Due to the complexity of the whole UEFI ecosystem and related supply-chain problems, many UEFI vulnerabilities have left systems exposed long after the vulnerabilities themselves were fixed, according to ESET. The bootkit has still been able to exploit the vulnerability after the January fix because the validly signed binaries have not yet been added to the UEFI revocation list, the mechanism used to revoke the digital certificates of UEFI drivers.

The primary objective of BlackLotus, once installed, is to deploy a kernel driver that protects the bootkit against any attempt to remove it. It also deploys an HTTP downloader that communicates with the command-and-control server and can load further user-mode or kernel-mode payloads.

“Our investigation started with a few hits on what turned out to be (with a high level of confidence) the BlackLotus user-mode component - an HTTP downloader - in our telemetry late in 2022,” Smolár said. “After an initial assessment, code patterns found in the samples brought us to the discovery of six BlackLotus installers. This allowed us to explore the whole execution chain and to realize that what we were dealing with here is not just regular malware.”

Certain BlackLotus installation packages, as analyzed by ESET, do not install the bootkit if the affected host uses regional settings associated with Armenia, Belarus, Kazakhstan, Moldova, Russia, or Ukraine.

“The low number of BlackLotus samples we have been able to obtain, both from public sources and our telemetry, leads us to believe that not many threat actors have started using it yet,” Smolár said. “We are concerned that things will change rapidly should this bootkit get into the hands of crimeware groups, based on the bootkit’s easy deployment and crimeware groups’ capabilities for spreading malware using their botnets.”