BlackLotus malware can bypass your Windows Defender
It could potentially threaten your PC.
Published on March 2, 2023
If there has been a public enemy number one for Windows 11 users since October 2022, it is BlackLotus. At that time, the UEFI bootkit was rumored to be the only malware that could get past any defense in the cyber landscape.
For just $5,000, hackers on black-market forums could get access to this tool and bypass Secure Boot on Windows devices.
Now, it seems that what has been feared for months is true, at least according to ESET’s recent study by analyst Martin Smolár.
The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window hasn’t gone unnoticed by threat actors. As a result, the first publicly known UEFI bootkit bypassing the essential platform security feature – UEFI Secure Boot – is now a reality.
When you boot up a device, the system and its security components load before anything else so that they can block any malicious attempt to access the machine. BlackLotus, however, targets UEFI so that it loads before all of them.
As a matter of fact, it is able to run on the latest Windows 11 system with Secure Boot enabled.
BlackLotus gets onto Windows 11 through the CVE-2022-21894 vulnerability. Although Microsoft patched it in the January 2022 update, the malware still exploits it by bringing its own copies of the vulnerable but legitimately signed binaries, which have not been added to the UEFI revocation list (dbx).
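The revocation list the article refers to is the UEFI dbx variable, a sequence of EFI_SIGNATURE_LIST structures. As an added defender-side example (not code from the article or from ESET's report), the following Python parses an exported dbx blob and checks whether a given SHA-256 image hash is revoked; it assumes the blob was read from the firmware variable (for instance with PowerShell's Get-SecureBootUEFI -Name dbx, or from the Linux efivars file with its 4-byte attribute prefix stripped), and all function names and the sample entries are constructed for illustration, not real revoked hashes.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID: SignatureType used for SHA-256 image hashes in db/dbx.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HEADER_LEN = 28  # 16-byte GUID + SignatureListSize + SignatureHeaderSize + SignatureSize


def parse_signature_lists(blob):
    """Walk a UEFI signature database: concatenated EFI_SIGNATURE_LIST structures.
    Returns (signature_type, owner, data) tuples, one per EFI_SIGNATURE_DATA."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])  # GUIDs are stored mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body_start, body_end = off + HEADER_LEN + hdr_size, off + list_size
        if sig_size < 16 or body_start > body_end or body_end > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        if (body_end - body_start) % sig_size:
            raise ValueError("list body is not a multiple of SignatureSize")
        for pos in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])  # SignatureOwner
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
        off = body_end
    return entries


def revoked_sha256_hashes(blob):
    """Set of hex SHA-256 image hashes listed in the dbx blob."""
    return {d.hex() for t, _, d in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID}


def is_revoked(blob, sha256_hex):
    """True if the given SHA-256 image hash is present in dbx (case-insensitive hex)."""
    return sha256_hex.lower() in revoked_sha256_hashes(blob)


def build_sha256_list(owner, hashes):
    """Constructed test data only: build one EFI_SIGNATURE_LIST of SHA-256 entries."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, 48) + body


# Constructed sample dbx: two made-up hashes, not real revoked boot manager hashes.
CONSTRUCTED_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
REVOKED_HEX = hashlib.sha256(b"constructed: vulnerable boot manager").hexdigest()
SAMPLE_DBX = build_sha256_list(CONSTRUCTED_OWNER, [bytes.fromhex(REVOKED_HEX), hashlib.sha256(b"constructed: second entry").digest()])
```

A bootloader whose hash is absent from dbx, and whose signature chains to a certificate in db, will still pass Secure Boot, which is exactly the gap the bootkit relies on.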
Once installed, the bootkit’s main goal is to deploy a kernel driver (which, among other things, protects the bootkit from removal), and an HTTP downloader responsible for communication with the C&C and capable of loading additional user-mode or kernel-mode payloads.
Smolár also writes that some of the installers do not proceed if the host uses locales from Romanian/Russian (Moldova), Russia, Ukraine, Belarus, Armenia, and Kazakhstan.
Details of this first emerged when Kaspersky’s Sergey Lozhkin saw it being sold on black markets with the aforementioned price tag.
What do you think about this latest development? Let us know in the comments!
Rafly Gilang
Rafly is a journalist with growing experience, ranging from technology, business, social, and culture. A holder of the Romanian government scholarship, his writing has been published in several local and national publications.