A harmful bootkit has been noticed on the darkish internet that’s able to bypassing cybersecurity options and putting in all kinds of malware on a weak endpoint.

A brand new report from cybersecurity specialists ESET claims the bootkit is, probably, BlackLotus, an notorious piece of malware being bought on the darkish internet for roughly $5,000. 

Not solely can BlackLotus bypass antivirus applications, however it will probably additionally run on totally up to date Home windows 11 gadgets, with UEFI Safe Boot enabled.

Sparing Russia and its neighbors

To make the bootkit work, its makers exploited CVE-2022-21894, a recognized vulnerability that Microsoft patched greater than a 12 months in the past. Nevertheless, its exploitation remains to be doable because the affected, validly signed binaries have nonetheless not been added to the UEFI revocation record, ESET defined (opens in new tab). Which means BlackLotus can convey its personal copies of reliable, weak binaries, after which exploit the flaw. 

After disabling the antivirus (which even consists of Home windows Defender), the bootkit can deploy a downloader which may then set up different malicious payloads. The researchers additionally noticed that the installer spares gadgets positioned in Armenia, Belarus, Kazakhstan, Moldova, Russia, and Ukraine.

BlackLotus has been making rounds on the darkish internet, being bought for roughly $5,000. Nevertheless, many researchers believed the adverts had been a pretend, and that the malware didn’t actually exist.

“We will now current proof that the bootkit is actual, and the commercial will not be merely a rip-off,” says ESET researcher Martin Smolár. “The low variety of BlackLotus samples we’ve got been capable of get hold of, each from public sources and our telemetry, leads us to imagine that not many risk actors have began utilizing it but. We’re involved that issues will change quickly ought to this bootkit get into the arms of crimeware teams, primarily based on the bootkit’s simple deployment and crimeware teams’ capabilities for spreading malware utilizing their botnets.”

The flexibility to regulate your entire OS boot course of makes UEFI bootkits an especially potent weapon, ESET concluded. Risk actors that efficiently deploy it will probably function on the goal endpoint stealthily, and with excessive privileges. To date, a handful of UEFI bootkits had been noticed within the wild. 

“One of the best recommendation, in fact, is to maintain your system and its safety product updated to boost the possibility {that a} risk might be stopped proper firstly, earlier than it’s capable of obtain pre-OS persistence,” Smolár concluded.

• Try the very best firewalls (opens in new tab) proper now