New Windows UEFI rootkit Black Lotus has been observed by cybersecurity expert Scott Scheferman to be promoted on underground forums to feature security software deactivation capabilities similar to those employed by state-sponsored threat groups, SecurityWeek
Aside from featuring geofencing that prevents infections in countries in the Commonwealth of Independent States, Black Lotus also has anti-debugging, anti-virtualization, and code obfuscation capabilities, as well as the ability to disable Windows Defender
, BitLocker, and Hypervisor-protected Code Integrity. Scheferman also said that BlackLotus does not only have the capability to evade user access control and secure boot, but could also enable file transfer and tasking support, making it a formidable IT and OT environment security risk.
"Considering this tradecraft used to be relegated to APTs like the Russian GRU and APT 41 (China nexus), and considering prior criminal discoveries we've made (e.g. Trickbot's #Trickboot module), this represents a bit of a 'leap' forward, in terms of ease of use, scalability, accessibility and most importantly, the potential for much more impact in the forms of persistence, evasion and/or destruction," Scheferman added.