available to anyone with $5,000 for a license, with subsequent versions priced at $200 per upgrade. Scott Scheferman of security firm Eclypsium calls BlackLotus a "leap forward" in hacking tools, but notes that its advertised capabilities are unconfirmed. Until someone in the security community obtains a sample and examines it in a lab, the only description available is the word of those who buy and sell malware on hacker forums.
If there's a silver lining, it's that you're unlikely to pick this up simply by browsing the web. Installing a bootkit means writing to the machine's EFI system partition, so an attacker first needs a foothold on the machine or its local network with enough privilege to do that.