New BlackLotus UEFI Bootkit for Windows Sold on Cybercrime Forums

Vlad CONSTANTINESCU

October 18, 2022

Cybercriminals are advertising a devastating new malicious tool on underground cybercrime forums. Dubbed BlackLotus, the malware is a novel UEFI bootkit for Windows that brings APT capabilities to threat actors, allowing them to wreak havoc on compromised systems while avoiding detection.

Perpetrators can buy BlackLotus outright for a one-time $5,000 fee, and each upgrade to a new version costs $200. The malware is compact: written in assembly and C, it takes up just 80 KB on disk. The seller says it works on systems anywhere in the world except in the Commonwealth of Independent States (CIS).

The alleged seller claims that the bootkit includes Ring 0 (kernel-level) protection against removal and an integrated Secure Boot bypass, which the seller says eliminates the need for regular agent updates. The seller further claims that antivirus software will be unable to detect or remove the bootkit once it has been installed.

BlackLotus packs even more detection evasion features, including anti-virtualization (anti-VM), code obfuscation, and anti-debugging. It can also bypass User Account Control (UAC) and disable BitLocker, HVCI, and Windows Defender, according to cybersecurity expert Scott Scheferman.

To make matters worse, BlackLotus is said to let threat actors load unsigned drivers on compromised machines. That removes the constraint that makes Bring Your Own Vulnerable Driver (BYOVD) attacks necessary in the first place: with driver signature enforcement and HVCI out of the way, an attacker no longer has to smuggle in a legitimately signed but flawed driver to run code in the kernel.

UEFI bootkits like BlackLotus are an aggressive form of rootkit that persist in the boot chain itself. BIOS-era bootkits did this by overwriting the master boot record or volume boot record; a UEFI bootkit instead plants or replaces boot components on the EFI System Partition (ESP) so that the firmware hands control to it before the Windows boot manager runs. Because a bootkit loads before the operating system, booting into recovery or safe mode does not get around it, and because it runs before the kernel, it is positioned to tamper with the kernel-mode protections that load later.
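The two paragraphs above describe what a bootkit of this kind tampers with (Secure Boot, HVCI, BitLocker, Defender) and where it persists (the boot chain on the ESP). The following read-only triage script is an added example, not code from the article or from any published BlackLotus analysis: it records the state of those protections and snapshots the EFI System Partition so it can be compared against a baseline taken from a known-good build of the same image. It uses only built-in cmdlets; the drive letter S: and the baseline file path are assumptions you can change.

```powershell
# Added example: read-only boot-protection triage for a Windows UEFI system.
# Not from the article. Run from an elevated PowerShell session.
# Assumptions: S: is free to use for mounting the ESP; the baseline JSON path below.
#Requires -RunAsAdministrator

$report = [ordered]@{}

# 1. Secure Boot state. Confirm-SecureBootUEFI throws on legacy-BIOS machines,
#    so treat an exception as "no UEFI Secure Boot" rather than as an error.
try   { $report.SecureBoot = Confirm-SecureBootUEFI }
catch { $report.SecureBoot = "unavailable: $($_.Exception.Message)" }

# 2. HVCI (memory integrity). SecurityServicesRunning contains 2 when HVCI is active.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$report.HVCIRunning = [bool]($dg.SecurityServicesRunning -contains 2)

# 3. Defender and BitLocker on the OS volume.
$mp = Get-MpComputerStatus
$report.DefenderAV       = $mp.AntivirusEnabled
$report.DefenderRealTime = $mp.RealTimeProtectionEnabled
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report.BitLocker        = "$($os.ProtectionStatus) / $($os.VolumeStatus)"

# 4. Snapshot every file under \EFI on the ESP with its SHA-256.
#    mountvol <letter> /S mounts the ESP; /D dismounts it again.
$esp = 'S:'                                    # assumed free drive letter
if (Test-Path "$esp\") { throw "$esp is already in use; pick another letter" }
mountvol $esp /S | Out-Null
try {
    $files = Get-ChildItem -Path "$esp\EFI" -Recurse -File -ErrorAction Stop |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName.Substring($esp.Length)
                Size   = $_.Length
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
} finally {
    mountvol $esp /D | Out-Null
}

# 5. Diff against the baseline. A new file under \EFI, or a changed hash for
#    \EFI\Microsoft\Boot\bootmgfw.efi, is the thing to investigate.
$baselinePath = "$env:ProgramData\esp-baseline.json"   # assumed location
if (Test-Path $baselinePath) {
    $baseline = Get-Content -Path $baselinePath -Raw | ConvertFrom-Json
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $files -Property Path, SHA256
    $report.ESPChanges = if ($diff) { ($diff | Format-Table -AutoSize | Out-String).Trim() } else { 'none' }
} else {
    $files | ConvertTo-Json -Depth 3 | Set-Content -Path $baselinePath
    $report.ESPChanges = "no baseline yet; wrote $($files.Count) entries to $baselinePath"
}

[pscustomobject]$report | Format-List
```

Treat the output as a screening aid, not proof of absence: a kernel-resident bootkit can filter what the running operating system reports, so a clean result from a live system is weaker evidence than the same ESP listing taken after booting from trusted external media. The first run writes the baseline, so take it on a freshly provisioned machine, not on one you already suspect.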

Malware like BlackLotus has typically been associated with seasoned threat actors such as ransomware gangs, state-backed hackers, and advanced persistent threat (APT) groups. However, the tool's new availability to buyers outside those groups could spell bad news for everyone.
