Security expert Scott Scheferman warns that a threat actor is marketing on dark web forums a vendor-independent UEFI rootkit that has the ability to bypass antivirus software and controls.
The Windows rootkit, known as “Black Lotus,” is a potent, persistent malware that is being sold for $5,000, with $200 payments for each subsequent version, and has similar features to those used by state-sponsored malicious attackers. Black Lotus is 80 kilobytes in size, is written in Assembly and C, and has geofencing to prevent infecting nations in the CIS region.
According to expert, the malware includes evasion tools like anti-virtualization, anti-debugging, and code obfuscation, and it has the ability to deactivate security software like BitLocker, Windows Defender, and Hypervisor-protected Code Integrity (HVCI) on target computers.
This malicious malware enables criminals to get around the secure boot function of computers, which is meant to stop the device from executing illegal software. Instead, by focusing on the UEFI, the BlackLotus malware loads before the operating system and any security software that might be able to halt it.
In other words, if a malicious person gains access to a network or machine, he or she can install this program and it will be completely unnoticed and persistent at the UEFI level.
Functions includes
•Written in assembly and C, only 80kb in size
•Works globally other than in CIS states, filterable by Geo, etc.
•Anti-VM and Anti-Debug with Code Obfuscation
•Bypasses UAC, Secure Boot, and Can Load Unsigned Drivers
•Disables HVCI, BitLocker, Windows Defender
•Persists on the UEFI with Ring 0 agent protection
•Fully featured Install Guide with SOPs and FAQ’s
•Stable and scales to a high number of bots, full backend API (PHP/SQL)
•Fully featured tasking, file transfer, robust security, all needed functionality possible to persistent and operate indefinitely within an environment undetected. (perhaps for years akin to current UEFI implants in the wild that are discovered 2-5 years after the begin)
•Vendor independent, uses a signed bootloader if Secure Boot enabled, wild distribution potential across IT and OT environments.
Attackers may use Black Lotus to do a broad range of tasks, including file transfers and task support, and it has the ability to pose a serious danger to both IT and OT systems.
This represents a little bit of a “leap” forward in terms of ease of use, scalability, accessibility, and most importantly, the potential for much more impact in the forms of persistence, evasion, and/or destruction, according to Scheferman. Previously, this tradecraft was only used by APTs like the Russian GRU and APT gangs from China.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.