Malware

Windows Secure Boot evaded by BlackLotus malware

Share

All Windows 11 devices with Secure Boot enabled could be bypassed by the BlackLotus UEFI bootkit, making it the first malware to achieve such a feat, reports The Register. Such evasion of Secure Boot protections is enabled by BlackLotus' exploitation of CVE-2022-21894, which has been addressed by Microsoft in January 2022, and will also allow the deactivation of other security systems, including Windows Defender, Hypervisor-protected Code Integrity, and BitLocker, to facilitate User Account Control evasion, according to an ESET report. BlackLotus then proceeds to distribute a kernel driver that would prevent the removal of bootkit files, as well as an HTTP downloader, which would facilitate payload execution following contact with the command-and-control server, the report showed. "It was just a matter of time before someone would take advantage of these failures and create a UEFI bootkit capable of operating on systems with UEFI Secure Boot enabled," said ESET malware analyst Martin Smolr.

Related

Chinese malware attack hits Tibetan websites

TAG-112 may be a subgroup of Chinese advanced persistent threat group Evasive Panda, also known as TAG-102 and StormBamboo, due to significant similarities in attack tactics, techniques, and procedures, an analysis from Recorded Future's Insikt Group revealed.

Related Events

Related Terms

Adware

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.