1 March 2023

BlackLotus UEFI bootkit is capable of running on fully patched Windows 11 machines


ESET researchers have shed some light on a UEFI bootkit called “BlackLotus,” which they say is the first publicly known UEFI bootkit capable of running on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled.

First described in October 2022, BlackLotus comes with a slew of features, including anti-virtualization, anti-debugging, and code obfuscation, and can disable security applications and defense mechanisms on target machines, including Hypervisor-protected Code Integrity (HVCI), BitLocker, and Windows Defender. The bootkit can also bypass User Account Control (UAC) and UEFI Secure Boot, load unsigned drivers, and operate on an infected machine undetected for a long time, perhaps years.

The bootkit has been offered for sale on hacker forums for a price of $5,000 (and $200 per new subsequent version).

According to ESET, BlackLotus exploits a Windows Secure Boot security feature bypass vulnerability (CVE-2022-21894), fixed in Microsoft's January 2022 updates, to bypass UEFI Secure Boot and establish persistence for the bootkit.

“Although the vulnerability was fixed in Microsoft’s January 2022 update, its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list. BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability,” the security firm explains.
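The practical consequence of the point ESET makes above is that a machine stays exposed until the Authenticode hashes of the vulnerable, validly signed bootloaders are present in its dbx (the UEFI forbidden-signatures database that Secure Boot consults). The following is an added example, not code from ESET, Microsoft or the original page: it parses a raw dbx dump (a sequence of EFI_SIGNATURE_LIST structures as defined in the UEFI specification) and reports whether a given bootloader hash is revoked. It assumes the dbx bytes were exported with something like `[IO.File]::WriteAllBytes('dbx.bin', (Get-SecureBootUEFI -Name dbx).Bytes)` on Windows, or read from `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` on Linux (where efivarfs prepends 4 attribute bytes), and that the hash to look up is the image's Authenticode SHA-256 computed separately. The hashes embedded in the block are constructed test values, not the hashes of any real binary.

```python
import hashlib
import struct
import uuid

# GUIDs from the UEFI specification. dbx is a concatenation of
# EFI_SIGNATURE_LIST structures; a revoked PE image is stored as an
# EFI_CERT_SHA256 entry holding that image's Authenticode SHA-256.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIGLIST_HEADER_LEN = 28  # SignatureType(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)


def parse_signature_lists(blob):
    """Yield (signature_type, owner, signature_data) for every entry in a
    buffer of back-to-back EFI_SIGNATURE_LIST structures (db, dbx, KEK)."""
    off = 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_HEADER_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        entries_start = off + SIGLIST_HEADER_LEN + hdr_size
        entries_end = off + list_size
        if list_size < SIGLIST_HEADER_LEN + hdr_size or entries_end > len(blob):
            raise ValueError(f"bad SignatureListSize at offset {off}")
        # Every signature is a 16-byte SignatureOwner GUID followed by the data,
        # so the entry area must be a whole number of SignatureSize-byte records.
        if sig_size < 16 or (entries_end - entries_start) % sig_size:
            raise ValueError(f"bad SignatureSize at offset {off}")
        for e in range(entries_start, entries_end, sig_size):
            owner = uuid.UUID(bytes_le=bytes(blob[e:e + 16]))
            yield sig_type, owner, bytes(blob[e + 16:e + sig_size])
        off = entries_end


def revoked_sha256_hashes(dbx_blob):
    """Return the set of lowercase hex SHA-256 image hashes revoked by this dbx.
    X.509 and other entry types are skipped; they revoke by certificate, not hash."""
    return {data.hex() for t, _, data in parse_signature_lists(dbx_blob)
            if t == EFI_CERT_SHA256_GUID and len(data) == 32}


def is_revoked(dbx_blob, authenticode_sha256_hex):
    """True if a bootloader with this Authenticode SHA-256 would be refused."""
    return authenticode_sha256_hex.lower() in revoked_sha256_hashes(dbx_blob)


def strip_efivars_attributes(raw):
    """Linux efivarfs prefixes each variable with 4 bytes of attributes;
    the Bytes property from Get-SecureBootUEFI on Windows does not."""
    return raw[4:]


def build_sha256_list(hex_hashes, owner=uuid.UUID(int=0)):
    """Encode SHA-256 hashes as one EFI_SIGNATURE_LIST. Used here only to
    build constructed test data; a real dbx comes from the firmware vendor
    or a DBX update capsule, not from this function."""
    sig_size = 16 + 32
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hex_hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", SIGLIST_HEADER_LEN + len(body), 0, sig_size)
    return header + body


# Constructed sample data: NOT the hashes of any real bootloader.
CONSTRUCTED_HASH_A = hashlib.sha256(b"constructed: vulnerable bootloader A").hexdigest()
CONSTRUCTED_HASH_B = hashlib.sha256(b"constructed: vulnerable bootloader B").hexdigest()
SAMPLE_DBX = build_sha256_list([CONSTRUCTED_HASH_A, CONSTRUCTED_HASH_B])

if __name__ == "__main__":
    # Real use: python dbx_check.py dbx.bin <authenticode-sha256-hex>
    import sys
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
        print("revoked" if is_revoked(blob, sys.argv[2]) else "NOT revoked")
    else:
        print(f"{len(revoked_sha256_hashes(SAMPLE_DBX))} SHA-256 entries in sample dbx")
        print("A revoked:", is_revoked(SAMPLE_DBX, CONSTRUCTED_HASH_A))
        print("zero hash revoked:", is_revoked(SAMPLE_DBX, "00" * 32))
```

A "NOT revoked" answer for a known-vulnerable bootloader hash means the firmware will still load that binary under Secure Boot, which is exactly the window the bootkit relies on; the fix on a given machine is applying the vendor or Microsoft DBX update, not anything this script does.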

Once installed, the malware deploys a kernel driver (which, among other things, protects the bootkit from removal) and an HTTP downloader responsible for communication with the C&C server and capable of loading additional user-mode or kernel-mode payloads.

Notably, the bootkit features geofencing capabilities to avoid infecting systems located in Romania, Moldova, Ukraine, Armenia, Kazakhstan, Russia, and Belarus.

The researchers said they were not able to identify the exact distribution channel used to deploy the bootkit to victims. They also believe that not many threat actors have started weaponizing the bootkit yet.

“But until the revocation of the vulnerable bootloaders that BlackLotus depends on happens, we are concerned that things will change rapidly should this bootkit get into the hands of the well-known crimeware groups, based on the bootkit’s easy deployment and crimeware groups’ capabilities for spreading malware using their botnets,” ESET notes.

