Earlier this week it was brought to my attention that a certain #UEFI #bootkit offering is now for sale on underground criminal forums. It is called Black Lotus. I've reviewed its features and capabilities and right off the bat, these are the salient points that every blue team and red team alike should be fully aware of. This thing is only $5000 per license and $200 more to roll new versions as needed after that. Considering this tradecraft used to be relegated to APTs like the Russian GRU and APT 41 (China nexus), and considering prior criminal discoveries we've made alongside Adv-Int (e.g. Trickbot's #Trickboot module), this represents a bit of a 'leap' forward, in terms of ease of use, scalability, accessibility and most importantly, the potential for much more impact in the forms of persistence, evasion and/or destruction. The features that stand out to me the most, I've captured in bullet form. Let me know if you have any questions on any of them:

• Written in assembly and C, only 80kb in size
• Works globally other than in CIS states, filterable by Geo, etc.
• Anti-VM and Anti-Debug with Code Obfuscation
• Bypasses UAC, Secure Boot, and Can Load Unsigned Drivers
• Disables HVCI, BitLocker, Windows Defender
• Persists on the UEFI with Ring 0 agent protection
• Fully featured Install Guide with SOPs and FAQs
• Stable and scales to a high number of bots, full backend API (PHP/SQL)
• Fully featured tasking, file transfer, robust security, all needed functionality possible to persist and operate indefinitely within an environment undetected (perhaps for years, akin to current UEFI implants in the wild that are discovered 2-5 years after they begin)
• Vendor independent, uses a signed bootloader if Secure Boot enabled, wild distribution potential across IT and OT environments.
Thank you Pierluigi Paganini for getting the word out via your platform: https://securityaffairs.co/wordpress/137252/malware/black-lotus-uefi-rootkit.html
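An added example, not code from the post or from any of the vendors mentioned: a PowerShell audit a defender can schedule on Windows 10/11 hosts to record the state of the protections the post lists as targets (Secure Boot, HVCI, BitLocker, Defender) and flag drift against a stored baseline. The baseline path is an assumption; run it elevated.

```powershell
# Added example (not from the post). Records Secure Boot / HVCI / BitLocker / Defender
# state and compares it with a baseline so a silent change stands out.
# Assumption: baseline location; any writable, ACL-protected path will do.
$BaselinePath = 'C:\ProgramData\BootIntegrity\baseline.json'

function Get-BootProtectionState {
    $secureBoot = $null   # stays $null on legacy BIOS or when the query is not permitted
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $hvci = [bool]($dg.SecurityServicesRunning -contains 2)

    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $mp    = Get-MpComputerStatus

    [pscustomobject]@{
        SecureBoot  = $secureBoot
        HVCI        = $hvci
        BitLockerOS = ($osVol.ProtectionStatus -eq 'On')
        DefenderAV  = [bool]$mp.AntivirusEnabled
        DefenderRTP = [bool]$mp.RealTimeProtectionEnabled
    }
}

function Compare-BootProtectionState {
    param([pscustomobject]$Current, [pscustomobject]$Baseline)
    foreach ($p in $Current.PSObject.Properties.Name) {
        if ($Current.$p -ne $Baseline.$p) {
            [pscustomobject]@{ Setting = $p; Baseline = $Baseline.$p; Current = $Current.$p }
        }
    }
}

$current = Get-BootProtectionState
if (-not (Test-Path $BaselinePath)) {
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline recorded at $BaselinePath"
    exit 0
}

$baseline = Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json
$drift = @(Compare-BootProtectionState -Current $current -Baseline $baseline)
if ($drift.Count -gt 0) {
    # A protection that was on at baseline and is now off deserves a ticket, not a reboot:
    # firmware-resident persistence survives an OS reinstall.
    $drift | Format-Table -AutoSize
    exit 1
}
Write-Output 'No drift from baseline.'
```

Feed the exit code to whatever runs the scheduled task so a non-zero result raises an alert rather than just a log line.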
Pretty nasty. Looks like local admin is needed to mount the infection? Maybe remote/drive-by infection?... Looks like nation state level tooling based on the features you show. The industry has been seeing a lot of very advanced cyber weapons roll out publicly since the war.
When it comes to #UEFI security it would be useful to rely on one of the very few companies with the adequate know-how, able to give the right advice and the maximum protection currently possible: #Eclypsium https://eclypsium.com/wp-content/uploads/2020/10/Device-Integrity-and-the-Zero-Trust-Framework.pdf
Good job, thank you for posting.
Thanks for sharing, super interesting.
Good Grief! Thanks for this summary Scott!
It should be noted, too, that until we or someone obtains a sample of this malware and runs it on a close-to-production box in a lab, there is always the chance it isn't ready for show time yet, or certain aspects of its features aren't working right, or even the chance the entire thing is a scam. Of note is that, should this NOT be a scam, it may be indicative of a new boot loader vulnerability present across a wide distribution of device makers/types. If you missed this year's DefCon30 talk by our researchers, you should absolutely at a minimum read this blog about the research, discovery, and demo: https://eclypsium.com/2022/08/11/vulnerable-bootloaders-2022/