This dangerous UEFI bootkit can hijack your Windows PC with ease

New threat bypasses Windows antivirus protections

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

A dangerous bootkit has been spotted on the dark web that is capable of bypassing cybersecurity solutions and installing all sorts ofmalwareon a vulnerableendpoint.

A new report from cybersecurity experts ESET claims the bootkit is, most likely, BlackLotus, an infamous piece of malware being sold on the dark web for roughly $5,000.

Not only can BlackLotus bypassantivirusprograms, but it can also run on fully updatedWindows 11devices, with UEFI Secure Boot enabled.

Sparing Russia and its neighbors

To make the bootkit work, its makers exploited CVE-2022-21894, a known vulnerability thatMicrosoftpatched more than a year ago. However, its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list, ESETexplained. That means BlackLotus can bring its own copies of legitimate, vulnerable binaries, and then exploit the flaw.

After disabling the antivirus (which even includes Windows Defender), the bootkit can deploy a downloader which can then install other malicious payloads. The researchers also spotted that the installer spares devices located in Armenia, Belarus, Kazakhstan, Moldova, Russia, and Ukraine.

BlackLotus has been making rounds on the dark web, being sold for roughly $5,000. However, many researchers believed the ads were a fake, and that the malware didn’t really exist.

‘Near-undetectable’ hacking tool up for sale on malware forum>A new dangerous malware is turning Windows and Linux devices into DDoS tools>Here’s our list of the best ransomware removal tools

“We can now present evidence that the bootkit is real, and the advertisement is not merely a scam,” says ESET researcher Martin Smolár. “The low number of BlackLotus samples we have been able to obtain, both from public sources and our telemetry, leads us to believe that not many threat actors have started using it yet. We are concerned that things will change rapidly should this bootkit get into the hands of crimeware groups, based on the bootkit’s easy deployment and crimeware groups’ capabilities for spreading malware using their botnets.”

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

The ability to control the entire OS boot process makes UEFI bootkits an extremely potent weapon, ESET concluded. Threat actors that successfully deploy it can operate on the target endpoint stealthily, and with high privileges. So far, a handful of UEFI bootkits were observed in the wild.

“The best advice, of course, is to keep your system and its security product up to date to raise the chance that a threat will be stopped right at the beginning, before it’s able to achieve pre-OS persistence,” Smolár concluded.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

VIPRE Security Group says its new endpoint protection tools can stamp out even the latest cybersecurity threats