
BlackLotus Malware

A malware threat that cybersecurity researchers are describing as 'nearly undetectable' has been confirmed to be offered for sale on hacker forums. Tracked as BlackLotus, the malware can infect the most fundamental levels of a computer and become extremely difficult to remove. In fact, its capabilities put it on par with the threatening tools observed as part of the arsenal of state-sponsored hacking groups and APTs (Advanced Persistent Threats). Apparently, interested cybercriminals could obtain a license from the creators of the threat for $5000.

Infection at Lowest Boot State

BlackLotus is described as a UEFI (Unified Extensible Firmware Interface) bootkit. UEFI is a widely used specification for the software that mediates between the OS (operating system) and the firmware; the firmware, in turn, is the software that provides low-level control of the system's hardware components. UEFI replaced the legacy BIOS (Basic Input/Output System) boot firmware. In short, UEFI is among the first code to run when a computer is turned on, and it precedes the booting of the kernel and the OS. According to the seller, the threatening features of the BlackLotus Malware include Secure Boot bypass, Ring 0/kernel-level protection against removal, and the ability to start in Safe Mode.

Even More Threatening Features

BlackLotus is apparently also equipped with anti-VM, anti-debug and code obfuscation features intended to frustrate any analysis attempt. The developer of the threat claims that BlackLotus is entirely undetectable by anti-malware security solutions because it runs hidden within a legitimate process under the breached device's SYSTEM account. Attackers also could use the threat to disable several security protections built into Windows, such as HVCI (Hypervisor-Protected Code Integrity), UAC (User Account Control) and even Microsoft Defender (previously known as Windows Defender).

Dealing with BlackLotus by adding it to the UEFI revocation list will also fail to provide any meaningful result, as the exploited vulnerability is present in hundreds of bootloaders that are still in use.
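As an added defender-side check (not part of this entry or of any vendor tooling), the following PowerShell script reports the state of the protections this entry says BlackLotus targets or disables: Secure Boot, the UEFI revocation list (DBX), HVCI, UAC and Microsoft Defender. It assumes an elevated PowerShell session on Windows 10/11 with the SecureBoot, CimCmdlets and Defender modules available.

```powershell
# Added defender-side check, not from the original entry. Each probe is guarded so
# that one unavailable feature (legacy BIOS, missing Defender) does not abort the rest.

function Get-BootProtectionStatus {
    $status = [ordered]@{}

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS or without admin rights.
    try   { $status.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $status.SecureBoot = "unknown ($($_.Exception.Message))" }

    # UEFI revocation list (DBX). The entry notes that revoking the abused bootloader is
    # impractical, so this only records whether the DBX variable carries any entries.
    try   { $status.DbxBytes = (Get-SecureBootUEFI -Name dbx).Bytes.Length }
    catch { $status.DbxBytes = "unknown ($($_.Exception.Message))" }

    # HVCI: Win32_DeviceGuard lists running services; value 2 = hypervisor-enforced code integrity.
    try {
        $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
        $status.HvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
    } catch { $status.HvciRunning = "unknown ($($_.Exception.Message))" }

    # UAC: EnableLUA = 0 means User Account Control is switched off.
    $lua = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
               -Name EnableLUA -ErrorAction SilentlyContinue
    $status.UacEnabled = if ($null -ne $lua) { $lua.EnableLUA -eq 1 } else { 'unknown' }

    # Microsoft Defender: antimalware service and real-time protection state.
    try {
        $mp = Get-MpComputerStatus
        $status.DefenderService  = [bool]$mp.AMServiceEnabled
        $status.DefenderRealTime = [bool]$mp.RealTimeProtectionEnabled
    } catch { $status.DefenderService = "unknown ($($_.Exception.Message))" }

    [pscustomobject]$status
}

$s = Get-BootProtectionStatus
$s | Format-List

# Flag every boolean protection that is not $true (disabled or unreadable). A protection
# unexpectedly off on a host that should enforce it is a lead to investigate, not proof
# of infection; DbxBytes is a count and is reported, not flagged.
$s.PSObject.Properties |
    Where-Object { $_.Name -ne 'DbxBytes' -and $_.Value -ne $true } |
    ForEach-Object { Write-Warning "$($_.Name): $($_.Value)" }
```

Compare the output against the baseline you expect for the machine's build; a DBX of zero bytes or a Secure Boot value of "unknown" on UEFI hardware deserves a closer look.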
