A new UEFI bootkit named BlackLotus has become a hot-selling item in underground hacking forums. The malware developer claims that the malicious tool can infiltrate boot-level access within its target system, bypassing the security programs present on the computer.
The software is believed to be linked to a state-sponsored threat group specializing in cyber espionage. As per reports, the Black lotus sells for $5,000 and is exclusively available for cybercriminals who target victims using Windows operating systems.
According to sources, the BlackLotus sellers claim that the bootkit features a ‘Secure Boot’ bypass, which eludes antivirus protection services by using built-in Ring0/Kernel and is also capable of running in Windows recovery or Windows safe mode. It can hinder any malware analysis attempts and runs under the system account within a legitimate process that doesn’t appear as an outside entity to the system.
BlackLotus Windows UEFI bootkit on a rise
Windows UEFI bootkit is quite popular among underground hacking forums. Using BlackLotus, threat actors can facilitate espionage activities to steal documents, deploy keylogger programs, monitor browser activities, and take screenshots. These tools can be used to backdoor Windows systems by modifying the Windows Boot Manager binary.
BlackLotus installs in under 80 kb on disk. It can disable core Windows security functions, such as the Hypervisor-Protected Code Integrity (HVCI) and Windows Defender, and bypass User Account Control (UAC). Researchers claim that patching the vulnerability is not currently possible, even if it is added to the UEFI revocation list.
Sergey Lozhkin, the lead security researcher at Kaspersky, also shared a report on BlackLotus after it was advertised on hacking forums. Lozhkin told The Register, “These threats and technologies before were only accessible by guys who were developing advanced persistent threats, mostly governments,” Lozhkin claimed. “Now these kinds of tools are in the hands of criminals all over the forums.”