BlackLotus bypasses Secure Boot, Microsoft Defender, VBS, BitLocker on updated Windows 11


    Karlston


    WeLiveSecurity, ESET's security research blog, published its report on the BlackLotus UEFI bootkit yesterday. The bootkit itself is not new, having circulated since last year, but what makes it dangerous is its ability to bypass UEFI Secure Boot even on fully updated Windows 11 systems, which implies that earlier Windows versions are exposed as well.

    And it does not stop there. According to ESET, BlackLotus also modifies the registry to disable Hypervisor-protected Code Integrity (HVCI), a Virtualization-based Security (VBS) feature, and disables BitLocker drive encryption. It neutralises Windows Defender by tampering with Defender's Early Launch Anti-Malware (ELAM) driver and its file system filter driver. The end goal is to deploy an HTTP downloader that fetches the attackers' payloads from their command-and-control server.

    The flaw the bootkit exploits is CVE-2022-21894, a Secure Boot bypass in Microsoft's boot manager that is now more than a year old. Although Microsoft patched it in January 2022, ESET notes that exploitation remains possible because the vulnerable, still validly signed boot binaries have not been added to the UEFI revocation list (the dbx variable). Secure Boot trusts signatures, not patch levels: until the old binaries are revoked in dbx, firmware will still load them, so an attacker with local administrator access can simply bring an unrevoked copy along.

    Here is a summary of the BlackLotus bootkit, as given by ESET:

    • It’s capable of running on the latest, fully patched Windows 11 systems with UEFI Secure Boot enabled.

    • It exploits a more than one year old vulnerability (CVE-2022-21894) to bypass UEFI Secure Boot and set up persistence for the bootkit. This is the first publicly known, in-the-wild abuse of this vulnerability.

    • Although the vulnerability was fixed in Microsoft’s January 2022 update, its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list. BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability.

    • It’s capable of disabling OS security mechanisms such as BitLocker, HVCI, and Windows Defender.

    • Once installed, the bootkit’s main goal is to deploy a kernel driver (which, among other things, protects the bootkit from removal), and an HTTP downloader responsible for communication with the C&C and capable of loading additional user-mode or kernel-mode payloads.
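    The tampering described in the article and in ESET's summary above leaves host-side traces that can be triaged without any special tooling. The following PowerShell script is an added example written for this page; it is not code from the article, from ESET or from the bootkit analysis. It assumes a Windows 10/11 host booted via UEFI, an elevated PowerShell session, and that drive letter S: is free for mounting the EFI System Partition; the 30-day "recently written" window is an arbitrary triage threshold. The script checks Secure Boot state and dbx size, the HVCI/VBS registry values and whether HVCI is actually running, the state of the Defender ELAM (WdBoot) and minifilter (WdFilter) drivers, and lists every .efi file on the ESP with its hash so unexpected copies of boot binaries stand out.

```powershell
#Requires -RunAsAdministrator
# Added triage script (not from the article or from ESET). Assumptions: Windows
# 10/11 with UEFI, run from an elevated PowerShell, and drive letter S: free to
# mount the EFI System Partition. Every hit is a signal to investigate, not proof.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Secure Boot state and dbx size. BlackLotus runs WITH Secure Boot on, so
#    "True" proves nothing by itself; the dbx byte count is only useful against a
#    baseline you recorded earlier (revocation of old boot managers lands there).
try {
    "Secure Boot enabled : $(Confirm-SecureBootUEFI)"
    "dbx size (bytes)    : $((Get-SecureBootUEFI -Name dbx).Bytes.Length)"
} catch {
    $findings.Add("Secure Boot state unreadable: $($_.Exception.Message)")
}

# 2. HVCI / VBS policy in the registry (documented Microsoft locations), cross-
#    checked against what the hypervisor reports as actually running.
$dg   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$vbs  = (Get-ItemProperty $dg -Name EnableVirtualizationBasedSecurity -ErrorAction SilentlyContinue).EnableVirtualizationBasedSecurity
$hvci = (Get-ItemProperty "$dg\Scenarios\HypervisorEnforcedCodeIntegrity" -Name Enabled -ErrorAction SilentlyContinue).Enabled
if ($vbs  -ne 1) { $findings.Add("VBS not enabled in registry (EnableVirtualizationBasedSecurity=$vbs)") }
if ($hvci -ne 1) { $findings.Add("HVCI not enabled in registry (HypervisorEnforcedCodeIntegrity\Enabled=$hvci)") }

$guard = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
# SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
if ($guard -and ($guard.SecurityServicesRunning -notcontains 2)) { $findings.Add("HVCI is not running") }

# 3. Defender drivers. WdBoot is the ELAM driver: it must be boot-start, but ELAM
#    drivers are normally unloaded once boot completes, so check StartMode rather
#    than State. WdFilter is the file system minifilter and must be loaded.
$drivers  = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='WdBoot' OR Name='WdFilter'"
$wdboot   = $drivers | Where-Object Name -eq 'WdBoot'
$wdfilter = $drivers | Where-Object Name -eq 'WdFilter'
if (-not $wdboot   -or $wdboot.StartMode -ne 'Boot')  { $findings.Add("WdBoot (ELAM) missing or not boot-start: $($wdboot.StartMode)") }
if (-not $wdfilter -or $wdfilter.State -ne 'Running') { $findings.Add("WdFilter not running: $($wdfilter.State)") }
$loaded = fltmc filters 2>$null
if (-not ($loaded -match 'WdFilter')) { $findings.Add("WdFilter not in the loaded minifilter list (fltmc)") }

# 4. ESP contents. The bootkit brings its own copies of signed-but-vulnerable boot
#    binaries, so list every .efi file with its hash and flag recent writes.
#    The 30-day window is an arbitrary triage threshold.
$esp = 'S:'
mountvol $esp /S | Out-Null
try {
    $cutoff = (Get-Date).AddDays(-30)
    foreach ($f in Get-ChildItem "$esp\EFI" -Recurse -Filter *.efi -ErrorAction SilentlyContinue) {
        $hash = (Get-FileHash $f.FullName -Algorithm SHA256).Hash
        "{0,-60} {1} {2:yyyy-MM-dd}" -f $f.FullName, $hash, $f.LastWriteTime
        if ($f.LastWriteTime -gt $cutoff) { $findings.Add("Recently written ESP file: $($f.FullName)") }
    }
} finally {
    mountvol $esp /D | Out-Null
}
# The SHA-256 above is a flat file hash for your own baseline/diff. It is NOT what
# dbx stores (Authenticode PE image hashes), so never compare the two directly.

''
'--- Findings ---'
if ($findings.Count) { $findings } else { 'No obvious signals. Absence of findings is not proof of a clean host.' }
```

    Run it once on a known-good build to record the dbx size and the ESP file hashes, then diff later runs against that baseline. A bootkit with a kernel driver can lie to user mode, so a clean result from a live system is weaker evidence than the same checks performed from offline media against the mounted disk.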

    More technical details, including indicators of compromise, are available in ESET's full blog post.
