A new and rare type of malware is allegedly for sale on the black market, carrying features usually reserved for state hacking tools that make it virtually impossible for any antivirus software to detect.
Known as BlackLotus, the malware is classed as a Unified Extensible Firmware Interface (UEFI) bootkit. UEFI is a computing standard that acts as the interface between the operating system and the firmware: when the computer is switched on, UEFI initializes the boot loader, which in turn starts the kernel and the operating system.
By loading during this initial boot stage, the malware embeds itself in the system firmware before the operating system is running, allowing it to bypass antivirus security checks and go undetected.
On an online malware forum where BlackLotus licences are reportedly selling for $5,000 apiece, the vendor claims that even Secure Boot will not stop the tool, because it loads through a vulnerable bootloader. They add that putting this bootloader on the UEFI revocation list will not solve the problem, since there are currently hundreds of other bootloaders with the same vulnerability that could be used instead.
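A defender-side check tied to the revocation-list point above, added here as an example (it is not code from the article or from any vendor it cites): it parses the UEFI `dbx` variable's EFI_SIGNATURE_LIST layout and reports whether a given bootloader's Authenticode SHA-256 is revoked. The sample dbx blob and the three hashes are constructed; the struct layout and the SHA-256 signature-type GUID come from the UEFI specification.

```python
"""Check a bootloader's Authenticode SHA-256 against a UEFI dbx blob.
dbx = concatenated EFI_SIGNATURE_LIST structures (UEFI spec):
  SignatureType GUID(16) | SignatureListSize u32 | SignatureHeaderSize u32 |
  SignatureSize u32 | SignatureHeader[] | entries of (Owner GUID(16) + data).
For EFI_CERT_SHA256_GUID lists each data field is a 32-byte hash.
Raw bytes: Windows (Get-SecureBootUEFI -Name dbx).Bytes; Linux
/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
minus its 4-byte attribute prefix. Example code, not from the article."""
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
LIST_HDR = struct.Struct("<16sIII")  # type GUID, list size, header size, sig size

def parse_dbx(blob):
    """Return [(signature_type, owner, data), ...] for every entry in blob."""
    entries, off = [], 0
    while off + LIST_HDR.size <= len(blob):
        sig_type, list_size, hdr_size, sig_size = LIST_HDR.unpack_from(blob, off)
        end = off + list_size
        # Reject sizes that would loop forever or read past the blob.
        if list_size < LIST_HDR.size + hdr_size or end > len(blob) or sig_size < 16:
            raise ValueError("malformed or truncated EFI_SIGNATURE_LIST")
        pos = off + LIST_HDR.size + hdr_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((uuid.UUID(bytes_le=sig_type), owner,
                            blob[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def is_revoked(blob, image_sha256):
    """True if image_sha256 appears in any SHA-256 list of the dbx."""
    return any(t == EFI_CERT_SHA256_GUID and data == image_sha256
               for t, _owner, data in parse_dbx(blob))

def build_sha256_list(hashes, owner=uuid.UUID(int=0)):
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (for offline testing)."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    return LIST_HDR.pack(EFI_CERT_SHA256_GUID.bytes_le,
                         LIST_HDR.size + len(body), 0, 16 + 32) + body

# Constructed sample dbx: two revoked bootloader hashes, one that is not.
REVOKED_A = bytes.fromhex("11" * 32)
REVOKED_B = bytes.fromhex("22" * 32)
UNLISTED = bytes.fromhex("33" * 32)
SAMPLE_DBX = build_sha256_list([REVOKED_A, REVOKED_B])
```

A hash being present in dbx only proves that one image is blocked; the article's point is that the check has to be repeated for every signed bootloader a machine is able to load.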
Another feature that makes BlackLotus so potentially dangerous is its Ring 0 (kernel-level) protection. Computers operate using protection rings that divide the system into privilege levels according to how fundamental each is to the operation of the machine, so that hazards and faults cannot spread to other parts.
Gaining access becomes progressively harder the deeper the ring. At the core is Ring 0, which holds the kernel: the layer that connects your software to your hardware. This ring represents the highest privilege level in terms of access, so if BlackLotus really does have Ring 0 protection, it would be very difficult to remove.
The seller also claimed that BlackLotus can disable Windows Defender and comes with an anti-debugging feature intended to keep the malware from being detected during scanning.
Not in the hands of the state anymore
Experts caution that malware on the scale of BlackLotus is no longer the exclusive domain of governments and states. Sergey Lozhkin, Kaspersky's chief security researcher, stated: “Previously, these threats and technologies were only available to people who developed advanced persistent threats, mainly governments. Now these kinds of tools are in the hands of criminals in all forums.”
Last year, another UEFI bootkit known as ESPecter was discovered; it had apparently been designed at least 10 years ago for use on BIOS systems, the precursors to UEFI. The availability of such bootkits outside of state groups is still very rare, at least for the time being.
Another security expert, Eclypsium CTO Scott Scheferman, tried to allay fears, saying that the claims made about BlackLotus could not yet be verified. While it may be a step forward in terms of accessibility to such powerful tools, he argued, it might still be at an early stage of development and not run as efficiently as claimed.
Regardless, progress is very fast in the world of cybercrime, and if there is profit to be made from producing and using such powerful malware, there will be no shortage of demand for its development and improvement. Once the cat is out of the bag, it is very difficult to put it back in.