A new and rare type of malware is purportedly available on the black market, containing features usually reserved for hacking tools used by states that make it next to impossible for any antivirus software to detect.
Known as BlackLotus, the malware is claimed to be a Unified Extensible Firmware Interface (UEFI) bootkit. UEFI is the computing standard that acts as the interface between the operating system and the firmware; when you turn on your computer, the UEFI initiates a boot loader, which in turn boots the kernel and the operating system.
By loading at the initial boot state, the malware embeds itself within a system’s firmware, allowing it to bypass all security checks from antivirus software and thus remain undetected.
On an online malware forum where BlackLotus licenses are apparently being sold for $5,000 each, the seller claims that even Safe Boot won’t thwart the tool, since a vulnerable boot loader is employed. They further remarked that adding this boot loader to the UEFI Revocation List (opens in new tab) would fail to resolve the issue, since there are currently hundreds of others with the same vulnerability that can be used instead.
Another attribute that makes BlackLotus so potentially dangerous is its apparent Ring 0/ kernel protection. Computers operate using protection rings that compartmentalize the system into different levels based on how fundamental they are to the operation of the machine, in order to prevent potential threats and faults from leaking into other parts.
Gaining access through these rings gets progressively harder. At the core is Ring 0, which contains the kernel: this is what connects your software to your hardware. This ring represents the highest level of protection in terms of access, so if BlackLotus does indeed have ring 0 protection, then it would be extremely difficult to get rid of.
The seller also claimed BlackLotus has the ability to disable Windows Defender and comes with anti-debug to prevent detection from malware scans.
No longer in state hands
Experts are warning that malware on the scale of BlackLotus is no longer the sole province of governments and states. Sergey Lozhkin, the lead security researcher at Kaspersky stated (opens in new tab), “These threats and technologies before were only accessible by guys who were developing advanced persistent threats, mostly governments. Now these kinds of tools are in the hands of criminals all over the forums.”
Last year, another UEFI bootkit known as ESPecter was discovered, and had apparently been designed at least 10 years ago for use on BIOS systems, the precursor to UEFI. Their availability outside of state-run groups still remains very rare, at least for now.
Another security expert – Eclypsium CTO Scott Scheferman – did try to temper concerns by saying that they could not yet be sure of BlackLotus’ purported claims, maintaining that while it may represent a leap forward in terms of ease of access to such powerful tools, it may still be in its nascent stages of production and not work as effectively as claimed.
Regardless, the march of progress moves very quickly in the cybercriminal world, and if profits can be made from the production and use of malicious software this powerful, then there will be no shortage of demand for its development and improvement. Once the cat is out of the bag, it’s very hard to put it back in again.