Researchers from ESET have identified a UEFI bootkit called “BlackLotus” that is capable of bypassing Secure Boot protections, making it a significant threat.
The bootkit is written in Assembly and C and includes geofencing logic that stops it from infecting computers in certain countries. It exploits a security flaw tracked as CVE-2022-21894 to establish persistence and execute arbitrary code during the early phases of the boot process.
BlackLotus is the first publicly known malware that can bypass Secure Boot defenses, which makes it a powerful and persistent threat. It can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled.
UEFI bootkits are deployed in the system firmware and allow full control over the operating system boot process, making it possible to disable OS-level security mechanisms and deploy arbitrary payloads during startup with high privileges.
The cyber threat landscape is constantly evolving, and malware like BlackLotus demonstrates the need for continued innovation and development in cybersecurity.
As such, it is crucial to keep software up to date and to implement additional security measures, such as network segmentation, access controls, and behavior monitoring, to minimize the risk of a successful attack.