Jump to content
Login new information ×
Login new information
  • Security & Privacy News

    Microsoft posts guide for Windows Secure Boot, Defender, VBS, BitLocker-bypassing BlackLotus

    Karlston

    By Karlston,
    Published Date:

    • 485 views
    • 2 minutes
     Share
    • 485 views
    • 2 minutes

    Last month, WeLiveSecurity, the security research wing of ESET anti-malware solutions, released its report on the BlackLotus security vulnerability.

     

    If you aren't aware, BlackLotus is a UEFI bootkit, and what makes this malware particularly dangerous is its ability to bypass Secure Boot systems even on updated Windows 11 systems. Besides that, BlackLotus also makes modifications to the registry to disable Hypervisor-protected Code Integrity (HVCI), which is a Virtualization-based Security (VBS) feature; as well as BitLocker encryption. It also disables Windows Defender by manipulating the Early Launch Anti-Malware (ELAM) driver and Windows Defender file system filter driver. The ultimate purpose is to deploy an HTTP downloader which delivers the malicious payloads.

     

    Although the security vulnerability dubbed "Baton Drop" (CVE-2022-21894) was patched a year ago, it is still exploited as signed binaries have not yet been added to the UEFI revocation list. In a recently published guidance, Microsoft has summarized the malicious activities BlackLotus does after it has managed to infest:

     

    The malware uses CVE-2022-21894 (also known as Baton Drop) to bypass Windows Secure Boot and subsequently deploy malicious files to the EFI System Partition (ESP) that are launched by the UEFI firmware. This allows the bootkit to:

     

    1. Achieve persistence by enrolling the threat actor’s Machine Owner Key (MOK)
    2. Turn off HVCI to allow deployment of a malicious kernel driver
    3. Leverage the kernel driver to deploy the user-mode HTTP downloader for command and control (C2)
    4. Turn off Bitlocker to avoid tamper protection strategies on Windows
    5. Turn off Microsoft Defender Antivirus to avoid further detection

     

    In its guidance, the tech giant has covered, in detail, the techniques to determine if the devices in an organization are infected, as well as recovery and prevention strategies. You can read it on Microsoft's official website.

     

     

    Microsoft posts guide for Windows Secure Boot, Defender, VBS, BitLocker-bypassing BlackLotus

     Share
    Go to news

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.

    ×

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...