BlackLotus
From Wikipedia, the free encyclopedia
| BlackLotus | |
|---|---|
| Malware details | |
| Technical name | trojan.blacklotus |
| Family | BlackLotus |
| Cyberattack event | |
| Target | Windows 10 and Windows 11 systems[1] |
| Technical details | |
| Abused exploits | Baton Drop (CVE-2022-21894) |
| Written in | Assembly |
BlackLotus is a UEFI bootkit malware discovered publicly in 2022 that bypasses Microsoft's secure boot on fully up-to-date Windows systems. BlackLotus enables persistent, stealthy control of infected machines at the firmware level, making detection and removal particularly difficult.[2]
Secure Boot bypass and persistence
BlackLotus operates as a bootkit, meaning it infects a system during the boot process, before the operating system loads. Unlike traditional bootkits that rely on outdated firmware or misconfigurations, BlackLotus exploits a previously patched but still trusted Windows bootloader vulnerability called Baton Drop with the CVE ID CVE-2022-21894.[3] Because the vulnerable bootloader remained cryptographically signed and trusted by Secure Boot, the malware was able to execute even on systems with Secure Boot enabled. The malware primarily targets Windows 10 and Windows 11 systems running on UEFI firmware.[4]
Secure Boot is a security feature designed to ensure that only trusted software loads during system startup. BlackLotus bypasses this protection by leveraging a Boot Configuration Data manipulation and an older, vulnerable Windows bootloader that was not revoked in Secure Boot's allowlist at the time of discovery.[5] Once loaded, BlackLotus installs a malicious UEFI component that executes before the Windows kernel, maintains persistence across operating system reinstalls, and can disable or tamper with security mechanisms. This allows BlackLotus to disable Windows security features including BitLocker, Hypervisor-Protected Code Integrity, and Windows Defender components.[6]
BlackLotus achieves persistence by embedding itself in the EFI System Partition.[7] Because this partition is typically not scanned by antivirus software and is rarely modified by users, the malware can survive operating system reinstallation, disk-level malware removal tools, and some firmware updates. Kernel persistence allows BlackLotus to load kernel-mode drivers and acting as a platform for deploying additional payloads.[8]
Discovery
BlackLotus was first observed in the wild by security researchers in 2022 and publicly detailed in early 2023. Analysis revealed that the malware had been sold on underground forums for thousands of dollars and sold as an assembly-based bootkit prior to its public disclosure.[9] Security researchers noted that although the exploited bootloader vulnerability had been patched, Microsoft had not revoked the vulnerable bootloader's signature, allowing it to remain trusted by Secure Boot.[10]
References
- ↑ Sharma, Shweta (2023-03-01). "BlackLotus bootkit can bypass Windows 11 Secure Boot: ESET". CSO Online. International Data Corporation. Retrieved 2026-01-17.
- ↑ Gatlan, Sergiu. "NSA shares tips on blocking BlackLotus UEFI malware attacks". Bleeping Computer. Retrieved 2026-01-17.
- ↑ "NSA Releases Guide to Mitigate BlackLotus Threat". National Security Agency. 2023-06-22. Archived from the original on 2026-01-09. Retrieved 2026-01-17.
- ↑ Olyniychuk, Daryna (2023-03-14). "BlackLotus UEFI Bootkit Detection: Exploits CVE-2022-21894 to Bypass UEFI Secure Boot and Disables OS Security Mechanisms". SOC Prime. Retrieved 2026-01-17.
- ↑ "BlackLotus Malware Bypasses UEFI Secure Boot". FortiGuard. Fortinet. 2023-06-25. Retrieved 2026-01-17.
- ↑ "ESET Research analyzes BlackLotus: A UEFI bootkit that can bypass UEFI Secure Boot on fully patched systems". ESET. 2023-03-01. Retrieved 2026-01-17.
- ↑ "Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign". Microsoft. 2023-04-11. Retrieved 2026-01-17.
- ↑ Goodin, Dan (2023-03-06). "Stealthy UEFI malware bypassing Secure Boot enabled by unpatchable Windows flaw". Ars Technica. Retrieved 2026-01-17.
- ↑ Lakshmanan, Ravie (2023-03-01). "BlackLotus Becomes First UEFI Bootkit Malware to Bypass Secure Boot on Windows 11". The Hacker News. Retrieved 2026-01-17.
- ↑ Cluley, Graham (2023-06-23). "BlackLotus bootkit patch may bring "false sense of security", warns NSA". Tripwire. Retrieved 2026-01-17.