A threat actor is selling on underground criminal forums a new UEFI bootkit that can disable or bypass security solutions and controls.
Dubbed “Black Lotus,” the bootkit comes with a slew of features, including anti-virtualization, anti-debugging, and code obfuscation, and can disable security applications and defense mechanisms on target machines, including Hypervisor-protected Code Integrity (HVCI), BitLocker, and Windows Defender. The Windows bootkit can also bypass User Access Control (UAC) and secure boot mechanisms, load unsigned drivers, and can operate within an environment undetected for a long time, perhaps years, according to Eclypsium CTO Scott Scheferman.
“Considering this tradecraft used to be relegated to APTs like the Russian GRU and APT 41 (China nexus), and considering prior criminal discoveries we've made (e.g. Trickbot's Trickboot module), this represents a bit of a 'leap' forward, in terms of ease of use, scalability, accessibility and most importantly, the potential for much more impact in the forms of persistence, evasion and/or destruction,” Scheferman wrote in a blog post.
“It should be noted, too, that until we or someone obtains a sample of this malware and runs it on a close-to-production box in a lab, there is always the chance it isn't ready for show time yet, or certain aspects of its features aren't working right, or even the chance the entire thing is a scam. Of note, is that should this NOT be a scam, it may be indicative of a new boot loader vulnerability present across a wide distribution of device makers/types,” he added.
Written in Assembly and C, the bootkit is only 80 kilobytes on disk after installation and features geofencing, to avoid infecting countries in the CIS region. The tool is offered for sale at $5,000 per license, with additional $200 for new versions.