BlackLotus UEFI Bootkit Detection: Exploits CVE-2022-21894 to Bypass UEFI Secure Boot and Disables OS Security Mechanisms

An increasing number of Unified Extensible Firmware Interface (UEFI) security flaws uncovered in the last couple of years give the green light to offensive forces to exploit them. In 2022, the infamous in-the-wild MoonBounce malware caused a massive stir in the cyber threat arena distributed via the UEFI bootkit. Another malware of such kind, called BlackLotus, currently ravages in the wild, which can be considered the first-ever highly evasive UEFI bootkit capable of bypassing significant security mechanisms.

Detecting BlackLotus UEFI Bootkit

Being the very first malware leveraged in the wild to bypass Microsoft´s Security Boot mechanism, BlackLotus bootkit poses a significant menace to cyber defenders globally. To detect the malicious activity associated with BlackLotus cyber attacks, SOC Prime´s Detection as Code Platform offers a set of relevant Sigma rules: 

Possible Firmware File Was Created In System Directories By Non-System Process (via file_event)

The first rule by the SOC Prime Team identifies the creation of firmware file in the System32 directory made by non-system binary that might be further abused for malicious purposes. The detection is compatible with 20+ SIEM, EDR, and XDR platforms and is aligned with the MITRE ATT&CK® framework v12, addressing the Defense Evasion tactic with System Firmware (T0857) as the corresponding technique.

Possible Disabling of Core Isolation Memory Integrity (via registry_set)

This second rule, developed by our seasoned Threat Bounty developer Nattatorn Chuensangarun, detects disabling Core Isolation Memory Integrity, also known as Hypervisor-protected Code Integrity (HVCI), via a registry setting. The detection is compatible with 15+ SIEM, EDR, and XDR platforms and is aligned with the MITRE ATT&CK® framework v12, addressing the Defense Evasion tactic with Impair Defenses (T1562) and Modify Registry (T1112) as the corresponding techniques. 

Aspiring threat researchers looking for ways to contribute to collective cyber defense are welcome to join the ranks of the Threat Bounty Program crowdsourced initiative. Write detection code backed by Sigma and ATT&CK, share your expertise with industry peers, and get bounty for the quality and speed of your work while constantly improving your Detection Engineering skills. 

To date, SOC Prime Platform aggregates a batch of detection rules to identify the malicious activity associated with malware abusing UEFI functionality. Hit the Explore Detections button to check the detection algorithms accompanied by the corresponding ATT&CK references, threat intelligence links, and other relevant metadata.

Explore Detections

BlackLotus UEFI Bootkit Exploiting CVE-2022-21894: Attack Description

Unified Extensible Firmware Interface (UEFI) is a state-of-the-art technology and a specification for a software program, which is widely used to facilitate the machine’s boot sequence and connect a computer’s firmware to its operating system (OS). In recent years, UEFI vulnerabilities have become a lure to attackers leveraging them in a broad range of offensive operations. The most popular malware samples delivered using the UEFI bootkit are LoJax, the first in-the-wild UEFI firmware implant, MosaicRegressor, and MoonBounce, the latter being a landmark in a UEFI rootkit evolution due to its hard-to-detect sophisticated capabilities.

A novel UEFI bootkit known as BlackLotus has been actively distributed on hacking forums since mid-autumn 2022. BlackLotus is the first publicly known UEFI bootkit, which is capable of bypassing a significant security functionality, UEFI Secure Boot, and can run on the most up-to-date, fully patched Windows 11 systems.

According to the latest report by the ESET security community, BlackLotus can pose a significant menace to compromised users due to its ability to gain full control over the OS boot process, which can further lead to disabling critical OS security protection and spreading multiple payloads at the early OS startup stages. 

First, threat actors execute an installer to disable OS security protection and reboot the compromised machine. Further on, they weaponize a legacy Secure Boot vulnerability tracked as CVE-2022-21894, which is still exploitable regardless of its patching by Microsoft at the turn of 2022, and then enroll the adversary Machine Owner Key to gain malware persistence. Upon further reboots, the installed BlackLotus deploys a kernel driver to retain the malware persistence and a final user-mode component, an HTTP downloader, the latter being in charge of C2 communication to drop additional payloads on the compromised system.

The novel malware continues to gain momentum in the cyber threat arena, being actively spread on underground forums. BlackLotus is advertised on the dark web as a highly evasive UEFI bootkit that involves a set of anti-virtual-machine, anti-debug, and obfuscation techniques, which requires careful attention from cyber defenders to mitigate its impact. As the primary mitigation measure to help organizations remediate the threat, cyber defenders recommend timely upgrading the system and security programs to the latest versions. 

Stay ahead of adversaries before they strike by leveraging https://socprime.com/. Search for current and emerging threats, instantly reach relevant Sigma rules mapped to ATT&CK and enriched with comprehensive cyber threat context to continuously strengthen your organization’s cybersecurity posture.