BlackLotus Eats Secure Boot For Breakfast And Likes It
How To Own A Computer In Just 80kb
BlackLotus was in the news last year, after some oddities were detected and submitted to VirusTotal. Those initial detections and further suspicious activity reported to ESET suggested that this was something new. The infection seemed exceptionally resilient, surviving reimaging, hard drive replacements and evading UEFI Secure Boot. It took the experts some time to unravel BlackLotus and determine exactly what is was doing, but they have finally succeeded and the news is not good.
BlackLotus infects your motherboard’s UEFI, more specifically the EFI System Partition which is not protected by the same security features that are found on the SPI chip which you update every time you flash to a new BIOS. That allows the infection to load before Secure Boot or any of the other security features on your hardware can, which gives it time to pull a nasty trick. The malware registers it’s own machine owner key as valid, in combination with a shim loader signed by various Linux distributors. At that point, every reboot fires up the bootkit ensuring the attackers are still able to load in any infections which your antivirus manages to remove.
That is the real use of BlackLotus, the ability to render a machine permanently vulnerable to other malware attacks by granting admin access to processes in order to leverage any other system vulnerabilities present on your system. There is nothing you can do to remove it if you have been infected, short of tossing your motherboard. However, keeping your system up to date with patches will limit secondary infections which will protect against the secondary infections which BlackLotus tries to load onto your system.
If you want to terrify yourself, read the full story at Ars Technica where they delve into the technical aspects of this fresh hell.
While researchers have found Secure Boot vulnerabilities in the past, there has been no indication that threat actors have ever been able to bypass the protection in the 12 years it has been in existence. Until now.