Sneaky malware BlackLotus can bypass important Windows boot functions

Cybersecurity researchers are warning about powerful new malware designed to dodge an important security feature that runs when Microsoft Windows users boot up their computers.

The “bootkit” malware, dubbed BlackLotus, allows hackers to bypass UEFI Secure Boot, which watches for malicious software as a Windows machine starts up the firmware that controls basic hardware functions.

“[W]hat we were dealing with here is not just regular malware,” cybersecurity company ESET said earlier this month. Eclypsium, which specializes in firmware and hardware security, followed up with a post Thursday calling BlackLotus “the first in-the-wild bootkit that can bypass Secure Boot.”

BlackLotus exploits a Windows vulnerability that Microsoft patched a year ago, but researchers say the malware can get around that update. Applying the patch “does not mitigate an attacker’s ability to carry out the subsequent attack chain,” Eclypsium said, because it’s possible for hackers to install an older, vulnerable version of the boot manager as part of an attack.

Once BlackLotus has persistence in the boot process — meaning that it runs every time the computer starts up — it’s capable of “disabling OS security mechanisms such as BitLocker, HVCI, and Windows Defender,” ESET said.

The goal is to get additional malware on the machine, giving hackers an array of options for surveilling or disrupting a network.

The researchers note that for BlackLotus to succeed on a patched computer, an attacker would already need some sort of administrative access. But the malware’s users probably have other goals, Eclypsium said.

“While true that the attacker in this scenario already has elevated privileges on the system they are elevating to even higher privileges to bypass even more security measures,” the company said.

BlackLotus first caught the attention of researchers in October 2022 after a post on an underground web forum offered the malware for $5,000, with the ability to receive further updates for $200 apiece. Some suggested it might be fake.

ESET looked at individual claims made about BlackLotus online and found them all to be true in one way or another. The company did find examples of the malware being used for attacks, but not many.

“The low number of BlackLotus samples we have been able to obtain, both from public sources and our telemetry, leads us to believe that not many threat actors have started using it yet,” ESET said.