Examining The Way BlackLotus Wreaks Havoc On Windows Secure Boot
While source code leaks are often a bad thing, in this case it can only be considered wonderful. BlackLotus, which we have covered before, has been horrifying security professionals and IT workers since it was first revealed. It is capable of bypassing Secure Boot and TPM protections to infect your drive’s EFI System Partition irrevocably, thus enabling it to launch malware at boot which is completely invisible to your operating system and antivirus protection. The only fix found so far is quite complex to install and needs to be done manually on every single machine you want to secure. Even better, getting it even slightly wrong will brick not only your local drive but also ensure you can’t use any tools to recover the lost data.
The release of BlackLotus’ source code on GitHub, or at least most of it, will let bad actors design new flavours of bootloaders to invisibly infect machines without having to fork over the several thousand dollars the designers charged for access. There isn’t really any good news to accompany this, as what was leaked had already been discovered by security researchers and doesn’t add to their knowledge. What it does do is make it much easier to combine this code with other bootloader malware to create new variants of BlackLotus-type attacks, which we have no way to detect, let alone protect against.
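Since the whole point of a bootkit is to live on the EFI System Partition where the operating system rarely looks, one thing a defender can do today is keep a hash inventory of the ESP and diff it on a schedule. The script below is an added example written for this post; it is not BlackLotus code and not any vendor's tool. It assumes the ESP is already mounted at a path you pass in (for instance via `mountvol S: /S` on Windows or `/boot/efi` on Linux, both assumptions of this example), and the `demo()` function builds a constructed ESP tree in a temporary directory so it runs offline.

```python
"""Inventory every file on a mounted EFI System Partition (ESP) and compare it
against a saved baseline so that a new or altered bootloader stands out.

Added example for this post, not BlackLotus code or a vendor tool. Assumes the
ESP is mounted and readable at the path handed to inventory(); that path is an
assumption of the example (e.g. S:\\ after `mountvol S: /S`, or /boot/efi).
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large loaders do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(esp_root: Path) -> dict:
    """Map every regular file under the ESP (relative, forward-slash path) to its hash."""
    result = {}
    for p in sorted(esp_root.rglob("*")):
        if p.is_file():
            result[p.relative_to(esp_root).as_posix()] = hash_file(p)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Return added, removed and changed paths relative to the baseline.

    Anything 'added' or 'changed' under EFI/ deserves a look: a bootkit has to
    place or replace a loader somewhere on this partition to run at boot."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(inv: dict, out: Path) -> None:
    out.write_text(json.dumps(inv, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed ESP tree: take a baseline, then simulate a bootkit-style change
    (an extra loader dropped next to the legitimate one and the Windows boot
    manager replaced) and return the diff. All file contents are constructed."""
    with tempfile.TemporaryDirectory() as esp_dir, tempfile.TemporaryDirectory() as store:
        esp = Path(esp_dir)
        ms_boot = esp / "EFI" / "Microsoft" / "Boot"
        ms_boot.mkdir(parents=True)
        (ms_boot / "bootmgfw.efi").write_bytes(b"legitimate boot manager (constructed)")
        (esp / "EFI" / "Boot").mkdir()
        (esp / "EFI" / "Boot" / "bootx64.efi").write_bytes(b"fallback loader (constructed)")

        baseline_file = Path(store) / "esp-baseline.json"
        save_baseline(inventory(esp), baseline_file)

        # Simulated tampering: a new loader appears and the boot manager is swapped.
        (ms_boot / "extra-loader.efi").write_bytes(b"unexpected loader (constructed)")
        (ms_boot / "bootmgfw.efi").write_bytes(b"replaced boot manager (constructed)")

        return compare(load_baseline(baseline_file), inventory(esp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats belong with this check. A baseline taken on a machine that is already infected is worthless, so capture it at build time from a known-good image and store it off the host. And the script only sees what the mounted filesystem shows it; it complements the firmware-level fix described above rather than replacing it, and a clean diff does not prove the boot chain is clean.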
At least it’s the weekend soon?
The source code for the BlackLotus UEFI bootkit has leaked online, allowing greater insight into a malware that has caused great concern among the enterprise, governments, and the cybersecurity community.