Summary:
The BlackLotus UEFI bootkit has evolved to bypass UEFI Secure Boot and can infect fully patched Windows 11 systems. It is the first known malware to bypass the Secure Boot mechanism on Windows 11 and impair the operating system's security protections. The malware can also be used to weaken Microsoft Defender's BitLocker data protection feature and Hypervisor-protected Code Integrity (HVCI). Note that it exploits CVE-2022-21894, which has been overlooked since August 2022.
Execution begins with an installer that writes the bootkit file to the EFI system partition. The installer then disables the HVCI and BitLocker protections and reboots the victim's system so that exploitation of CVE-2022-21894 can begin. The attackers use genuine Windows binaries (the Windows Hypervisor Loader, the Windows Boot Manager, and other PE binaries that are vulnerable to CVE-2022-21894) together with Boot Configuration Data (BCD). Once CVE-2022-21894 has been exploited, persistence is achieved with UEFI Secure Boot still enabled by enrolling the attacker's Machine Owner Key (MOK). After a further reboot the self-signed UEFI bootkit starts, and the malicious kernel driver and HTTP downloader are deployed to complete the malware installation.
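The chain above leaves a small set of host artifacts a defender can look for: Secure Boot and HVCI state, BitLocker protection status, recently changed files on the EFI system partition, and boot entries in BCD. The following read-only posture check is an added example written for this summary; it is not code from the advisory or from any vendor report it draws on. It assumes an elevated PowerShell session on Windows 10/11 with the built-in SecureBoot and BitLocker modules, that the drive letter S: is free for mounting the ESP, and a 30-day "recently modified" window; those three values are assumptions for the example, not values from the page.

```powershell
# Added example (not from the advisory): read-only posture check for the
# protections the summary says BlackLotus tampers with. Run elevated.
# Assumptions: SecureBoot/BitLocker modules present, S: is a free drive
# letter, 30 days is the "recent change" window.

$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Secure Boot state. The bootkit works with Secure Boot enabled, so "True"
#    is not proof of a clean machine, but "False" is a finding on its own.
try {
    if (-not (Confirm-SecureBootUEFI)) { $Findings.Add('Secure Boot is disabled') }
} catch {
    $Findings.Add('Secure Boot state could not be read (legacy BIOS or unsupported firmware)')
}

# 2. HVCI. SecurityServicesRunning contains 2 when HVCI is active.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -notcontains 2) { $Findings.Add('HVCI is not running') }
# The policy value an installer would flip to turn HVCI off.
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$hvci = Get-ItemProperty -Path $hvciKey -ErrorAction SilentlyContinue
if ($hvci -and $hvci.Enabled -eq 0) { $Findings.Add('HVCI policy explicitly disabled in the registry') }

# 3. BitLocker on the OS volume.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if ($os -and $os.ProtectionStatus -ne 'On') {
    $Findings.Add("BitLocker protection is Off on $($env:SystemDrive)")
}

# 4. EFI system partition. Mount it, list files changed inside the window and
#    any .efi binary outside the usual \EFI\Microsoft and \EFI\Boot folders,
#    then dismount again.
$Esp = 'S:'
mountvol $Esp /S | Out-Null
try {
    $cutoff = (Get-Date).AddDays(-30)
    Get-ChildItem -Path "$Esp\EFI" -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object {
            $_.LastWriteTime -gt $cutoff -or
            ($_.Extension -eq '.efi' -and $_.FullName -notmatch '\\EFI\\(Microsoft|Boot)\\')
        } |
        ForEach-Object {
            $Findings.Add("ESP file to review: $($_.FullName) (modified $($_.LastWriteTime))")
        }
} finally {
    mountvol $Esp /D | Out-Null
}

# 5. BCD. Print the loader paths and descriptions so an unexpected entry or
#    a bootloader path outside \EFI\Microsoft\Boot stands out on review.
$bcd = bcdedit /enum all | Select-String -Pattern '^(identifier|description|path)' |
    ForEach-Object { "BCD: $($_.Line.Trim())" }

if ($Findings.Count -eq 0) {
    'No findings from this check (absence of findings does not prove absence of a bootkit).'
} else {
    $Findings
}
$bcd
```

The check reports rather than remediates: a recently modified file on the ESP or an unexpected BCD entry is a lead for forensic review of the partition image, not something to delete in place, and the HVCI and BitLocker results are most useful when compared against the state the machine is expected to be in under the organisation's baseline.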

Threat Profile:
| Tactic | Technique ID | Technique |
| --- | --- | --- |
| Resource Development | T1587 | Develop Capabilities |
| Resource Development | T1588 | Obtain Capabilities |
| Execution | T1203 | Exploitation for Client Execution |
| Execution | T1559 | Inter-Process Communication |
| Execution | T1106 | Native API |
| Execution | T1129 | Shared Modules |
| Persistence | T1542 | Pre-OS Boot |
| Persistence | T1574 | Hijack Execution Flow |
| Privilege Escalation | T1548 | Abuse Elevation Control Mechanism |
| Defense Evasion | T1134 | Access Token Manipulation |
| Defense Evasion | T1622 | Debugger Evasion |
| Defense Evasion | T1562 | Impair Defenses |
| Defense Evasion | T1070 | Indicator Removal |
| Defense Evasion | T1036 | Masquerading |
| Defense Evasion | T1112 | Modify Registry |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1055 | Process Injection |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1614 | System Location Discovery |
| Discovery | T1016 | System Network Configuration Discovery |
| Command and Control | T1071 | Application Layer Protocol |
| Command and Control | T1132 | Data Encoding |
| Command and Control | T1573 | Encrypted Channel |

References:
The following reports contain further technical details: