Cybercriminals are advertising a devastating new malicious tool on underground cybercrime forums. Dubbed BlackLotus, the malware is a novel UEFI bootkit for Windows that brings APT capabilities to threat actors, allowing them to wreak havoc on compromised systems while avoiding detection.
Perpetrators can buy BlackLotus outright for a one-time $5,000 fee, while upgrading to a new version costs only $200. The malware is written in assembly and C, has an on-disk footprint of just 80 KB, and, according to the listing, works anywhere in the world except in the Commonwealth of Independent States (CIS).
The alleged seller claims that the bootkit includes Ring 0 (kernel) protection against removal and an integrated Secure Boot bypass, which is said to eliminate the need for regular updates to the implant. The seller further claims that antivirus software will be unable to detect or remove the bootkit once it has been installed.
BlackLotus packs further detection-evasion features, including anti-virtualization (anti-VM), code obfuscation, and anti-debugging. It can also bypass User Account Control (UAC) and disable BitLocker, HVCI, and Windows Defender, according to cybersecurity expert Scott Scheferman.
To make matters worse, BlackLotus could allow threat actors to load unsigned drivers onto compromised machines, defeating Windows Driver Signature Enforcement and paving the way for Bring Your Own Vulnerable Driver (BYOVD)-style attacks.
UEFI bootkits like BlackLotus are an aggressive form of rootkit that achieve persistence by inserting themselves into the UEFI boot chain, typically by planting or replacing boot files on the EFI System Partition (ESP), rather than in the master boot record or volume boot record that legacy BIOS bootkits targeted. Since bootkits are crafted to load before the operating system, they cannot be dodged by booting into recovery or safe mode, and they can tamper with the kernel and security software before those ever start.
Malware like BlackLotus has typically been associated with seasoned threat actors such as ransomware gangs, state-backed hackers, and advanced persistent threat (APT) groups. However, the tool's recently widened availability outside these groups could spell bad news for everyone.
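For defenders, the practical takeaway from the two preceding paragraphs is a baseline: know what your machines' boot protections and boot manager look like before something like this lands. The script below is an added example (it is not from the article, the seller, or any vendor) that records the state of the protections the article says BlackLotus disables (Secure Boot, HVCI, Defender real-time protection, BitLocker) and hashes and signature-checks the Windows boot manager on the EFI System Partition so the values can be compared against a known-good baseline. The drive letter S: used to mount the ESP is an assumption; any unused letter works. Run it from an elevated PowerShell prompt.

```powershell
# Added example: read-only boot-protection and ESP triage for a Windows host.
# Assumptions: elevated prompt, UEFI firmware, and drive letter S: unused.
#Requires -RunAsAdministrator

$report = [ordered]@{}

# 1. Secure Boot state. Confirm-SecureBootUEFI throws on legacy-BIOS machines,
#    so treat the exception as "not applicable" rather than as a failure.
try   { $report.SecureBoot = Confirm-SecureBootUEFI }
catch { $report.SecureBoot = "unsupported: $($_.Exception.Message)" }

# 2. HVCI. SecurityServicesRunning contains 2 only when hypervisor-enforced
#    code integrity is actually running, not merely configured by policy.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                      -ClassName Win32_DeviceGuard
$report.HVCIRunning = ($dg.SecurityServicesRunning -contains 2)

# 3. Defender real-time protection.
$report.DefenderRealTime = (Get-MpComputerStatus).RealTimeProtectionEnabled

# 4. BitLocker on the OS volume (ProtectionStatus On/Off, VolumeStatus encrypted or not).
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report.BitLocker = "$($os.ProtectionStatus) ($($os.VolumeStatus))"

# 5. Mount the EFI System Partition, hash and signature-check the Windows boot
#    manager, list the top-level vendor directories, then dismount again.
$esp = 'S:'
mountvol $esp /S | Out-Null
try {
    $bootmgr = Join-Path $esp 'EFI\Microsoft\Boot\bootmgfw.efi'
    $report.BootMgrSHA256    = (Get-FileHash -Algorithm SHA256 $bootmgr).Hash
    $sig = Get-AuthenticodeSignature $bootmgr
    $report.BootMgrSignature = "$($sig.Status) / $($sig.SignerCertificate.Subject)"
    # Directories on the ESP other than the ones your firmware and OS vendors
    # put there are worth a second look.
    $report.ESPVendorDirs = (Get-ChildItem (Join-Path $esp 'EFI') -Directory).Name -join ', '
}
finally {
    mountvol $esp /D | Out-Null
}

$report.GetEnumerator() | ForEach-Object { '{0,-18} {1}' -f $_.Key, $_.Value }
```

Two caveats apply. First, bootmgfw.efi legitimately changes with Windows updates, so a hash mismatch is a prompt to compare against the hash from a freshly patched reference machine, not proof of compromise on its own. Second, this script runs on top of the very kernel a bootkit would have subverted, so a negative result from a live host is weaker evidence than an offline check of the ESP from trusted boot media.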