A new and rare type of malware is purportedly available on the black market and contains features normally reserved for state hacking tools that make it almost impossible to detect by any antivirus software.
The malware, known as BlackLotus, is allegedly a Unified Extensible Firmware Interface (UEFI) bootkit. UEFI is a computing standard that acts as an interface between the operating system and the firmware; when the computer is turned on, UEFI initiates the bootloader, which in turn boots the kernel and the operating system.
By loading at this earliest stage of the boot process, the malware embeds itself beneath the operating system, allowing it to bypass the security checks of antivirus software and thus remain undetected.
Heavyweight features
On an online malware forum where BlackLotus licenses are apparently selling for $5,000 each, the vendor claims that even Secure Boot won’t thwart the tool because a vulnerable bootloader is used. In addition, they noted that adding this bootloader to the UEFI reference list would not solve the problem, as there are currently hundreds of other bootloaders with the same vulnerability that could be used instead.
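The claim above turns on the UEFI forbidden-signatures database (dbx): Secure Boot refuses to run a bootloader whose hash or signer appears there, so a revocation only helps if the firmware's dbx actually contains the vulnerable binary. The following added example (written for this article, not code from the article, the vendor or any firmware project) parses a dbx blob in the EFI_SIGNATURE_LIST layout and reports whether a given bootloader's SHA-256 appears in it. The sample blob is constructed from made-up hashes and is labelled as such; the Linux efivarfs path and the GUID constants are taken from the UEFI specification and are assumptions about where a real dbx would be read from.

```python
"""Parse a UEFI Secure Boot 'dbx' variable and check whether a bootloader hash
is revoked.

Added example for this article; not code from the article or any vendor.
Assumptions: the EFI_SIGNATURE_LIST layout from the UEFI specification, the
EFI_CERT_SHA256_GUID value, and a constructed sample blob embedded below.
"""
import struct
import uuid

# EFI_CERT_SHA256_GUID (UEFI spec): entries are SHA-256 hashes of PE images,
# e.g. a revoked bootloader binary.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# EFI_SIGNATURE_LIST header: SignatureType (GUID, 16 bytes) followed by
# SignatureListSize, SignatureHeaderSize and SignatureSize (UINT32, little-endian).
_LIST_HDR = struct.Struct("<16sIII")


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner_guid, data) for every entry in a
    concatenation of EFI_SIGNATURE_LIST structures, as stored in db/dbx."""
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < _LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, offset)
        if list_size < _LIST_HDR.size or offset + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        sig_type = uuid.UUID(bytes_le=raw_type)
        body_start = offset + _LIST_HDR.size + hdr_size
        body_end = offset + list_size
        # Each signature is a 16-byte owner GUID followed by the signature data.
        if sig_size < 16 or (body_end - body_start) % sig_size:
            raise ValueError("bad SignatureSize")
        for pos in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
        offset = body_end


def revoked_sha256_hashes(blob: bytes) -> set:
    """Return the set of revoked PE SHA-256 hashes (lower-case hex) in a dbx blob."""
    return {data.hex() for sig_type, _, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_SHA256_GUID}


def is_revoked(blob: bytes, pe_sha256_hex: str) -> bool:
    """True if the firmware's dbx would refuse to boot an image with this hash."""
    return pe_sha256_hex.lower() in revoked_sha256_hashes(blob)


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Construct one EFI_SIGNATURE_LIST of SHA-256 entries. Used here only to
    build a labelled sample; a real dbx is read from firmware NVRAM."""
    sig_size = 16 + 32
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes)
    hdr = _LIST_HDR.pack(EFI_CERT_SHA256_GUID.bytes_le,
                         _LIST_HDR.size + len(body), 0, sig_size)
    return hdr + body


# Constructed sample: two made-up hashes, NOT real revocation entries.
SAMPLE_REVOKED = ["11" * 32, "22" * 32]
SAMPLE_DBX = build_sha256_list(SAMPLE_REVOKED)


def load_linux_dbx(path="/sys/firmware/efi/efivars/dbx-d719b2cb-3d43-4596-a3bc-dad00e67656f") -> bytes:
    """Read dbx from efivarfs on Linux (assumed path; the GUID is
    EFI_IMAGE_SECURITY_DATABASE_GUID). The first 4 bytes are variable attributes."""
    with open(path, "rb") as f:
        return f.read()[4:]


if __name__ == "__main__":
    print(len(revoked_sha256_hashes(SAMPLE_DBX)), "revoked hashes in sample dbx")
    print("sample hash revoked:", is_revoked(SAMPLE_DBX, "11" * 32))
```

On a real machine, feed `load_linux_dbx()` (or the bytes from Windows' `Get-SecureBootUEFI -Name dbx`) to `revoked_sha256_hashes` and compare the count against the size of the current vendor revocation update; a dbx with only a handful of entries is the situation the vendor's claim exploits, since a signed-but-vulnerable bootloader that is absent from it will still pass Secure Boot.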
Another feature that makes BlackLotus so potentially dangerous is the apparent ring 0/kernel protection. Computers operate using guard rings that divide the system into different levels depending on how fundamental they are to the operation of the machine to prevent potential hazards and faults from escaping to other parts.
Gaining access becomes increasingly difficult the deeper the ring. The core is ring 0, which contains the kernel: this is what connects your software to the hardware. This ring represents the highest level of privilege in terms of access, so if BlackLotus does indeed have ring 0 protection, it would be extremely difficult to get rid of it.
The vendor also claimed that BlackLotus has the ability to disable Windows Defender and comes with an anti-debug feature to prevent the malware from being detected during scanning.
It is no longer in the hands of the state
Experts warn that malware on the scale of BlackLotus is no longer the exclusive domain of governments and states. Sergei Lozhkin, Principal Security Researcher at Kaspersky, stated: “Previously, these threats and technologies were only available to people who developed advanced persistent threats, mainly governments. Now these kinds of tools are in the hands of criminals in all forums.”
Last year another UEFI bootkit known as ESPecter was discovered, apparently designed at least 10 years ago for use in BIOSes, the precursors of UEFI. The availability of such bootkits outside of state groups still remains very rare, at least for now.
Another security expert – Eclypsium’s chief cyber strategist Scott Scheferman – tried to assuage concerns by saying that the claims made about BlackLotus could not yet be verified, maintaining that while it may represent a step forward in terms of ease of access to such powerful tools, it may still be in the early stages of production and not perform as effectively as claimed.
Regardless, progress in the cybercriminal world is very fast, and if you can profit from the production and use of such powerful malware, there will be no shortage of demand for its development and improvement. Once the cat is out of the bag, it is very difficult to put it back in.