BlackLotus is a real UEFI bootkit that bypasses Secure Boot on up-to-date Windows 11 systems and establishes persistence via a MOK enrollment, delivering a kernel driver and HTTP downloader to fetch additional payloads. It exploits CVE-2022-21894, uses self-signed components, and can disable BitLocker, HVCI, and Windows Defender, signaling a sophisticated, weaponized bootkit being marketed on underground forums. #BlackLotus #CVE-2022-21894 #Windows11 #SecureBoot
Keypoints
- Public analysis confirms BlackLotus is a real UEFI bootkit capable of running on systems with UEFI Secure Boot enabled.
- It exploits CVE-2022-21894 to bypass Secure Boot and persist via MOK enrollment, bringing its own vulnerable binaries into the system.
- The bootkit drops multiple files into the EFI System Partition (ESP) and system32, including self-signed components and legitimate Microsoft-signed binaries used in the exploit chain.
- It disables OS protections (HVCI, BitLocker, Windows Defender) to improve stealth and reliability of its kernel and user-mode payloads.
- Secondary payloads include a kernel driver and an HTTP downloader that communicates with a C2 and loads further payloads.
- BlackLotus has been advertised on underground forums since Oct 2022, with evidence it is real and not a scam.
- Locale checks abort installation on certain system locales, indicating deliberate targeting decisions during infection.
MITRE Techniques
- [T1588.005] Obtain Capabilities: Exploits – “BlackLotus used publicly known exploit to bypass UEFI Secure Boot.”
- [T1203] Exploitation for Client Execution – “BlackLotus installers can exploit CVE-2022-21894 to achieve arbitrary code execution on the systems with UEFI Secure Boot enabled.”
- [T1542.003] Pre-OS Boot: Bootkit – “BlackLotus bootkit is deployed on the EFI System Partition and executed during the boot.”
- [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – “BlackLotus installer attempts to escalate privileges by bypassing User Account Control.”
- [T1112] Modify Registry – “BlackLotus installer modifies Windows registry to disable Windows HVCI security feature.”
- [T1027] Obfuscated Files or Information – “All strings used within the samples are encrypted using a simple cipher.”
- [T1027.007] Obfuscated Files or Information: Dynamic API Resolution – “BlackLotus components use dynamic API resolution while using API names’ hashes instead.”
- [T1027.009] Obfuscated Files or Information: Embedded Payloads – “Almost all embedded files in BlackLotus components are encrypted using AES.”
- [T1614] System Location Discovery – “BlackLotus can exit if one of the following system locales is identified on the compromised host: ro-MD, ru-MD, ru-RU, uk-UA, be-BY, hy-AM, kk-KZ.”
- [T1082] System Information Discovery – “BlackLotus collects system information (IP, GPU, CPU, memory, OS version) on a compromised host.”
- [T1016] System Network Configuration Discovery – “BlackLotus HTTP downloader can determine the public IP of a compromised host by requesting api.ipify.org service.”
- [T1016.001] Internet Connection Discovery – “BlackLotus HTTP downloader checks the internet connection by querying Microsoft’s www.msftncsi.com/ncsi.txt.”
- [T1132.001] Data Encoding: Standard Encoding – “BlackLotus encodes encrypted data in C&C communication with URL-safe base64.”
- [T1573.001] Encrypted Channel: Symmetric Cryptography – “BlackLotus uses 256-bit AES in CBC mode to decrypt messages received from its C&C.”
- [T1573.002] Encrypted Channel: Asymmetric Cryptography – “BlackLotus uses an embedded RSA public key to encrypt messages sent to C&C.”
Indicators of Compromise
- [SHA-1] Files – 05846D5B1D37EE2D716140DE4F4F984CF1E631D1, A5A530A91100ED5F07A5D74698B15C646DD44E16, and 2 more hashes
- [Domain] C2 Domains – xrepositoryx.name, myrepositoryx.com, and 4 more domains
- [IP] C2 IPs – 104.21.22.185, 164.90.172.211, and 3 more IPs
- [Certificate] Self-signed certificate – Serial 570B5D22B723B4A442CC6EEEBC2580E8; Thumbprint C8E6BF8B6FDA161BBFA5470BCC262B1BDC92A359
- [URL] C2 URLs – https://xrepositoryx.name/network/API/hpb_gate.php, https://myrepositoryx.com/network/API/hpb_gate.php, and 2 more URLs
Read more: https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/