Analytics Story: BlackLotus Campaign

Description

The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality

Why it matters

The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window hasn't gone unnoticed by threat actors. As a result, the first publicly known UEFI bootkit bypassing the essential platform security feature UEFI Secure Boot is now a reality. present the first public analysis of this UEFI bootkit, which is capable of running on even fully-up-to-date Windows 11 systems with UEFI Secure Boot enabled. Functionality of the bootkit and its individual features leads us to believe that we are dealing with a bootkit known as BlackLotus, the UEFI bootkit being sold on hacking forums for $5,000 since at least October 2022. (ESET, 2023) The following content aims to aid defenders in detecting suspicious bootloaders and understanding the diverse techniques employed in this campaign.

Detections

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
Sysmon EventID 1	Windows	xmlwineventlog	XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12	Windows	xmlwineventlog	XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13	Windows	xmlwineventlog	XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3	Windows	xmlwineventlog	XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

References

• https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
• https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/

Source: GitHub | Version: 1