| BlackLotus | |
|---|---|
| Malware details | |
| Technical name | trojan.blacklotus |
| Family | BlackLotus |
| Cyberattack event | |
| Target | Windows 10 and Windows 11 systems [1] |
| Technical details | |
| Abused exploits | Baton Drop (CVE-2022-21894) |
| Written in | Assembly |
BlackLotus is UEFI bootkit malware, first publicly reported in 2022, that bypasses Microsoft's Secure Boot on fully up-to-date Windows systems. It gives an attacker persistent, stealthy control of infected machines at the firmware level, which makes detection and removal particularly difficult. [2]
BlackLotus operates as a bootkit, meaning it infects a system during the boot process, before the operating system loads. Unlike traditional bootkits that rely on outdated firmware or misconfigurations, BlackLotus exploits a Windows bootloader vulnerability known as Baton Drop (CVE-2022-21894) that had already been patched, but whose vulnerable bootloader was still trusted. [3] Because that bootloader remained cryptographically signed and trusted by Secure Boot, the malware was able to execute even on systems with Secure Boot enabled. The malware primarily targets Windows 10 and Windows 11 systems running on UEFI firmware. [4]
Secure Boot is a security feature designed to ensure that only trusted software loads during system startup. BlackLotus bypasses this protection by manipulating the Boot Configuration Data and loading an older, vulnerable Windows bootloader whose signature had not yet been revoked by Secure Boot at the time of discovery. [5] Once loaded, BlackLotus installs a malicious UEFI component that executes before the Windows kernel, maintains persistence across operating system reinstalls, and can disable or tamper with security mechanisms. This allows BlackLotus to disable Windows security features including BitLocker, Hypervisor-Protected Code Integrity, and Windows Defender components. [6]
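The revocation mechanism the paragraph above depends on can be illustrated concretely. Secure Boot firmware rejects an image whose hash (or signing certificate) appears in the forbidden-signatures database (dbx), which is stored as a sequence of EFI_SIGNATURE_LIST structures defined by the UEFI specification. The following Python is an added illustration, not code from the article or from any BlackLotus analysis: it builds a constructed dbx blob, parses it, and shows that a validly signed bootloader is accepted until its digest is added to dbx. The owner GUID, the sample "bootloader" byte strings and the flat SHA-256 digests are constructed for the example; real dbx entries carry the PE Authenticode digest of the image.

```python
"""Parse a UEFI Secure Boot forbidden-signatures (dbx) blob and check whether a
boot image's digest has been revoked.  Added illustration; not code from the
article or from any BlackLotus analysis."""
import hashlib
import struct
import uuid

# GUID that marks SHA-256 hash entries inside an EFI_SIGNATURE_LIST (UEFI spec).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Hypothetical owner GUID used for the constructed entries below.
SAMPLE_OWNER_GUID = uuid.UUID("00000000-0000-0000-0000-000000000001")
# EFI_SIGNATURE_LIST header: SignatureType GUID (16) + three UINT32 fields.
SIG_LIST_HDR = 28


def build_sha256_signature_list(digests, owner=SAMPLE_OWNER_GUID):
    """Serialize one EFI_SIGNATURE_LIST holding SHA-256 entries (test fixture)."""
    sig_size = 16 + 32                      # SignatureOwner GUID + 32-byte digest
    list_size = SIG_LIST_HDR + sig_size * len(digests)
    out = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    for d in digests:
        out += owner.bytes_le + d
    return out


def parse_signature_lists(blob):
    """Return [(signature_type, owner, data), ...] from back-to-back EFI_SIGNATURE_LISTs."""
    entries = []
    off = 0
    while off + SIG_LIST_HDR <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        # Reject lists that overrun the blob or would loop forever on a zero-size entry.
        if list_size < SIG_LIST_HDR or end > len(blob) or sig_size < 16:
            raise ValueError("malformed or truncated EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + SIG_LIST_HDR + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, bytes(blob[pos + 16:pos + sig_size])))
            pos += sig_size
        off = end
    return entries


def revoked_sha256_digests(dbx_blob):
    """Set of SHA-256 digests the firmware will refuse to boot."""
    return {data for t, _owner, data in parse_signature_lists(dbx_blob)
            if t == EFI_CERT_SHA256_GUID}


def is_revoked(image_digest, dbx_blob):
    """True when the digest is in dbx: Secure Boot rejects the image even though
    its signature still verifies against the allowed-signatures database (db)."""
    return image_digest in revoked_sha256_digests(dbx_blob)


# Constructed sample images (not real bootloaders).  Real dbx entries hold the PE
# Authenticode digest of the image rather than a flat file hash; a flat SHA-256 is
# used here only because the samples are plain byte strings.
OLD_BOOTLOADER = b"constructed: vulnerable but validly signed bootloader"
NEW_BOOTLOADER = b"constructed: patched bootloader"
OLD_DIGEST = hashlib.sha256(OLD_BOOTLOADER).digest()
NEW_DIGEST = hashlib.sha256(NEW_BOOTLOADER).digest()

# dbx before a revocation update: only an unrelated entry, so the vulnerable
# bootloader is still accepted by firmware.
DBX_BEFORE = build_sha256_signature_list([hashlib.sha256(b"constructed: unrelated").digest()])
# dbx after the update: a second list carrying the vulnerable bootloader's digest.
DBX_AFTER = DBX_BEFORE + build_sha256_signature_list([OLD_DIGEST])

if __name__ == "__main__":
    for label, blob in (("before update", DBX_BEFORE), ("after update", DBX_AFTER)):
        print(f"{label}: vulnerable bootloader revoked={is_revoked(OLD_DIGEST, blob)}, "
              f"patched bootloader revoked={is_revoked(NEW_DIGEST, blob)}")
```

The same parser can be pointed at a live system's dbx: on Windows, `(Get-SecureBootUEFI -Name dbx).Bytes` in PowerShell returns the raw variable contents, and on Linux the file `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` holds the same data after a four-byte attributes prefix. Comparing the Authenticode digest of each EFI binary on the system against the parsed set is the check that tells an administrator whether a still-signed but vulnerable bootloader would be accepted.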
BlackLotus achieves persistence by embedding itself in the EFI System Partition. [7] Because this partition is typically not scanned by antivirus software and is rarely modified by users, the malware can survive operating system reinstallation, disk-level malware removal tools, and some firmware updates. This persistence also allows BlackLotus to load kernel-mode drivers and to act as a platform for deploying additional payloads. [8]
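Because the EFI System Partition is rarely inspected, a practical defence is to record a baseline of the files it contains and re-check that baseline later. The Python below is an added example, not code from the article or from any vendor tool: it hashes every file under an ESP mount point, compares the result with an earlier baseline, and reports files that were added, removed or modified. The directory layout and file contents are constructed inside a temporary directory so the example runs offline; the `demo()` function, the file names it creates and the simulated tampering are all assumptions made for illustration.

```python
"""Baseline-and-compare integrity check for files on a mounted EFI System Partition.
Added example; not code from the article.  The ESP layout below is constructed."""
import hashlib
import json
import os
import tempfile


def hash_tree(root):
    """Map each file under root (relative path, forward slashes) to its SHA-256 hex digest."""
    result = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                result[rel] = hashlib.sha256(f.read()).hexdigest()
    return result


def compare(baseline, current):
    """Return (added, removed, changed) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, changed


def save_baseline(path, tree):
    """Persist a baseline so a later run can compare against it."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(tree, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def write_file(root, rel, data):
    """Helper for the constructed sample: create rel (forward-slash path) under root."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed ESP layout, baseline it, simulate tampering, and diff."""
    with tempfile.TemporaryDirectory() as esp, tempfile.TemporaryDirectory() as store:
        # Constructed stand-ins for the Windows boot manager and BCD store.
        write_file(esp, "EFI/Microsoft/Boot/bootmgfw.efi", b"constructed: boot manager")
        write_file(esp, "EFI/Microsoft/Boot/BCD", b"constructed: boot configuration data")
        baseline_path = os.path.join(store, "esp-baseline.json")
        save_baseline(baseline_path, hash_tree(esp))

        # Simulated tampering: an unexpected EFI binary appears and the BCD store changes.
        write_file(esp, "EFI/Microsoft/Boot/unexpected.efi", b"constructed: unexpected binary")
        write_file(esp, "EFI/Microsoft/Boot/BCD", b"constructed: modified BCD")

        return compare(load_baseline(baseline_path), hash_tree(esp))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:  ", added)
    print("removed:", removed)
    print("changed:", changed)
```

On a real Windows system the ESP is normally unmounted; `mountvol S: /S` attaches it to a drive letter so `hash_tree("S:\\")` can read it, and the baseline should be taken from a known-good installation and stored off the machine. Legitimate Windows updates do change files under `EFI\Microsoft\Boot`, so a reported change is a prompt to verify the file's Authenticode signature and origin rather than proof of compromise on its own.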
BlackLotus was first observed in the wild by security researchers in 2022 and publicly detailed in early 2023. Analysis revealed that, prior to its public disclosure, the malware had been advertised and sold on underground forums for thousands of dollars as an assembly-based bootkit. [9] Security researchers noted that although the exploited bootloader vulnerability had been patched, Microsoft had not revoked the vulnerable bootloader's signature, allowing it to remain trusted by Secure Boot. [10]